Untrusted domain between two forest for SQL connection

Here is my topology
Internal domain: inside.local (Two DCs)
DMZ Domain: outside.local (Two DCs)
Inside.local have a Web Application used by the local employees (Application is named  WebApp)
Outside.local, have a database that WebApp uses, its a C# running on IIS on Windows 2012
one-way trust relation, outside.local trust authentication request from inside.local

WebApp needs to connect to the database in the DMZ, but users are getting the following error message.
Error message: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.

I try to use ODBC from WebApp Server to connect to the SQL Server in the and I got the same error message.
Note that this issue is not persistent, users may fail in login for about 1 minutes, and then it work fine and they can login and work fine for another 10 minutes, and so on..
I check the authentication protocol and its using NTLM
Any idea on why this may happense
Faris MalaebAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vitor MontalvãoMSSQL Senior EngineerCommented:
When working with different domains you'll need first to trust them. You can follow the steps in this link.
After creating the trust between the domain you can now add users from the outside domain into the SQL Server instance logins so they can be able to connect to a database.
0
Faris MalaebAuthor Commented:
Hi, Thanks for the comment,
There is a one way trust, the Outside.local Trust the inside.local, and authentication request are working fine.
I can login to any server in Outside.local using Inside.local credentials.
0
Vitor MontalvãoMSSQL Senior EngineerCommented:
I think it should be 2 ways trust as both domains needs to reply back to each other.
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Faris MalaebAuthor Commented:
I enabled Netlogon Logging and I found some strange errors
06/21 11:58:32 [MISC] [688] In control handler (Opcode: 4)
06/21 11:58:34 [LOGON] [18268] SamLogon: Network logon of DOMAIN\Server1$ from Server1 Entered
06/21 11:58:39 [CRITICAL] [18268] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0020017)
06/21 11:58:39 [LOGON] [18268] SamLogon: Network logon of DOMAIN\Server1$ from Server1 Returns 0xC0020017
06/21 11:58:42 [MISC] [688] In control handler (Opcode: 4)
06/21 11:58:50 [LOGON] [18268] SamLogon: Network logon of DOMAIN\user1 from ClientPC1 Entered
06/21 11:58:53 [MISC] [688] In control handler (Opcode: 4)
06/21 11:58:53 [LOGON] [12296] SamLogon: Network logon of DOMAIN\user1 from ClientPC1 Entered
06/21 11:58:55 [CRITICAL] [18268] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0020017)
0
Vitor MontalvãoMSSQL Senior EngineerCommented:
This is out of my expertise but by the logged error it seems that somebody here already had the issue. Check if the solution provided can help you.
0
Vitor MontalvãoMSSQL Senior EngineerCommented:
Otherwise check if the account isn't locked out.
0
Faris MalaebAuthor Commented:
Hi, the trust relationship oneway will be fine, it might be required to be twoway incase of Kerberos authentication.
The accounts are actually not locked out. I confirm that its working fine and no lockout in the history log.
0
Faris MalaebAuthor Commented:
Hi, I fixed the issue.
I updated the application web.config \ ConnectionString \ Integrated Security
The value was True, I change it to SSPI (Integrated Security=SSPI) and now its working fine.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Faris MalaebAuthor Commented:
The problem is now fixed and the issue has disappeared.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
authenticaion

From novice to tech pro — start learning today.