From reviewing our server logs it appears that the domain of the user's workstation is passed to the HP Trim application regardless of how they log onto the application (either double-click or by performing a 'run as').
Is there a configuration change that can be made to either the desktop client or the application authentication to allow it to recognize more than a single domain?
If you want to support multiple domains then just put in the user ID (without domain). When you launch TRIM your Windows Token is authenticated and then your username is checked against the location structure. So if you put in "mydomain\erik" into the TRIM location profile then I must be on the "mydomain" with NT-account "erik". If you just put in "erik" on the profile, I can come from any authenticated domain with NT-account "erik".
That is where our problem lies - we will allow these users to communicate on our network (via firewall rules) but their domain is NOT trusted to our AD. We were hoping to use the 'run as' statement to log into HP Trim with an AD account that we have established for them - but from a machine in their own domain.
As I mentioned before, the TRIM Application itself authenticates your Windows Token (much like every other application). If authorized to launch the application it will then pass your full user name from the token (domain and nt-account) to the workgroup server. The workgroup server then compares that to the locations in TRIM. If the nt-account exists on an active location profile then it lets you in.
If your domains are not trusted at all then I'm not sure how you're going to right-click and execute something from an untrusted domain. How is the local workstation going to get a valid Windows token from a domain that isn't trusted? Does it work for other applications?
Either way in TRIM, just put the nt-account name (not the domain) into the login name field.
Our testing today did not produce the results I was hoping for. I did learn that our workgroup servers were set to authenticate to a specific domain. As I was told, there is the option to set it to check the domain for ALL users or individually for ALL users. Our server guy is seeing that he possibly can create a different dataset that we could set that authentication differently.
Our other experts would REALLY like to talk with someone from HP Trim that understands how their authentication functions. Does anyone have a suggestion on who that might be? I believe we have a support contract.