In a multi-forest environment, when a group that contains users from both forests is used in a workflow process, not all of the stipulated users are resolved. Only the users that are in the same forest as the group are resolved. This is due to the forest relationship: users from the other forest are registered as foreign security principals, which are identified by their SID and not by their Distinguished Name.

Error Scenario

Note: The circumstances described in this article are one scenario under which this issue may, or is known to occur. The description is intended to be specific to the scenario described and does not take into account all possible scenarios or circumstances.

To reproduce this error:

  1. Set up a multi-forest environment consisting of two domain controllers, each in its own forest, joined by a two-way transitive trust.
  2. Create a group in one forest that contains users from both forests.
  3. Register a new AD Service 2 instance with both domain LDAPs.
  4. Create a SmartObject of the service.
  5. Execute the GetUsersByGroup SmartObject with only the group name; nothing is returned.
  6. Add the NETBIOS\GroupName; users are returned, but only from the forest that contains the group.
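
The foreign security principal behaviour described above can be confirmed on the group's member attribute. The following PowerShell is an added diagnostic example, not part of the original article or of K2's code; the function name Resolve-GroupMemberDn, the foresta.example domain and the sample SID are assumptions constructed for illustration.

```powershell
# Added example: classify a group's 'member' values and resolve
# foreign security principals (FSPs) from the SID stored in their CN.
function Resolve-GroupMemberDn {
    param([Parameter(Mandatory)][string[]]$MemberDn)

    foreach ($dn in $MemberDn) {
        # An FSP object lives in CN=ForeignSecurityPrincipals and its CN is the SID string,
        # so a resolver that only follows Distinguished Names never sees the real user.
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
            $sidText = $Matches[1]
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                # Translate maps the SID to DOMAIN\name through the forest trust.
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $null   # trust unreachable, or the SID cannot be mapped
            }
            [pscustomobject]@{
                Kind = 'ForeignSecurityPrincipal'; Sid = $sidText; Account = $account; Dn = $dn
            }
        } else {
            # Member from the same forest as the group: referenced by its own DN.
            [pscustomobject]@{
                Kind = 'LocalForest'; Sid = $null; Account = $null; Dn = $dn
            }
        }
    }
}

# Constructed sample input (hypothetical names and SID): one local user, one FSP.
$sample = @(
    'CN=Alice Example,OU=Staff,DC=foresta,DC=example',
    'CN=S-1-5-21-1111111111-2222222222-3333333333-1105,CN=ForeignSecurityPrincipals,DC=foresta,DC=example'
)
Resolve-GroupMemberDn -MemberDn $sample | Format-Table Kind, Sid, Account -AutoSize

# Against a live domain (requires the ActiveDirectory module), pass the real attribute:
# Resolve-GroupMemberDn -MemberDn (Get-ADGroup 'GroupName' -Properties member).member
```

With the constructed sample the Account column stays empty because the SID does not exist; on a domain-joined machine with a working trust it shows the DOMAIN\name of the user in the other forest.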


This Hotfix is contained within the latest K2 Update. Install the update package to resolve the error.