
Question

LFDS authentication in multi-forest network

asked on August 3, 2016

Rephrasing this whole post with more info, and with a more specific question:

Hi - we are having difficulty adding users through LFDS in our multi-forest environment.  We run LF in a two-forest network, where the forests have two-way trust, but selective authentication, so permission must be explicitly granted to cross the forest boundary.  Currently, I am able to add the distant (meaning "in the other forest") AD identity providers within LFDS - so I am able to establish contact with the domain controller(s), but am unable to browse for and add users.

My first attempt to browse a distant AD database failed such that I could not get past the credentials screen while trying to add users.  The account being used did not have permission to login to the distant domain controller (DC).  However, when we grant that account permission to access the DC, it still fails to authenticate.

The second attempt was having our domain admin use an admin account from the distant domain.  In this case, the account authenticates, but we get the error "LFDS19 - No User Found".  Regardless of what search string we use, we always get this error.

Third data point: we can add these same AD users through the Admin Console directly into a repository, using the distant admin account.  So, from this I conclude that the account has enough permission to access AD and browse, but the mechanism used by LFDS (as opposed to the native Windows method in the Admin Console) is breaking for a reason I don't understand.  (I have read some info regarding Kerberos, the "Negotiate" protocol, and the two-hop authentication problem - I believe we are configured properly on our LFDS box, but I am not 100% certain.)

So, my question is: what is different about LFDS compared to the Admin Console, and what set of configurations must I set to accomplish this task?  If you believe it is related to Kerberos, can you specify the configuration requirements?

Any thoughts or info is greatly appreciated.

Thanks, Steven.


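The three things the cross-forest browse described above depends on can be exercised directly from the LFDS host, with the same account LFDS is given, independently of LFDS. The PowerShell below is an added diagnostic example, not from the original post or from Laserfiche: it resolves the DC-locator SRV record and the target DC's A record for the distant domain (the DNS point raised in the reply), performs a direct one-hop LDAP bind against the distant DC and searches for a user, and lists who holds the Allowed to Authenticate extended right on the distant DC's computer object, which is what selective authentication checks before it lets an account from this forest authenticate there. Every domain, host, DN and user name in it is a placeholder; only the Allowed-To-Authenticate rights GUID is a fixed schema value.

```powershell
# Added diagnostic example; not from the original post or from Laserfiche.
# Run on the LFDS host with the account LFDS uses to reach the other forest.
# Every domain, host and user name below is a placeholder.
param(
    [string]$DistantDomain = 'distant.example.com',       # other forest's domain
    [string]$DistantDc     = 'dc01.distant.example.com',  # DC LFDS is pointed at
    [string]$SampleUser    = 'jdoe',                      # sAMAccountName to search for
    [pscredential]$Credential = (Get-Credential -Message 'Account LFDS uses for the distant forest')
)

Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of the Allowed-To-Authenticate extended right. Under selective
# authentication a caller from the trusted forest needs this ACE on the
# computer object of each server in the other forest it authenticates to.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-BindUser([pscredential]$Cred) {
    # DOMAIN\user when the credential was entered that way, otherwise the UPN.
    $nc = $Cred.GetNetworkCredential()
    if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }
}

function New-DistantEntry([string]$Path, [pscredential]$Cred) {
    # Explicit-credential bind; Secure = Negotiate (Kerberos, NTLM fallback).
    New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
        $Path, (Get-BindUser $Cred), $Cred.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
}

function Test-DistantDns([string]$Domain, [string]$Dc) {
    # 1. Can this host locate the other forest's DCs, and does the name it
    #    was given resolve? An SRV answer also returns A records; keep only SRV.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $a   = Resolve-DnsName -Name $Dc -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DcLocatorTargets = @($srv | Where-Object QueryType -eq 'SRV' | Select-Object -ExpandProperty NameTarget)
        TargetDcAddress  = @($a   | Where-Object QueryType -eq 'A'   | Select-Object -ExpandProperty IPAddress)
    }
}

function Test-DistantBind([string]$Dc, [pscredential]$Cred, [string]$SamAccountName) {
    # 2. Bind to the distant DC and search for one user: the same operation
    #    a user browse needs, but one hop, from this host, with this account.
    $root = New-DistantEntry "LDAP://$Dc/RootDSE" $Cred
    $defaultNc = $root.Properties['defaultNamingContext'].Value   # bind happens here; throws if refused
    $searcher = New-Object System.DirectoryServices.DirectorySearcher((New-DistantEntry "LDAP://$Dc/$defaultNc" $Cred))
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $hit = $searcher.FindOne()
    [pscustomobject]@{
        BoundAs       = Get-BindUser $Cred
        NamingContext = $defaultNc
        UserFound     = [bool]$hit
        UserDn        = if ($hit) { $hit.Properties['distinguishedname'][0] } else { $null }
    }
}

function Get-AllowedToAuthenticate([string]$Dc, [pscredential]$Cred) {
    # 3. Who may authenticate to the distant DC under selective authentication.
    #    An account from this forest must appear here, directly or through a
    #    group, or its bind is refused whatever other rights it holds.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher((New-DistantEntry "LDAP://$Dc" $Cred))
    $searcher.Filter = "(&(objectClass=computer)(dNSHostName=$Dc))"
    $computer = $searcher.FindOne().GetDirectoryEntry()
    $rules = $computer.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $isExtended = ($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($isExtended -and $r.ObjectType -eq $AllowedToAuthenticate -and $r.AccessControlType -eq 'Allow') {
            # Foreign-forest SIDs may not translate; fall back to the raw SID.
            $who = try { $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $r.IdentityReference.Value }
            [pscustomobject]@{ Computer = $computer.Properties['dNSHostName'].Value; Trustee = $who; Inherited = $r.IsInherited }
        }
    }
}

Write-Host "== DNS for $DistantDomain / $DistantDc =="
Test-DistantDns $DistantDomain $DistantDc | Format-List
Write-Host "== LDAP bind and user search as $(Get-BindUser $Credential) =="
try { Test-DistantBind $DistantDc $Credential $SampleUser | Format-List }
catch { Write-Warning "Bind or search failed: $($_.Exception.Message)" }
Write-Host "== Allowed to Authenticate on the computer object of $DistantDc =="
try { Get-AllowedToAuthenticate $DistantDc $Credential | Format-Table -AutoSize }
catch { Write-Warning "Could not read the ACL: $($_.Exception.Message)" }
```

Read the output against the post's three attempts. If the DC-locator targets and the configured DC disagree, or resolve differently on different DNS servers, the host may not be talking to the DC it was given. If the first attempt's account from this forest is missing from the Allowed to Authenticate list, that alone explains a refused bind under selective authentication; the second attempt's distant-forest admin is native to that DC's forest, so selective authentication does not apply to its bind. If step 2 finds the user from the LFDS host with the same account while LFDS itself reports LFDS19, DNS, the trust and the ACE have been ruled out and the remaining variable is the path LFDS takes with the credential, which this script does not reproduce.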

Replies

replied on March 30, 2017

We found the same issue.  Please check your networking design with a focus on DNS; we are going to change ours so that LFDS points to only one DNS.  We are using a VPN site-to-site design that could help to solve this point.


We will update with the result of the testing.
