AAA - Active Directory with user that resides in another domain in trust

Question

Hi,  &nbsp;
We have few domains and we expect to use an unique AD account to query the servers. So, we try to configure AAA server AD with an user that resides in a specific domain name.  &nbsp;
I know its possible with LDAP setting, but we need some AD setting advantages, specially for password changes.    &nbsp;
Example:&nbsp;
AD  &nbsp;
Domain name: domain1.net  &nbsp;
Domain controller: adsrv1.domain1.net  &nbsp;
Admin name: user_bigip    &nbsp;
AD  &nbsp;
Domain name: domain2.net  &nbsp;
Domain controller: adsrv2.domain2.net  &nbsp;
Admin name: user_bigip@domain1.net    &nbsp;
AD  &nbsp;
Domain name: domain3.net  &nbsp;
Domain controller: adsrv3.domain3.net  &nbsp;
Admin name: user_bigip@domain1.net    &nbsp;
The result is that the Big-IP tries to query the bind with user_bigip@domain1.net@domain2.net  &nbsp;
With user name in old format (Domain\Username), Big-IP ignore back slash. e.g. domain1.netuser_bigip@domain2.net    &nbsp;
Is it possible to do? Could you give me some direction?&nbsp;
Thanks in advance.&nbsp;

arnaud_lemaire · Answer

Hello, did you enable split domain from username ?
from what your are describing it seems you are in usecase 2 of this doc : https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/2.htmlunique_884796033&nbsp;

cjunior · Answer

Hi Arnaud,   &nbsp;
The split domain apparently works only to separate variables in the user login and not when query for AD.  &nbsp;
I tried to reproduce in lab and strangely doesn't have the same behavior that in production.  &nbsp;
Now, I just can see the domain names concatenating here in this log:    &nbsp;
May 24 19:20:18 bigipdelta debug apmd [11716]: 01490111: 7: / Common / portal_apm: Common: 6a7e774c: AD module: verifyKrb5Cache (): credential cache does not match with administrator \ @ @ f5lab.com F5LAB. NET&nbsp;
In the next, I can't see the names concatenated, so, I think that issue is just in my AD lab.    &nbsp;
May 24 19:20:19 bigipdelta err apmd [11716]: 01490107: 3: / Common / portal_apm: Common: 6a7e774c: AD module: query with '(&amp; (objectClass = user) (sAMAccountName = Bob))' failed: Realm not to place KDC main name: administrator@f5lab.com. Realm not found. Please VERIFY domain name configured. (-1765328316)&nbsp;
So, I'll try again in production environment a way to know whats happen.   &nbsp;
Thank you so much&nbsp;

Forum Discussion

AAA - Active Directory with user that resides in another domain in trust

2 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

irule execution error

F5 AWAF/ASM learning only from Trusted traffic?

OWA File Upload URIs for WAF Bypass

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Show or List F5 XC Routes in the Web

Related Content

Azure Active Directory and BIG-IP APM Integration

DevCentral 2024 - Share Another Day

VIP in https that redirect to another vip in https

Another Bash script to backup a BIG-IP device.

Complete MFA solution with GA stored in Active Directory

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS