Alain_Trembley_
Dec 06, 2018

AD Auth with a domain in another forest.

Hi,

We have APM in place for multiple applications in our main domain. Now we need to identify users in another domain in a different forest.

We don't have any trust between the forests.

The two networks can talk to each other. There is a conditional forwarder on the DNS of the main domain that points to the two domain controllers of domain B, and we have set PTR records too that resolve the domain B IP addresses for the two controllers.

We only want to use AD Auth to identify the users; the credentials will not be sent to the site at the end of the policy, only a header added with an iRule.

We get "Ad module: authentication with 'user' failed: Cannot contact any KDC for realm 'Domain_B', principal name : user@DOMAIN_B.com" every time we try to authenticate (Login page followed by AD Auth using the domain B AAA server profile).

We can resolve domainb.com and the domain B DC names from the F5 unit. We can resolve the PTR too and get the right answer for _kerberos._tcp.domain_b.com and _kerberos._udp.domain_b.com.

We tried to edit krb5.conf with:

    [realms]
        DOMAIN_B.COM = {
            kdc = dc1.domain_b.com
            kdc = dc2.domain_b.com
            admin_server = dc1.domain_b.com
        }

    [domain_realm]
        .domain_b.com = DOMAIN_B.COM
        domain_b.com = DOMAIN_B.COM

dns_lookup_kdc is set to true (pre-existing configuration).

We can ping and telnet to the domain B servers from the F5 unit.

Would someone have an idea of what we are missing, or a reference to some adequate documentation? I searched different F5 articles etc. but I do not seem to find the solution.

Also, my new APM policy seems to be working only for HTTPS?

Thanks.
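Added example, not part of the original post and not F5 code: a small offline checker for a krb5.conf stanza like the one above. It parses the [realms] and [domain_realm] sections, maps a host to its realm the way the domain_realm rules do (leading-dot entries match subdomains, bare entries match exactly), and looks up the KDC list for the realm named in a principal. Kerberos realm names are case-sensitive, so the check also reports near-misses: the error quoted in the post names realm 'Domain_B' while the stanza defines DOMAIN_B.COM, and the checker makes that kind of mismatch visible instead of reporting "no KDC". The sample config, the principal names and the injectable `connect` callback are constructed for the example; `tcp_connect` is an assumed probe of the KDC port (88/tcp) for use on a live system, not something the post describes.

```python
"""Offline sanity check of krb5.conf realm/KDC configuration for a principal.

Constructed example; not from the original post or from F5.
"""
import socket

# Constructed sample that mirrors the stanza posted in the question.
SAMPLE_KRB5_CONF = """
[libdefaults]
    dns_lookup_kdc = true

[realms]
    DOMAIN_B.COM = {
        kdc = dc1.domain_b.com
        kdc = dc2.domain_b.com
        admin_server = dc1.domain_b.com
    }

[domain_realm]
    .domain_b.com = DOMAIN_B.COM
    domain_b.com = DOMAIN_B.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}.

    A 'NAME = {' line opens a nested block (used for realm definitions), which
    is stored as a dict under NAME inside its section. Comments (#) are ignored.
    """
    sections = {}
    current = None   # name of the [section] being read
    block = None     # name of the open 'NAME = {' block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            block = None
            continue
        if current is None:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = key
            sections[current].setdefault(block, {})
            continue
        target = sections[current][block] if block else sections[current]
        target.setdefault(key, []).append(value)
    return sections


def realm_for_host(conf, hostname):
    """Apply [domain_realm]: longest matching pattern wins; '.suffix' matches
    subdomains, a bare name matches only itself. Returns None if nothing matches."""
    host = hostname.lower()
    best = None
    for pattern, realms in conf.get("domain_realm", {}).items():
        p = pattern.lower()
        matched = host.endswith(p) if p.startswith(".") else host == p
        if matched and (best is None or len(p) > len(best[0])):
            best = (p, realms[0])
    return best[1] if best else None


def kdcs_for_realm(conf, realm):
    """KDC list for a realm. Exact, case-sensitive match, as Kerberos requires."""
    block = conf.get("realms", {}).get(realm)
    return list(block.get("kdc", [])) if isinstance(block, dict) else []


def tcp_connect(host, port, timeout=3.0):
    """Assumed live probe: can we open a TCP connection to the KDC port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_principal(conf, principal, connect=None):
    """For user@REALM, list the configured KDCs and probe each one.

    `connect(host, port) -> bool` can be injected so the check runs offline.
    When the realm has no [realms] entry, report entries that differ only in
    case or DNS suffix, since that is the usual cause of 'Cannot contact any KDC'.
    """
    _, _, realm = principal.partition("@")
    kdcs = kdcs_for_realm(conf, realm)
    result = {"realm": realm, "kdcs": kdcs, "reachable": {}}
    if not kdcs:
        wanted = realm.upper()
        similar = [r for r in conf.get("realms", {})
                   if r.upper() == wanted or r.upper().startswith(wanted + ".")]
        result["hint"] = "no [realms] entry for %r; similar entries: %s" % (realm, similar)
        return result
    probe = connect or tcp_connect
    for kdc in kdcs:
        host, _, port = kdc.partition(":")      # krb5 allows 'host:port'
        result["reachable"][kdc] = probe(host, int(port or 88))
    return result


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # Offline run: pretend only dc1 answers on 88/tcp.
    fake = lambda h, p: h == "dc1.domain_b.com" and p == 88
    print(check_principal(cfg, "user@DOMAIN_B.COM", connect=fake))
    print(check_principal(cfg, "user@Domain_B", connect=fake))
```

On a real unit you would drop the `connect=` argument so `tcp_connect` probes the KDCs listed for the realm; a realm that yields an empty `kdcs` list together with a `hint` means the realm string the client is using does not match any [realms] entry, which is worth checking before looking at network paths.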
