Forum Discussion

Jul 29, 2013

APM + Active Directory Trust Support

Hi All,


I've been tasked to see if APM can support authenticating users from two domains that have a trust between the two. I'm not 100% clear on the nature of the trust, but I'd like to get a feeling if it's possible before I devote any time to it. I also have a service account in each domain and can query both directly, if needed.


Thinking about this one, I can see it going two ways. One would be to have the directly connected domain (or preferred domain?) proxy the authentication requests for users in the other domain. The second way would be to have some kind of decision in the VPE to decide which AAA object to use to process the user's authentication request, but this is potentially more intrusive.


Thoughts? My goal is to make it as transparent to the user as possible.


Thanks.


2 Replies

  • This should definitely work for you. The cleanest way would be to leverage two different AAA objects on the APM and authenticate against the proper domain based upon identifying where the user is - if you are able to make that determination based upon the username credentials supplied.


  • If I may add, you say "AAA" and "VPE", so I have to assume you mean client side authentication (client to APM). This is an important distinction because the auth methods/options are different on the server side. If that's true, then you do have a few choices depending on how you want to authenticate users. If requesting username and password, it's probably best that you also require domain information so that you can switch AD/LDAP auth agents accordingly. If you're doing Kerberos on the client side, then it largely depends on how the trusts are established. Client side Kerberos is all about getting a decryptable request ticket to the APM VIP. In this regard it's a bit more flexible than server side Kerberos and can use a few different trust models (one-way, two-way).
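Both replies come down to the same decision: look at the credential the user typed, work out which domain it belongs to, and branch to the AAA object (AD Auth agent) for that domain. The following is an added example written for this thread, not F5 code and not from either poster; it models that decision in Python so the edge cases are explicit. The domain names (CORP / corp.example.com, PARTNER / partner.example.net), the AAA object names (aaa_ad_corp, aaa_ad_partner) and the logon names used in the comments are all constructed for illustration.

```python
"""
Pick the APM AAA object for a logon name typed at the logon page.

Added example for the APM + AD trust thread (not F5 code).  Handles the
three forms a user commonly types:  DOMAIN\\user, user@dns.domain, bare user.
Assumption: the NetBIOS name of each trusted domain and its DNS name map to
the same AAA object, because the DOMAIN\\user form carries the NetBIOS name
while the user@domain (UPN) form carries the DNS name.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed table: trusted domain (NetBIOS or DNS name) -> AAA object name.
# Names are hypothetical; on a real box these are your AD AAA server objects.
AAA_BY_DOMAIN: Dict[str, str] = {
    "CORP": "aaa_ad_corp",
    "corp.example.com": "aaa_ad_corp",
    "PARTNER": "aaa_ad_partner",
    "partner.example.net": "aaa_ad_partner",
}

# AD domain names are case-insensitive; the user's capitalisation is not trusted.
_LOOKUP: Dict[str, Tuple[str, str]] = {
    name.lower(): (name, aaa) for name, aaa in AAA_BY_DOMAIN.items()
}

# The "directly connected (or preferred) domain" from the question.  Set to
# None to require that every user supply a domain explicitly.
DEFAULT_DOMAIN: Optional[str] = "CORP"


@dataclass(frozen=True)
class LogonDecision:
    aaa_object: Optional[str]   # None = no trusted domain matched, fail closed
    domain: Optional[str]       # canonical domain name as listed in the table
    username: str               # logon name with the domain part removed
    reason: str                 # why this branch was taken (for session logging)


def split_logon_name(raw: str) -> Tuple[Optional[str], str]:
    """Return (domain, user) for DOMAIN\\user, user@domain or bare user.

    A backslash takes precedence over an @, so 'CORP\\first.last@mail'
    yields domain CORP and user 'first.last@mail' rather than domain 'mail'.
    """
    raw = raw.strip()
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
        return domain, user
    if "@" in raw:
        user, _, domain = raw.rpartition("@")
        return domain, user
    return None, raw


def choose_aaa(raw_logon: str, default_domain: Optional[str] = DEFAULT_DOMAIN) -> LogonDecision:
    """Map a typed logon name to the AAA object that should authenticate it."""
    domain, user = split_logon_name(raw_logon)
    if not user:
        return LogonDecision(None, domain, user, "empty username")
    if domain is None or domain == "":
        if default_domain is None:
            return LogonDecision(None, None, user, "domain required but not supplied")
        domain = default_domain
    hit = _LOOKUP.get(domain.lower())
    if hit is None:
        # Unknown or untrusted domain: deny rather than guess a domain and
        # let the wrong AAA object produce a confusing failure (or a lockout).
        return LogonDecision(None, domain, user, "domain not in trusted set")
    canonical, aaa = hit
    return LogonDecision(aaa, canonical, user, "matched trusted domain")


if __name__ == "__main__":
    # Constructed logon names, one per form, plus the failure cases.
    for logon in ["CORP\\jdoe", "jdoe@partner.example.net", "partner\\jdoe",
                  "jdoe", "EVIL\\jdoe", "CORP\\"]:
        d = choose_aaa(logon)
        print(f"{logon!r:30} -> {d.aaa_object!s:16} ({d.reason})")
```

Two things the table makes visible that the prose only implies: the DOMAIN\user form and the UPN form name the same domain differently, so both spellings have to be in the mapping, and a domain that is not in the trusted set should fail closed instead of falling through to the preferred domain. In APM this decision would live in the VPE (for example a variable-assign or iRule step that reads the logon username and sets a session variable) feeding a branch rule that selects the matching AD Auth agent; only the username/password path is modelled here, not the client-side Kerberos path, which depends on how the trusts are set up.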