APM + Active Directory Trust Support

If I may add, you say "AAA" and "VPE", so I have to assume you mean client side authentication (client to APM). This is an important distinction because the auth methods/options are different on the server side. If that's true, then you do have a few choices depending on how you want to authenticate users. If requesting username and password, it's probably best that you also require domain information so that you can switch AD/LDAP auth agents accordingly. If you're doing Kerberos on the client side, then it largely depends on how the trusts are established. Client side Kerberos is all about getting a decryptable request ticket to the APM VIP. In this regard it's a bit more flexible than server side Kerberos and can use a few different trust models (one-way, two-way).