APM + Active Directory Trusts

Question

We have two domains as follows:
domain.com (DOMAIN) child.domain.com (CHILD)
CHILD is a child domain of the parent domain in the same forest and thus there is a two way trust between them.
On our Exchange CAS (in parent domain) users can authenticate as follows:
DOMAIN\User1 CHILD\User2
This works fine.
APM is setup with an Active Directory AAA setup to the parent domain (domain.com) with an access rule as follows:Logon Page - AD Auth - SSO Credential Mapping - Full Resource Assign

This works for users in the parent domain....they go to the logon page enter their user name and all is good.
For users in the child domain it doesn't whatever they enter APM tries to authenticate them to the parent domain. So user enters CHILD\USER2 at APM and APM turns it into user2@domain.com.
Is there no way that APM can accept the domain name the user enters and authenticate to a child domain over a trust?

simon_kowallik1 · Answer

Have you set 'split domain from full username' in the logon page?
Have you select 'cross domain support' in AD Auth?&nbsp;

mike_aws_119486 · Answer

have tried split domain from username and cross domain support and various combinations thereof. Ended up with all kinds of strange combinations in the logs like:&nbsp;
I think the results were something like the following.....&nbsp;
Split Domain From UserName Enabled / Cross Domain Support Disabled:&nbsp;
2013-11-14 19:47:53 Username 'child\user2' Common 2013-11-14 19:47:53 AD module: authentication with '' failed: Client 'user2@domain.com' not found in Kerberos database, principal name: user2 2013-11-14 19:47:53 Following rule 'fallback' from item 'AD Auth' to ending 'Deny' &nbsp;
2013-11-14 19:48:13 Username 'user2@child.domain.com' Common 2013-11-14 19:48:13 AD module: authentication with '' failed: Client 'user2@domain.com' not found in Kerberos database, principal name: user2 2013-11-14 19:48:13 Following rule 'fallback' from item 'AD Auth' to ending 'Deny' &nbsp;
Split Domain From UserName Enabled / Cross Domain Support Enabled:&nbsp;
2013-11-14 20:03:25 Username 'child\user2' Common 2013-11-14 20:03:56 Username 'user2' Common 2013-11-14 20:03:56 Retry Username 'user2' Common 2013-11-14 20:09:15 \N: Session deleted due to user inactivity or errors. &nbsp;
2013-11-14 20:04:34 Username 'child\user2' Common 2013-11-14 20:04:49 \N: Session deleted due to admin initiated termination. Common 2013-11-14 20:04:49 Following rule 'fallback' from item 'AD Auth' to ending 'Deny' &nbsp;
2013-11-14 20:31:12 Username 'user2@child.domain.com' Common 2013-11-14 20:32:42 Username 'user2@child.domain.com' Common 2013-11-14 20:32:42 Retry Username 'user2' Common 2013-11-14 20:38:05 \N: Session deleted due to user inactivity or errors. &nbsp;
Split Domain From UserName Disabled / Cross Domain Support Enabled:&nbsp;
2013-11-14 20:34:36 Username 'child\user2' Common 2013-11-14 20:34:36 AD module: authentication with 'child\user2@domain.com' failed: Client 'child\user2\@domain.com@domain.com' not found in Kerberos database, principal name: child\user2@domain.com@domain.com. Please verify Active Directory and DNS configuration. (-1765328378) Common &nbsp;
2013-11-14 20:34:50 Username 'user2@child.domain.com' Common 2013-11-14 20:34:50 Retry Username 'user2@child.domain.com' Common 2013-11-14 20:34:51 AD module: authentication with 'user2\@child.domain.com@domain.com' failed: Client 'user2\@child.airmis.airwave &nbsp;
Basically I just want the user to be able to stipulate the domain and for APM to forward that to the DC.&nbsp;
Seems that in the APM AD config because you have entered the FQFN of 'domain.com' it doesn't understand there may be child domains/trusts.....&nbsp;

matt_dierick · Answer

This one should work : Split Domain From UserName Enabled / Cross Domain Support Enabled&nbsp;
Have you got any logs on DC side ???&nbsp;

kevin_stewart · Answer

Try this:&nbsp;

Add a session variable for session.logon.last.domain and set it to CHILD.DOMAIN.COM.&nbsp;

Enable cross domain support in the AD auth (split domain shouldn't matter for this test).&nbsp;

Run a WireShark from the DC and capture the Kerberos and DNS traffic from APM.&nbsp;

Test with just the username and password for a CHILD domain member (no domain association). &nbsp;

The split domain function is supposed to separate the domain portion of a username (domain\user or user@domain) and set that in the session.logon.last.domain variable. The above bypasses that to test just the Kerberos and DNS transactions. You want to APM contact its local KDC, get a referral for the CHILD domain, and then request a ticket from the CHILD domain.&nbsp;

mike_aws_119486 · Answer

Kevin,&nbsp;
Tried putting a session various into the access policy and logs show:&nbsp;
2013-11-15 18:23:06 Following rule 'fallback' from item 'Logon Page' to item 'Variable Assign' Common 2013-11-15 18:23:06 Rule evaluation failed with error: invalid command name "CHILD.DOMAIN.COM" Common 2013-11-15 18:23:06 Executed agent '/Common/DOMAIN-Exchange_act_variable_assign_ag', return value 0 &nbsp;
Probably doing something wrong....&nbsp;

Forum Discussion

APM + Active Directory Trusts

7 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

Related Content

Azure Active Directory and BIG-IP APM Integration

EV Car Hacking, AI bypass KYC, LLM does not trust human, and Active Cyber Defense

Zero Trust Application Access for Federal Agencies

Complete MFA solution with GA stored in Active Directory

Remote Authorization via Active Directory

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS