Forum Discussion
APM Active Directory Trusted Domains - how to use?
Hello,
I'm facing a similar problem.
As I understand it, you have to set up a trust relationship between DomainA and DomainB first, and then configure the AD Trusted Domains in APM.
The one configured as root is the one that is asked for a ticket to authenticate against the other domains.
So the root AD should be the DomainA AD for A users or the DomainB AD for B users.
Another option could be to split the users by domain and authenticate each one against their own AD, something like this:
https://f5guru.com/2014/11/17/apm-cookbook-multiple-domain-authentication-part-2/
Good luck!
- dragonflymr, Dec 05, 2017, Cirrostratus
Hi,
Well, I did test different configurations and can't see any difference between:
- DomainA and DomainB with a two-way forest trust (could be one-way as well)
- DC from DomainA set as AD AAA server
- Split used in Logon Page object
In AD Auth object:
- Cross Domain Support: enabled
- Server: set to AD AAA for DomainA
Same as above but:
- Trusted Domain object set with DomainA and DomainB AD AAA objects
- DomainA AD AAA set as root
- AD Auth using above Trusted Domain instead of Server option
The effect is exactly the same: users from both DomainA and DomainB can authenticate.
In both cases the DomainA DC is sending a KRBR referral when a user from DomainB is trying to authenticate. Then APM sends a KRBR request to the DomainB DC.
So what is the point of using Trusted Domain?
The only thing I can think of is selecting which DC will be used as the one responsible for sending KRBR referrals. Is that the only feature provided by Trusted Domains?
For sure APM is not choosing the DC based on the domain specified on the Logon Page. For the Trusted Domain config I always see (in Wireshark) the first KRBR request sent to the DC set as root, no matter which domain the authenticating user is from.
Am I missing something important here?
Piotr
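The first reply mentions the alternative of splitting users by domain and sending each one to the AAA server of their own domain, so that no cross-domain referral is needed. The following is an added example written for this thread, not F5 APM code and not an iRule from the linked cookbook: it shows the routing logic such a split implies, accepting both down-level (DOMAIN\user) and UPN (user@realm) logon names, normalising the domain part, and falling back to the root domain's server when the user gives no domain or an unknown one. The domain names, DNS suffixes and AAA object names are constructed placeholders.

```python
# Added example (not F5 APM or DevCentral code): route a logon name to the
# AAA server of its own domain, the "split users by domain" approach from the
# thread. All domain and server names below are constructed placeholders.
from dataclasses import dataclass

# Constructed mapping: each domain authenticates against its own DC/AAA object.
DOMAIN_AAA = {
    "DOMAINA": "aaa-domaina",   # hypothetical AD AAA object for DomainA
    "DOMAINB": "aaa-domainb",   # hypothetical AD AAA object for DomainB
}

# Constructed mapping from the UPN realm (DNS name) to the NetBIOS domain name.
DNS_TO_NETBIOS = {
    "domaina.example": "DOMAINA",
    "domainb.example": "DOMAINB",
}

# The domain that would be set as root in a Trusted Domain object; used as the
# fallback when the logon name carries no usable domain.
ROOT_DOMAIN = "DOMAINA"


@dataclass(frozen=True)
class Logon:
    user: str
    domain: str      # NetBIOS-style, upper case
    explicit: bool   # True if the user typed a domain, False if defaulted


def split_logon(name: str, default_domain: str = ROOT_DOMAIN) -> Logon:
    """Split a logon name into user and domain, like a 'Split' on a logon page."""
    name = name.strip()
    if "\\" in name:                       # down-level form: DOMAIN\user
        dom, _, user = name.partition("\\")
        return Logon(user, dom.upper(), True)
    if "@" in name:                        # UPN form: user@realm
        user, _, realm = name.partition("@")
        realm = realm.lower()
        # Known realm -> configured NetBIOS name; unknown realm -> first label
        dom = DNS_TO_NETBIOS.get(realm, realm.split(".")[0].upper())
        return Logon(user, dom, True)
    return Logon(name, default_domain, False)   # bare user name: use the default


def choose_aaa(name: str) -> tuple[Logon, str]:
    """Return the parsed logon and the AAA server that should authenticate it."""
    logon = split_logon(name)
    if not logon.user:
        raise ValueError("empty user name")
    server = DOMAIN_AAA.get(logon.domain)
    if server is None:
        # Unknown domain: there is no dedicated server, so send the request to
        # the root domain's DC, which is the one that can still issue a referral.
        return logon, DOMAIN_AAA[ROOT_DOMAIN]
    return logon, server


if __name__ == "__main__":
    for n in ["DOMAINB\\bob", "alice@domaina.example", "carol", "dave@other.example"]:
        logon, server = choose_aaa(n)
        print(f"{n!r:28} -> domain={logon.domain:8} server={server}")
```

With this routing in place, a DomainB user is sent straight to the DomainB server and the DomainA DC never has to answer with a referral; only users who give no domain, or an unrecognised one, still start at the root domain's DC, which matches what the thread observes for the Trusted Domain configuration.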