Piotr_Lewandows
Nov 14, 2017

APM AD Auth and two AD forests with two way forest trust

Hi,

 

I am not an AD or APM expert, so it's probably some obvious thing I am missing :-(

 

Setup

 

Two forests, domainA and domainB, with a two-way forest trust set. Based on all suggested, trust is working OK.

 

APM policy with:

 

  • AD AAA srv set for domainA
  • Logon Page object with Username split enabled
  • AD Auth with Cross Domain and AD AAA Srv mentioned before configured

The goal is to use the same AAA srv to authenticate users from domainA and domainB against one AAA srv.

 

But it is not working...

 

  • If user@domainA is entered on the logon form, everything is OK
  • If user@domainB is entered on the logon form, authentication fails

Looking at the traffic between APM and the AAA srv, I can see that for user@domainB, in the krb traffic, APM sends:

 

  • cname (or something like that): user@domainB
  • realm: domainA

and the AD reply is an error.

 

So is that an APM config error, or am I missing something on the AD side?

 

Piotr

 
