APM AD authentication with two domains
Hello all,
I have two domains, DomainA and DomainB, and an application.
This application lives in DomainB and must be accessed by DomainA users and DomainB users.
DomainB users can already log in to the application, and now I'm configuring DomainA authentication.
To make things easier, we have set up a unidirectional trust relationship between DomainA and DomainB, so users in DomainA can log into DomainB through Kerberos.
In the F5 I have configured an Active Directory Domain trust. Unfortunately, as I haven't found further information on how to configure this, maybe I have done it the wrong way.
I selected the two ADs involved and set the DomainB AD as root. I did it this way because in the SSO profile I have configured a Kerberos user which is created in DomainB and have delegated the access to the application with the HTTP protocol.
What I don't really understand is which AD should be the root, knowing that the application lives in DomainB and some users live in DomainA. Also, where should the Kerberos user be created: in DomainA or DomainB?
As far as I know, with the trust and the DomainB AD as root, when a DomainA user tries to authenticate, the APM is going to ask the DomainB AD for a Kerberos ticket, but I don't know if the DomainB AD is going to forward the authentication request to the DomainA AD or if the request will be dropped.
Thanks in advance.