Forum Discussion
NimbostratusChanging AD UPN
We are using APM for Edge Client Access and SharePoint and other resources. We are considering changing the UPN in Active Directory, we are using multiple domains in our authentication scheme. Is this doable, what kind of issues am I looking at, could there be any work a rounds.
5 Replies
Cody_GreenEmployee
How is the multi-domain configuration setup today?
eburton_25849We are one forest with 2 authentication domains and one resource domain. Is that what you are looking for?
- Cody_Green
Kind of. Do you present the user with a drop down on the login page so they can select their domain or do you use Kerberos referrals in AD?
- MichaelatF5
Do your domains have a domain trust? I will assume yes, because if you didn't the UserDomain could not access the ResourceDomain.
So, If your domains are trusted, and authoritative for unique domain suffixes, then you can just make sure that DNS is properly configured in all domains, and allow LDAP forwarding to do its job.
Are you using Kerberos? You can enable DNS lookups for REALMS in the krb5.conf file on the BIG-IP to help. You can also hard code the KDC for the REALMS you know you need to support. You can also use an irule to determine which REALM users are in and modify as needed. This will make sure that when the request comes in to the KDC, it knows which KDC to send the request to for that specific REALM.
For example:
switch [ACCESS::policy agent_id] { "DOMAIN1" { ACCESS::session data set session.logon.last.domain "F5LAB.LOCAL" } "DOMAIN2" { ACCESS::session data set session.logon.last.domain "MSDOMAIN.LOCAL" } } - eburton_25849
We are using NTLM Domains corp.domainad.com and ncu.domainad.com and the users login using corp\ or ncu\ corp is setup as the default authentication domain. the new UPN being introduced to facilitate Office 365 is domain.com So far our testing with just one or two users seems to be working OK. I am worried about SSO.
