F5 APM and Kerberos SSO cross AD domain/forest
I’m not sure if this is the right forum, so apologize in advance if I need to post this some other place.
With the APM module I have a web application that I would like to publish. The authentication methodology for this app is IWA running of course under IIS. The application server is located in one AD forest/domain that has two way trust with another forest.
Websso Kerberos is enabled for that application with the correct KCD service account that has the correct SPN authorized.
Basic login page with some logic to retrieve the correct REALM of the user is set on the APM
When a user from the same domain as the application is logging on, SSO is working as expected and user is able to access the application being authenticated with a Kerberos ticket.
When a user from the other domain, member of the forest that has a two way forest trust where the application resides, Kerberos SSO fails.
Question: any idea what could be wrong and if this type of scenario is going to work with Kerberos SSO on the F5 APM module ?