Forum Discussion

prak_sh_237573's avatar
prak_sh_237573
Icon for Nimbostratus rankNimbostratus
Feb 09, 2016

How to configure 2 forest in Bigip APM

Hello friends,   I need some help regrading this requirement in bigip APM:   one of our customer is using bigip APM for exchange services. previously they configured one forest ADs in APM and t...
application delivery
BIG-IP Access Policy Manager (APM)
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 09, 2016

Well, it looks like w.test@DOMAIN2 is the user performing client side NTLM authentication to APM. If you're expecting some DOMAIN1 user, based on the Outlook profile, to be the one logging in, then you might have something misconfigured in Outlook. In any case, you're getting all the way to the Kerberos SSO functions, so you can be reasonably certain that client side authentication is working. Troubleshooting Kerberos SSO is a bit more involved, so you'll definitely want to enable APM SSO debug logging while you're working on this. That should at least give you more detailed logging. Are you hard-coding a domain name in the session.logon.last.domain session variable? If not, just for testing of DOMAIN2 users, try setting it manually in a variable assignment:

session.logon.last.domain = expo { "DOMAIN2" }