For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jspiglerj2rsolves's avatar
jspiglerj2rsolves
Icon for Nimbostratus rankNimbostratus
May 06, 2016

KCD SmartCard Two Domains Same Forest Users in both

Afternoon all,   Have a KCD APM question.   I have successfully been able to setup KCD in a singe domain instance. Both the resource the client is accessing, the F5 KCD account and the clients...
application delivery
BIG-IP Access Policy Manager (APM)
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
May 07, 2016

You're actually talking about a Kerberos "extension" referred to as "Canonical Referral". It's like a CNAME process for Kerberos. In any case, APM Kerberos doesn't follow these referrals today, so you have to tell it exactly which domain the user belongs to. This is complicated by the fact that your smartcard UPN doesn't match any single domain. So basically what you need to do is this:

 

  1. Insert an LDAP Query in the VPE that queries the domain(s) or GC. You need to extract the user's real domain and their sAMAccountName.

     

  2. Use the sAMAccountName and user's real domain as the Kerberos SSO input username and domain session values.