Forum Discussion
David_123856
Nimbostratus
NimbostratusKerberos Authentication from Multiple Forests
I've set up an F5 APM device with some Kerberos auth using the steps here - http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-3-0/3.html and it is working for ...
Kevin_Stewart
Employee
EmployeeNo 401 message, not even one from an AD-bound server, would indicate anything about a specific domain or forest. The F5 in the Forest B environment doesn't care where you get the ticket from as long it can decrypt it based on the keytab. The client and/or KDC in Forest B have to figure that out. Further, the client shouldn't be sending a TGS request to Forest A. It should be sending a krbtgt request to Forest A for access to Forest B's KDC, to then send a TGS request to Forest B.
Is there a global catalog between these forests? Have you determined any DNS failures?