F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

East_Coast_1151's avatar
East_Coast_1151
Icon for Nimbostratus rankNimbostratus
Mar 18, 2013

Kerberos SSO with two realms

I am working on a solution depicted in the attached file.     Clients are expected to authenticate with a Form-Based front-end provided by F5 APM and using a back-end Active Directory forest ...
config
design
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Mar 22, 2013
East Coast, you may already know this, but for the larger audience, your suspicions were correct. Kerberos S4U does in fact require a two-way trust between domains/forests.

 

 

http://support.microsoft.com/?kbid=954739

 

http://msdn.microsoft.com/en-us/magazine/cc188757.aspx

 

 

Thanks to some internal F5 folks for finding these articles. I wasn't sure either.

 

 

That said, I see a potential alternative. Given that you're authenticating the user via form logon, you have the credentials (and I assume the domain) to perform an HTTP Basic or NTLM authentication to the web server.