Forum Discussion

JohnA_45647
Apr 06, 2015

multi domain auth through trust relationship

Hi Guys

I am working on a deployment and have a question about multi-domain authentication through a trust relationship between the ADs.

Scenario

A user is presented with the Logon page from APM to authenticate before being redirected to the application. The user can be a part of domainA or domainB.

There is a one-way trust between the domains: domainA trusts domainB (or the other way around); as I am not an AD expert I may have the trusts the wrong way.

I have been labbing up the authentication solution, and from what I can see the authentication works as follows.

I have created an AAA server for the domainA domain (AD object) and the following access policy:

Logon page - AD AUTH (domainA.com AAA)

Enabled cross domain support (AD Auth) and split domain from username (Logon page).

I can log in with an account from each domain, but the authentication process isn’t working as expected.

When using the userA@domainA account, the F5 knows the domain and authenticates to the AAA server.

When using the userb@domainB account, the F5 doesn’t know the domain and does a DNS query to find the domainb AD server, and then sends the authentication request there.

Is there a way to make the authentication request go to the domainA server and let the trust relationship then send this request to the domainb domain?

I have tried removing ‘split domain from username’ on the logon page, and both authentication requests for users fail, using usera@domaina.com and userb@domainb.com. I could understand if my trust wasn't set up correctly and wasn't able to authenticate the domainb account, but I lose the ability to also authenticate with the domainA account as well.

If I just use 'username', which is located in the domainA.com domain, I can authenticate.

Any suggestions would be great.

F5 - 11.2.1 build 1148

Thanks

John

 

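The routing behaviour the post describes (domain split from the logon name, a configured AAA object used when the domain is known, a DNS lookup for the domain controller when it is not, and outright failure when neither applies) can be modelled in a few lines. This is an added example, not code from the post or from F5 APM: the `AAA_SERVERS`, `NETBIOS_TO_DNS` and `DEFAULT_DOMAIN` tables and the `srv_lookup_stub` resolver are constructed assumptions that stand in for the APM configuration and a real `_ldap._tcp.dc._msdcs.<domain>` SRV query, so the example runs offline.

```python
"""Model of an APM-style 'split domain from username' routing decision.

Added example (not F5 code). It reproduces the behaviour described in the post:
the logon name is split into account and domain; a domain with a configured
AAA server is routed there; with cross-domain support on, an unknown domain is
resolved through DNS; anything else fails closed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed configuration: only domainA.com has an AAA object, as in the post.
AAA_SERVERS = {
    "domaina.com": "dc1.domaina.com",
}
# Constructed: realm used for a bare username that carries no domain.
DEFAULT_DOMAIN = "domaina.com"
# Constructed: NetBIOS -> DNS names, for DOMAIN\user style logon names.
NETBIOS_TO_DNS = {"DOMAINA": "domaina.com", "DOMAINB": "domainb.com"}


@dataclass(frozen=True)
class Route:
    account: str
    domain: str
    server: str
    source: str  # "aaa" = configured AAA object, "dns" = SRV discovery


def split_domain(logon_name: str) -> tuple[str, str]:
    """Split 'user@domain', 'DOMAIN\\user' or bare 'user' into (account, dns_domain)."""
    name = logon_name.strip()
    if not name:
        raise ValueError("empty logon name")
    if "@" in name:
        # UPN form: rpartition keeps any '@' inside the account part intact.
        account, _, domain = name.rpartition("@")
        if not account or not domain:
            raise ValueError(f"malformed UPN: {logon_name!r}")
        return account, domain.lower()
    if "\\" in name:
        # Down-level logon name: map the NetBIOS name to its DNS domain.
        netbios, _, account = name.partition("\\")
        try:
            return account, NETBIOS_TO_DNS[netbios.upper()]
        except KeyError:
            raise ValueError(f"unknown NetBIOS domain: {netbios!r}") from None
    # No domain supplied: assume the default realm.
    return name, DEFAULT_DOMAIN


Resolver = Callable[[str], Optional[str]]


def srv_lookup_stub(domain: str) -> Optional[str]:
    """Constructed stand-in for an SRV query for the domain's domain controllers."""
    table = {"domainb.com": "dc1.domainb.com"}
    return table.get(domain)


def route_auth(logon_name: str, resolver: Resolver = srv_lookup_stub,
               cross_domain: bool = True) -> Route:
    """Decide which server receives the authentication request."""
    account, domain = split_domain(logon_name)
    if domain in AAA_SERVERS:
        return Route(account, domain, AAA_SERVERS[domain], "aaa")
    if not cross_domain:
        raise PermissionError(
            f"domain {domain} has no AAA server and cross-domain support is off")
    dc = resolver(domain)
    if dc is None:
        # Fail closed: never guess a DC or silently retry against another domain.
        raise PermissionError(f"no domain controller found for {domain}")
    return Route(account, domain, dc, "dns")


if __name__ == "__main__":
    for name in ("userA@domainA.com", "userb@domainB.com", "username", "DOMAINB\\bob"):
        r = route_auth(name)
        print(f"{name:20} -> {r.server} ({r.source})")
```

The two things worth noticing when reading the output are that `userA@domainA.com` is served by the configured AAA object while `userb@domainB.com` is served only because DNS discovery found a controller, and that a domain which is neither configured nor resolvable is refused rather than silently sent to the default realm. That matches the symptom in the post, where switching off the split leaves the domain unresolved and every UPN-style logon fails.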