Forum Discussion
Multiple AD Authentication
We have AD users in other domains that have a two-way trust with ours. We have people in two-way trusted domains that also need access to the same tenants. We are struggling to figure out how to include those AD users without just creating local users. Does anyone have experience using multiple AD domains or two-way trusted domains to authenticate to an F5 Tenant? We are using the r4600 series appliances.
I'm guessing on the User Directory dropdown, you don't see "Remote - APM Based"? I believe you need APM (Limited Mode) provisioned to unlock that. Keep in mind that provisioning may require a short change window.
- Leslie_Hubertus (Ret. Employee)
Hi HerrDrachen, I see nobody in the community has replied yet, so I'm asking if one of my colleagues can help out.
Also, I like your username. 🙂
- HerrDrachen (Altocumulus)
Thanks for checking this out for me. I cannot seem to find this easily, and with the r4600 series and F5OS being pretty new, not a lot of people seem to have intensive knowledge about it.
- buulam (Admin)
Hey HerrDrachen can you clarify if you're referring to an APM access scenario or device management access?
- HerrDrachen (Altocumulus)
This is in relation to device management access. We are made up of 6 organizations using 6 different AD domains but all in the same forest. I created partitions in the tenant for each of them and I would like them to be managers of their own partitions. The domain listed in the device for LDAP purposes is xyz.com, so users in 123.com, abc.com, etc. are not showing up even though we have a two-way trust between xyz.com and all of the others. In some of the other tools we use, AD either understands the trust and they just log in with the normal domain credentials, or we have to add each AD domain in individually.
- buulam (Admin)
Ok thanks for that detail. If you go into Authentication and configure User Directory, you should see Remote APM-Based as an option there. From there, you should be able to select Active Directory and it's similar to setting up an APM policy and you should have an option to enable Cross-domain support from there. Let me know if you see those options?