Kevin_Stewart
Apr 21, 2014 (Employee)
A few key points of observation:
- You don't need SSO Credential Mapping with Kerberos SSO.
- Cross-domain/cross-forest Kerberos SSO requires that:
  - Both domains/forests must have a full two-way transitive trust for Constrained Delegation to work.
  - The APM Kerberos SSO AD service account MUST be in the same domain as the web server. Users can be anywhere.
  - The F5 must be able to resolve and communicate with both domains/forest KDCs. For multi-domain, it's usually easiest to point DNS at the global catalog server.