Forum Discussion

ottleydamian
Sep 27, 2019

APM multi domain authentication failure

In our environment we have 3 regions: na, ap and emea. I'm using the iApp for Exchange 2010 and only my na users can authenticate. When I use the top-level domain, no one can authenticate. When I use a specific region, I can only authenticate in the na region. We don't use anonymous binding, and the admin service account is in na. The AD team says that I should be able to authenticate users with the na admin account anywhere and not have one for each region. All other apps we have in our environment don't require an account in each region.
When I use the adtest command to verify, I notice that the command appends the regional domain to the query and so it fails. I'm guessing that is what the F5 is doing also. Is there a way to force the F5 not to append the region domain and/or force it to use na? See results below:
adtest -t query -h "123.na.company.com" -r "na.company.com" -A F5adminAcc -W password -u jimjones

Test done: total tests: 1, success=1, failure=0
adtest -t query -h "123.ap.company.com" -r "ap.company.com" -A F5adminAcc -W password -u aaronsingh

ERROR: query with '(sAMAccountName=aaronsingh)' failed: Client 'F5adminAcc@AP.COMPANY.COM' not found in Kerberos database, principal name: F5adminAcc@AP.COMPANY.COM. Please verify Active Directory and DNS configuration. (-1765328378)

Test done: total tests: 1, success=0, failure=1
Note: Any na user cannot auth in ap or emea and vice versa. Can the Cross Domain Support option help in this case?
Any assistance will be greatly appreciated!