cross domain support
1 TopicAPM Active Directory Trusted Domains - how to use?
Hi, I checked all docs and community but can't figure out how this feature works. Let's assume we have two AD AAA servers defined: DomainA - no trust with DomainB DomainB - no trust with DomainA Then there is Active Directory Trusted Domains object created containing both AD AAA servers, with DomainA set as root - named TrustedAB. In Access Policy AD Auth object is configured like that: Server: None Trusted Domains: TrustedAB Cross Domain Support: Enabled In Logon Page object Split domain from full Username is set to Yes. I expected that based on value in session.logon.last.domain AD Auth will be smart enough to choose correct AD AAA srv from included in Trusted Domains. But it's not the case. AD Auth is sending KRBR request to AD AAA Srv defined as Root in selected Trusted Domains object. Realm in request is set to DomainA When targeted server replies with wrong realm error process is finished and authentication fails. When there is two way forest trust between DomainA and DomainB then target AD srv replies with Kerberos referral placing DomainB in crealm parameter. Then AD Auth performs new KRBR request to Domain B AD AAA Srv and authentication works. So how exactly Active Directory Trusted Domains works and when it makes sense to use it? For sure not when all Domains have two way (or even one way) tust configured - in this case setting one AD AAA Srv end enabling Cross Domain Support is enough. Piotr619Views0likes2Comments