cross domain
2 Topics

APM AD auth and multi-domain forest
Hi All,

Let me preface this by saying that I am a Linux guy who pokes at Active Directory once in a blue moon. I've been trying to work through this problem but so far have not had any great results.

I have a client whose AD environment has multiple domains that belong to the same forest. Each domain has its own set of AD servers, and the client wants users from any domain to be able to authenticate to APM protected services. Unfortunately, if I use tools such as ldapsearch to query for users from a particular domain against a server for "my" domain (the one the F5 has credentials in), I get a referral. The F5 seems unable to chase the referral.

A potential complication is that this system is also running route domains and the customer's environment is not in RD 0. For single domain clients this works just fine, so I do not know if this is a factor.

What is the best way to teach the F5 about multiple AD domains/realms? This is a sample error:

AD module: Domain Controller is not specified for domain 'FOO.BAR.COM', KDCs will be discovered using DNS
AD agent: Auth (logon attempt:0): authenticate with 'svc_f5' failed
Session variable 'session.ad.last.errmsg' set to 'Realm not local to KDC, principal name: svc_f5@FOO.BAR.COM@BAR.COM. Realm not found. Please verify Domain Name configured.'

Some detail about the setup:

Split domain from username is enabled in the Logon Page object.
Cross domain authentication is enabled in the AD Auth object.
Example domains: bar.com, foo.bar.com
My F5's admin account is "svc_f5.foo.bar.com". This account seems to have rights to query any of the domain controllers that I have tried to use.
Server A knows about "bar.com". Server B knows about "foo.bar.com". Either server seems unwilling to answer queries for the other domain.
Since I can only select one domain in an AD AAA resource, my thinking now is to do a match in the VPE based on the domain provided by the client and then present the appropriate AD Auth config, but this adds much complexity. Any advice is greatly appreciated!!

Thanks, Josh

500 Views 0 likes 4 Comments

F5 APM || Multi domain support
Hi, I'm new to APM. We are doing a POC in our lab using F5 APM v11.6 to integrate with 2010 CAS for the Outlook Web App service. Our AD infra has 3 domains in the same forest with bi-directional implicit trust. Now the requirement is to get the user authenticated by using his AD login id & pwd without using the domain name as the third option. Without selecting the domain name in the login page, we have to set the APM to query all 3 domains and authenticate if the account is found in any one of the 3 domains. Please let me know how this can be achieved. Will querying all 3 domains be an ineffective way (will that cause delay in authentication)? Also, I would like to know if we have a better option to get this enabled.

Summary:

Objective: the user will key in only his domain id and pwd, without specifying the relevant domain name. APM should be able to identify the user's domain (within the 3 domains available) and then authenticate to that domain using the key provided by the user in the login page.

Example:
"usera" - in "domain a"
"userb" - in "domain b"
"userc" - in "domain c"

Domain a, b and c are in the same forest and have implicit trust. Users log in only with their username/pwd, so APM should find that "usera" is part of "domain a" and then authenticate him.

I hope the part 3 series of the below URL should have that info, but I'm not able to find that in my search.
https://devcentral.f5.com/articles/apm-cookbook-multiple-domain-authentication-part-1

258 Views 0 likes 2 Comments
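Both threads describe the same branching: split the realm from the logon, and when the logon carries no realm, find out which domain of the forest knows the account before handing it to that domain's own AAA configuration. The following Python is an added illustration of that logic; it is not code from either post, from F5, or from the APM cookbook linked above. The forest, the DC host names and the in-memory "directory" are constructed placeholders: in a real deployment the lookup behind `locate_user` would be an LDAP query per domain (or against the forest's Global Catalog), not a dictionary. It also includes a log check that flags the double-realm principal shape (`svc_f5@FOO.BAR.COM@BAR.COM`) visible in the first post's error line, which is what you get when a realm is appended to a name that already has one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DomainConfig:
    """Per-domain settings a separate AAA object would carry (hypothetical values)."""
    realm: str      # Kerberos realm / AD DNS domain name, upper-case
    kdc: str        # domain controller authoritative for that realm
    ldap_base: str  # search base of that domain's own partition


# Constructed forest of three domains, mirroring the two posts' examples.
FOREST: Dict[str, DomainConfig] = {
    "BAR.COM":     DomainConfig("BAR.COM",     "dc-a.bar.com",     "DC=bar,DC=com"),
    "FOO.BAR.COM": DomainConfig("FOO.BAR.COM", "dc-b.foo.bar.com", "DC=foo,DC=bar,DC=com"),
    "BAZ.BAR.COM": DomainConfig("BAZ.BAR.COM", "dc-c.baz.bar.com", "DC=baz,DC=bar,DC=com"),
}

# Constructed stand-in for "does domain X know this account?". A DC only
# answers for its own partition; asking it about a sibling domain yields a
# referral, which is why each domain is consulted through its own config.
DIRECTORY: Dict[str, Set[str]] = {
    "BAR.COM":     {"usera", "shared"},
    "FOO.BAR.COM": {"userb", "svc_f5"},
    "BAZ.BAR.COM": {"userc", "shared"},  # "shared" exists in two domains on purpose
}


def split_logon(logon: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' or 'DOMAIN\\user' into (user, REALM); a bare name gets None.

    The domain part is assumed to be DNS-style; NetBIOS short names would
    need a separate mapping table, which this sketch does not model.
    """
    if "@" in logon:
        user, _, realm = logon.partition("@")
        return user, realm.upper()
    if "\\" in logon:
        domain, _, user = logon.partition("\\")
        return user, domain.upper()
    return logon, None


def build_principal(user: str, realm: str) -> str:
    """Form the Kerberos principal the KDC will be asked about.

    Refuses to append a realm to a name that already carries one, because that
    produces the 'svc_f5@FOO.BAR.COM@BAR.COM' shape seen in the first post's log
    and no KDC will consider such a realm local.
    """
    if "@" in user:
        raise ValueError(f"user {user!r} already carries a realm; refusing to append {realm!r}")
    return f"{user}@{realm.upper()}"


def locate_user(user: str, directory: Dict[str, Set[str]] = DIRECTORY) -> List[str]:
    """Return every realm that knows `user` (the bare-username case of the second post)."""
    return [realm for realm, members in directory.items() if user in members]


def resolve(logon: str, forest: Dict[str, DomainConfig] = FOREST,
            directory: Dict[str, Set[str]] = DIRECTORY) -> DomainConfig:
    """Pick the per-domain configuration a VPE branch should hand this logon to."""
    user, realm = split_logon(logon)
    if realm is None:
        hits = locate_user(user, directory)
        if not hits:
            raise LookupError(f"{user!r} not found in any domain of the forest")
        if len(hits) > 1:
            # sAMAccountName is unique per domain, not per forest: a bare
            # username cannot be authenticated safely until disambiguated.
            raise LookupError(f"{user!r} is ambiguous across realms {hits}")
        realm = hits[0]
    if realm not in forest:
        raise LookupError(f"no AAA configuration for realm {realm!r}")
    return forest[realm]


# Matches the principal quoted in an APM 'Realm not local to KDC' message.
PRINCIPAL_RE = re.compile(r"principal name: (\S+?)\.\s")


def diagnose_log_line(line: str) -> Optional[str]:
    """Flag a log line whose quoted principal carries more than one '@'."""
    m = PRINCIPAL_RE.search(line)
    if not m:
        return None
    principal = m.group(1)
    if principal.count("@") > 1:
        return f"double realm in principal {principal}: a realm was appended to a name that already had one"
    return None


if __name__ == "__main__":
    for logon in ("usera@bar.com", "userb", "FOO.BAR.COM\\svc_f5"):
        cfg = resolve(logon)
        print(f"{logon:22} -> realm {cfg.realm} via {cfg.kdc}")
    sample = ("Session variable 'session.ad.last.errmsg' set to 'Realm not local to KDC, "
              "principal name: svc_f5@FOO.BAR.COM@BAR.COM. Realm not found.'")
    print(diagnose_log_line(sample))
```

The ambiguity branch is the caveat worth keeping in mind for the "query all 3 domains" approach: if the same account name exists in more than one domain, a bare-username login has to be refused or sent back for a domain choice rather than authenticated against whichever domain answered first.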