Forum Discussion
action_-_322447
Nimbostratus
Just my 2c, might not be relevant to your situation.
I experienced something similar when I was trying to set up an Office Online Server and attach it to our SharePoint VIP with smart card auth. Turns out I didn't need to mess with SPNs/configure Kerberos or anything. SharePoint ACLs were handling the access to the files, and the IIS site used anonymous authentication.
Kevin_Stewart
Oct 12, 2018
Employee
By tenant domain, do you mean a separate trusted domain for user accounts?
If so, there are a few things you need to do:
- You must ensure that the domains have a full two-way transitive trust (it wouldn't work at all if this wasn't the case)
- The APM SSO account and the target service (assuming IIS) must be in the SAME domain.
- APM must be able to DNS resolve (SRV records) the trusted domain and must have direct connectivity to it.
- To avoid ambiguity, the APM SSO account should use a full SPN that identifies what domain it's in (e.g. host/f5kdc.example.com). This same string is needed in three places: the APM SSO username, the AD delegation account's userPrincipalName and servicePrincipalName.
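As an added example (not from this thread, and not F5's own tooling), a PowerShell pre-flight check for the requirements in the post above: trust direction and transitivity, KDC SRV resolution for the trusted domain, and the same host/fqdn string on the delegation account's UPN and SPN. It assumes the RSAT ActiveDirectory module is installed, that the UPN attribute carries an @realm suffix after the host/fqdn prefix, and that the account, SPN and domain values below are placeholders to replace.

```powershell
# Pre-flight check for APM Kerberos SSO across a trusted domain (added example, not from the thread).
# Assumes the RSAT ActiveDirectory module; all values below are placeholders.
Import-Module ActiveDirectory

$SsoUsername    = 'host/f5kdc.example.com'  # APM SSO username as configured in APM (placeholder)
$DelegationAcct = 'f5kdc'                   # sAMAccountName of the AD delegation account (placeholder)
$TrustedDomain  = 'users.example.com'       # the "tenant" domain holding user accounts (placeholder)
$ServiceDomain  = 'example.com'             # domain holding the SSO account and the IIS target (placeholder)

$ok = $true

# 1. The trust to the user domain, seen from the service domain, must be two-way and transitive.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $ServiceDomain -ErrorAction SilentlyContinue
if (-not $trust) { Write-Warning "No trust object for $TrustedDomain found in $ServiceDomain"; $ok = $false }
elseif ($trust.Direction -ne 'BiDirectional') { Write-Warning "Trust to $TrustedDomain is $($trust.Direction), not two-way"; $ok = $false }
elseif (-not $trust.ForestTransitive) { Write-Warning "Trust to $TrustedDomain is not transitive"; $ok = $false }

# 2. APM must find the trusted domain's KDCs via SRV records; run this from a host that uses APM's DNS servers.
$srv = Resolve-DnsName -Name "_kerberos._tcp.$TrustedDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.QueryType -eq 'SRV' }
if (-not $srv) { Write-Warning "No _kerberos._tcp SRV records for $TrustedDomain"; $ok = $false }
else { $srv | ForEach-Object { Write-Host "KDC for ${TrustedDomain}: $($_.NameTarget):$($_.Port)" } }

# 3. The same host/fqdn string must be the UPN prefix and appear in the SPN list of the delegation account.
$acct = Get-ADUser -Identity $DelegationAcct -Server $ServiceDomain -Properties userPrincipalName, servicePrincipalName
$upnPrefix = ($acct.userPrincipalName -split '@')[0]   # assumption: UPN stored as host/fqdn@REALM
if ($upnPrefix -ne $SsoUsername) {
    Write-Warning "UPN prefix '$upnPrefix' does not match APM SSO username '$SsoUsername'"; $ok = $false
}
if ($acct.servicePrincipalName -notcontains $SsoUsername) {
    Write-Warning "SPN list lacks '$SsoUsername': $($acct.servicePrincipalName -join ', ')"; $ok = $false
}

if ($ok) { Write-Host 'Trust, SRV and SPN/UPN checks passed.' }
else     { Write-Host 'One or more checks failed; see warnings above.' }
```

Direct network connectivity from APM to the trusted domain's KDCs is not covered here and still has to be verified from the BIG-IP itself.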