Forum Discussion
Just my 2c, might not be relevant to your situation.
I experienced something similar when I was trying to set up an office online server and attach it to our SharePoint VIP with smart card auth. Turns out I didn't need to mess with SPNs/configure Kerberos or anything. SharePoint ACLs were handling the access to the files and the IIS site used anonymous authentication.
Kevin,
There won't be any trust between these domains. I call this a "tenant" domain from a network perspective. It exists completely separate from our primary infrastructure for security directives a long time ago.
- APM SSO account and the target service are in the same domain
- DNS resolution... I configured host entries for this domain (6 servers) on the LTM/APM, but it would be better to be able to define DNS "domains" in TMOS for things like this. I have this cluster leveraging a GTM DNS Delivery listener and I use an iRule to select the DNS pool based on DNS Question name... so requests with names containing "*tenant.domain" go to the two tenant DCs. I need to revalidate this. This domain/Realm has also been defined in krb5.conf.
The APM SSO account is specific to this domain, but does not contain the full domain name. Is this a requirement or are you suggesting simply for best practice? This will be my only application that is off of my primary domain.
I opened a TAC case on this... but so far nothing has been identified as erroneous in the config.
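As an added illustration of the DNS-steering approach described above (example code written for this thread, not the poster's own iRule): a DNS listener iRule that sends questions for the tenant suffix to the tenant DC pool and everything else to the primary pool. The pool names, the `.tenant.domain` suffix and the default-pool fallback are assumptions.

```tcl
# Assumed iRule attached to a GTM/DNS listener virtual server.
# Pool names and the tenant suffix are placeholders for this example.
when DNS_REQUEST {
    # Normalise the question name so case differences in the query
    # do not cause a miss (DNS names are case-insensitive).
    set qname [string tolower [DNS::question name]]

    # Match the tenant suffix on a label boundary rather than a bare
    # substring, so "nottenant.domain" is not steered to the tenant DCs.
    if { ($qname ends_with ".tenant.domain") || ($qname equals "tenant.domain") } {
        # Assumed pool containing the two tenant domain controllers.
        pool tenant_dc_dns_pool
    } else {
        # Assumed pool for the primary infrastructure resolvers.
        pool primary_dns_pool
    }
}
```

To revalidate the steering, query the listener directly for a tenant host and a primary host (e.g. with `dig @<listener-ip> <name>`) and confirm in the DNS pool statistics that each query hit the expected pool.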