Forum Discussion

eburton_25849
Nimbostratus
Dec 01, 2015

Changing AD UPN

We are using APM for Edge Client access, SharePoint and other resources. We are considering changing the UPN in Active Directory; we are using multiple domains in our authentication scheme. Is this doable? What kind of issues am I looking at, and could there be any workarounds?


5 Replies

  • We are one forest with 2 authentication domains and one resource domain. Is that what you are looking for?


  • Kind of. Do you present the user with a drop-down on the login page so they can select their domain, or do you use Kerberos referrals in AD?


  • Do your domains have a domain trust? I will assume yes, because if you didn't, the UserDomain could not access the ResourceDomain.


    So, if your domains are trusted, and authoritative for unique domain suffixes, then you can just make sure that DNS is properly configured in all domains, and allow LDAP forwarding to do its job.


    Are you using Kerberos? You can enable DNS lookups for REALMS in the krb5.conf file on the BIG-IP to help. You can also hard-code the KDC for the REALMS you know you need to support. You can also use an iRule to determine which REALM users are in and modify as needed. This will make sure that when the request comes in to the KDC, it knows which KDC to send the request to for that specific REALM.


    For example:


    # iRule attached to the virtual server; fires when an iRule Event agent
    # in the access policy runs. The agent ID selects which realm to set.
    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "DOMAIN1" {
                ACCESS::session data set session.logon.last.domain "F5LAB.LOCAL"
            }
            "DOMAIN2" {
                ACCESS::session data set session.logon.last.domain "MSDOMAIN.LOCAL"
            }
        }
    }
  • We are using NTLM domains corp.domainad.com and ncu.domainad.com, and the users log in using corp\ or ncu\. corp is set up as the default authentication domain. The new UPN being introduced to facilitate Office 365 is domain.com. So far our testing with just one or two users seems to be working OK. I am worried about SSO.
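The following iRule is an added example, not code posted in this thread. It fleshes out the earlier suggestion of using an iRule to determine which realm a user belongs to, using the logon formats described in the last reply (corp\user and ncu\user, with corp as the default domain). The agent ID REALM_LOOKUP, the realm names CORP.DOMAINAD.COM and NCU.DOMAINAD.COM (derived from the thread's DNS domain names) and the handling of the shared domain.com UPN suffix are assumptions. It also covers the UPN case the thread is moving toward: once every account carries the same domain.com suffix, the suffix alone no longer identifies the account domain, so the rule falls back to the default domain rather than guessing.

```tcl
# Added example iRule (not from the thread). Assumes an iRule Event agent
# with agent ID "REALM_LOOKUP" placed in the access policy after the logon
# page. Realm names are assumptions based on the domains named in the thread.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "REALM_LOOKUP" } { return }

    set logon [ACCESS::session data get session.logon.last.username]
    set user $logon
    set domainhint ""

    # Accept both NTLM-style DOMAIN\user and UPN-style user@suffix input.
    if { [string first "\\" $logon] >= 0 } {
        set parts [split $logon "\\"]
        set domainhint [string tolower [lindex $parts 0]]
        set user [lindex $parts 1]
    } elseif { [string first "@" $logon] >= 0 } {
        set parts [split $logon "@"]
        set user [lindex $parts 0]
        set domainhint [string tolower [lindex $parts 1]]
    }

    # Assumed mapping from NetBIOS names / DNS suffixes to Kerberos realms.
    switch -- $domainhint {
        "corp" -
        "corp.domainad.com" { set realm "CORP.DOMAINAD.COM" }
        "ncu" -
        "ncu.domainad.com"  { set realm "NCU.DOMAINAD.COM" }
        default {
            # No hint, or the shared UPN suffix (domain.com) that is the same
            # for accounts in both domains: use the default authentication
            # domain instead of guessing.
            set realm "CORP.DOMAINAD.COM"
        }
    }

    # Hand the bare username and the chosen realm to the rest of the policy.
    ACCESS::session data set session.logon.last.username $user
    ACCESS::session data set session.logon.last.domain $realm
    log local0. "realm selection: logon=$logon realm=$realm"
}
```

The log line is there so that realm selection can be checked per session in /var/log/ltm while testing a UPN change; if accounts in both domains end up with the domain.com suffix, the only way to route them correctly is a directory lookup (or the login-page domain selector mentioned earlier), not string parsing.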