Forum Discussion

Piotr_Lewandows's avatar
Piotr_Lewandows
Icon for Altostratus rankAltostratus
Nov 20, 2017

APM Active Directory Trusted Domains - how to use?

Hi,

 

I checked all docs and community but can't figure out how this feature works.

 

Let's assume we have two AD AAA servers defined:

 

  • DomainA - no trust with DomainB
  • DomainB - no trust with DomainA

Then there is Active Directory Trusted Domains object created containing both AD AAA servers, with DomainA set as root - named TrustedAB.

 

In Access Policy AD Auth object is configured like that:

 

  • Server: None
  • Trusted Domains: TrustedAB
  • Cross Domain Support: Enabled

In Logon Page object Split domain from full Username is set to Yes.

 

I expected that based on value in session.logon.last.domain AD Auth will be smart enough to choose correct AD AAA srv from included in Trusted Domains.

 

But it's not the case. AD Auth is sending KRBR request to AD AAA Srv defined as Root in selected Trusted Domains object. Realm in request is set to DomainA

 

When targeted server replies with wrong realm error process is finished and authentication fails.

 

When there is two way forest trust between DomainA and DomainB then target AD srv replies with Kerberos referral placing DomainB in crealm parameter.

 

Then AD Auth performs new KRBR request to Domain B AD AAA Srv and authentication works.

 

So how exactly Active Directory Trusted Domains works and when it makes sense to use it?

 

For sure not when all Domains have two way (or even one way) tust configured - in this case setting one AD AAA Srv end enabling Cross Domain Support is enough.

 

Piotr

 

aaa srv
access policy
active directory trusted domains
ad auth
APM
cross domain support
devops

2 Replies

Sort By
  • sergio_baza_alo's avatar
    sergio_baza_alo
    Icon for Altocumulus rankAltocumulus
    Dec 05, 2017

    Hello,

     

    I'm facing a similar problem

     

    As I understand you have to set up first a trust relationship between DomainA and DomainB and then you configure the AD Trusted Domains in the APM.

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/2.html

     

    The one that is configured as root is going to be asked for a Ticket to authenticate against the other domains.

     

    https://blogs.technet.microsoft.com/mir/2011/06/12/accessing-resources-across-forest-and-achieve-single-sign-on-part1/

     

    So the root AD should be DomainA AD for A Users or DomainB for B Users.

     

    Also another option could be Split the users by domain and authenticate each one with their AD, something like this:

     

    https://f5guru.com/2014/11/17/apm-cookbook-multiple-domain-authentication-part-2/

     

    Good luck!

     

    • dragonflymr's avatar
      dragonflymr
      Icon for Cirrostratus rankCirrostratus
      Dec 05, 2017

      Hi,

       

      Well, I did test for different configurations and can't see difference between:

       

      • DomainA and DomainB with Two Way Forest Trust (could be on way as well)
      • DC from DomainA set as AD AAA server
      • Split used in Logon Page object
      • In AD Auth object:
        • Cross Domain Support: enabled
        • Server: set to AD AAA for DomainA

      Same as above but:

       

      • Trusted Domain object set with DomainA and DomainB AD AAA objects
      • DomainA AD AAA set as root
      • AD Auth using above Trusted Domain instead of Server option

      Effect is exactly the same: both users from DomainA and DomainB can authenticate.

       

      In both cases DomainA DC is sending KRBR referral when user from DomainB is trying to authenticate. Then APM is sending KRBR request to DomainB DC

       

      So what is a point in using Trusted Domain?

       

      Only I can think about is selecting which DC will be used as one responsible for sending KRBR referrals - is that only feature provided by Trusted Domains?

       

      For sure APM is not choosing DC based on domain specified on Logon Page. For Trusted Domain config I always see (in Wireshark) first KRBR request send to DC set as root. No matter from which domain authenticating user is.

       

      Am I missing something important here?

       

      Piotr