Steve_Lyons
Jul 31, 2018 (Ret. Employee)
Cross Domain / Cross Forest Kerberos SSO
Does anyone have a how-to or gotchas when deploying cross-domain or cross-forest Kerberos SSO? I am currently working on a how-to but curious if anyone has anything already and would like to share their own lessons learned. Thanks!
Below are the known requirements as stated by Kevin Stewart.
Cross-domain/cross-forest Kerberos SSO requires that:
- Both domains/forests must have a full two-way transitive trust for Constrained Delegation to work.
- The APM Kerberos SSO AD service account MUST be in the same domain as the web server. Users can be anywhere.
- The F5 must be able to resolve and communicate with both domains'/forests' KDCs. For multi-domain, it's usually easiest to point DNS at the global catalog server.
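The three requirements above can be checked before touching the APM configuration. The script below is an added example, not part of this post or of Kevin Stewart's list, and it is written for a domain-joined admin host with the RSAT ActiveDirectory module; the domain names, the delegation account name and the web server name are hypothetical placeholders. It checks that the trust between the user domain and the web-server domain is two-way and transitive (an intra-forest trust also qualifies), that the APM delegation account lives in the web server's domain and is allowed to delegate to the web server's HTTP SPN, and that the KDCs of both domains can be located and reached on port 88. The DNS and port checks are run from the admin host, so they only approximate what the BIG-IP sees; repeat them with the BIG-IP's own DNS settings.

```powershell
# Added pre-flight check for cross-domain/cross-forest APM Kerberos SSO.
# Hypothetical names: adjust to the environment under review.
Import-Module ActiveDirectory

$UserDomain   = 'corp.example'          # where the users live (any domain is fine)
$ServerDomain = 'apps.example'          # domain of the Kerberos-protected web server
$KcdAccount   = 'svc-apm-kcd'           # APM Kerberos SSO delegation account (must be in $ServerDomain)
$WebServer    = 'web01.apps.example'    # FQDN of the back-end web server

$problems = @()

# 1. Trust between the two domains: two-way and transitive (forest trust or intra-forest).
$trust = Get-ADTrust -Filter "Target -eq '$ServerDomain'" -Server $UserDomain -ErrorAction SilentlyContinue
if (-not $trust) {
    $problems += "No trust object from $UserDomain to $ServerDomain"
} else {
    if ($trust.Direction -ne 'BiDirectional') {
        $problems += "Trust direction is $($trust.Direction); a two-way trust is required"
    }
    if (-not ($trust.ForestTransitive -or $trust.IntraForest)) {
        $problems += "Trust is not transitive (not a forest trust and not intra-forest)"
    }
}

# 2. Delegation account: must exist in the web server's domain and be constrained
#    to delegate to the web server's HTTP service. Querying a DC of $ServerDomain
#    directly means any result returned is an object of that domain.
$account = Get-ADUser -Identity $KcdAccount -Server $ServerDomain `
    -Properties 'msDS-AllowedToDelegateTo' -ErrorAction SilentlyContinue
if (-not $account) {
    $problems += "Account $KcdAccount not found in $ServerDomain (it must be in the web server's domain)"
} else {
    $targets = @($account.'msDS-AllowedToDelegateTo')
    if ($targets -notcontains "HTTP/$WebServer") {
        $problems += "Account $KcdAccount is not allowed to delegate to HTTP/$WebServer (msDS-AllowedToDelegateTo: $($targets -join ', '))"
    }
}

# 3. KDC discovery and reachability for both domains via the _kerberos SRV records.
foreach ($domain in @($UserDomain, $ServerDomain)) {
    $srv = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        $problems += "No _kerberos SRV records resolved for $domain; DNS cannot locate its KDCs"
        continue
    }
    $reachable = $false
    foreach ($kdc in $srv.NameTarget) {
        if ((Test-NetConnection -ComputerName $kdc -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded) {
            $reachable = $true
            break
        }
    }
    if (-not $reachable) {
        $problems += "None of the KDCs for $domain answered on TCP/88: $($srv.NameTarget -join ', ')"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All cross-domain Kerberos SSO prerequisites look satisfied."
} else {
    Write-Host "Prerequisite problems found:"
    $problems | ForEach-Object { Write-Host " - $_" }
}
```

Run it once from a host in the user domain and once from a host in the server domain; a trust that looks fine from one side but is missing or one-way from the other is exactly the kind of gotcha that shows up as an opaque Kerberos SSO failure on the APM side.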