SSO Using Kerberos Constrained Delegation for Multiple Domains
We are utilizing an SSO Kerberos Configuration to access a few of our applications in our domain (Domain1). Domain1 is a child domain and is configured as the Kerberos Realm in the SSO Kerberos configuration. The account name used in the configuration is also a member of Domain1. This is working for Domain1 clients with no issues. We want to give a different child domain (Domain2) access to these applications. Domain2 is in the same forest as Domain1 and has a two-way trust. The F5 can reach both domains and resolve in DNS. Clients from Domain2 are not able to get a Kerberos ticket. The following errors show in the APM log: "Kerberos: Failed to get ticket for user test@Domain2.com" and "failure occurred when processing the work item".
Is it even possible to have clients from another child domain get a ticket using an F5 in another domain? Also, is there any way to get more detailed logs on why Domain2 cannot get a Kerberos ticket? I have the log level set to debug for Access Policy and SSO.