Kerberos Transparent Auth with multiple domains and server 2012

For a number of years we have been happily using Kerberos Transparent Auth SSO. We have multiple domains around the world.

This continues to work fine for existing gateways. We use the identity agent and with browser based sso as a backup.

So each domain would have the SPN for the gateway and the ckp_pdp registered. It has worked fine for years.

The problem we have regards new gateways that we want to have registered in AD. Previously, in a Server 2008 AD environment, you could have duplicate SPNs in a forest, i.e. each domain could have the new firewall registered.

On Server 2012 AD controllers the use of SPN -a has been deprecated and the SPN has to be unique in the forest. This means that we cannot register the new gateway in each domain.

Has anyone else encountered this? We want to stick with the identity agent, and no identity collectors or AD query.

How did you address this situation? It has only recently been an issue, as we have a couple of new gateways and the last of the old 2008 AD controllers have now gone.

Thanks

3 Replies
Admin

Is the fact the same SPN is used with both domains the issue?
Tagging @Royi_Priov.


Yes, when you add the SPN with -a it used to bypass the check on duplicate entries in the forest. In Server 2012 this has been changed: it checks for duplicates anyway.

This same SPN needs to be added in each domain for SSO to work.

So yes, the issue is that the same SPNs are used in each domain.

Works OK now, as the SPNs are already there.

However, when we get a new firewall with a new name in a different location, we will have a problem for Kerberos SSO as it stands.

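A defender-side check for the duplicate-SPN situation described in the question and in the reply above, added here as an example and not code from the thread. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder SPN; it walks every domain in the forest so a clash is visible before a 2012+ DC refuses the registration.

```powershell
# Added example (not from the thread): list every account in the forest that
# carries a given SPN, one domain at a time, so a duplicate is found before a
# 2012+ DC rejects the registration. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Find-SpnHolders {
    param(
        # Placeholder SPN; substitute the gateway's real service/host name.
        [Parameter(Mandatory)] [string] $Spn
    )
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # -Server with a domain FQDN makes the module pick a DC in that domain,
        # so each domain partition is searched directly rather than via the GC.
        Get-ADObject -Server $domain -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
            ForEach-Object {
                [pscustomobject]@{
                    Domain  = $domain
                    Account = $_.DistinguishedName
                    Class   = $_.ObjectClass
                }
            }
    }
}

# Usage: report where the SPN lives and flag a forest-wide duplicate.
$holders = @(Find-SpnHolders -Spn 'HTTP/gw-new.example.local')
$holders | Format-Table -AutoSize
if ($holders.Count -gt 1) {
    Write-Warning ("SPN is already on {0} accounts across the forest; a further setspn will be refused." -f $holders.Count)
}
# Built-in cross-check for duplicate SPNs across the whole forest:
# setspn -X -F
```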

Any update on this?
