CA Service Management

 Different domain authentication

posted 03-25-2021 07:24 AM
Hello everybody,

I have a requirement and I don't know if it is possible to achieve.

Our customer is changing their CA SDM 12.9 from one domain (Domain A) to another (Domain B). Right now, they have both SDM and users (who use an Access type with domain authentication) in the same domain. But, after moving SDM, they want to have the users in a different domain (Domain C) and they want them to be able to authenticate in SDM. This is:

  • Current scenario:
    • SDM: Domain A.
    • Users: Domain A.
  • Future scenario:
    • SDM: Domain B.
    • Users: Domain C.

They don't have EEM. I have been searching for solutions and found nothing about this. Is it possible to achieve this?

Thank you in advance and regards.
Broadcom Employee
Hi Casar,

I think your best option for multiple domain authentication is to install EEM and use that to point to the multiple domains. Is there any business reason why you cannot install and use EEM for this?
Hello Brian,

I know that would be the best choice, but we don't have enough time for this. I was wondering if I can achieve this goal through some kind of configuration in SDM (external authentication or something). I checked the documentation, there is some information about external authentication but nothing that really helps.

Thank you and regards.
I assume you are talking about Active Directory. Is there not a trust relationship between domains?
Hello Lindsay,

I would say yes, but I am not totally sure. Would this make any difference?

Thank you and regards.
If Service Desk is using OS Authentication (assuming a Windows server), when you try to log in to Service Desk, this is the authentication path that is followed:

  1. If the login ID is a local account (on the server) then the password is verified against the one on that local account (it is very rare that you would be using a local account).
  2. Then Windows checks to see if the login ID is in the Active Directory Domain to which the Service Desk server is associated. If so, then credentials are verified there.
  3. Then Windows checks trusted AD Domains to see if the login ID can be found there.

Note that the authentication path stops when a matching login ID is found. If the same login ID is in more than one domain then the authentication tries to use the first one it finds.
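
An added example (not part of the thread) that models the lookup order described in the post above and flags Domain C login IDs that would match a local or Domain B account first. The scope names and account lists are constructed sample data; in practice they would come from an export of each domain's account names.

```python
def resolve(login_id, search_path):
    """Return the first scope in search_path that holds login_id, or None.

    search_path maps scope name -> set of login IDs, in the order given in
    the post: local accounts, the server's own domain, then trusted domains.
    Matching is case-insensitive, as Windows account names are.
    """
    wanted = login_id.lower()
    for scope, accounts in search_path.items():
        if wanted in {a.lower() for a in accounts}:
            return scope  # the path stops at the first match
    return None


def audit(search_path, expected_scope):
    """List login IDs in expected_scope that are matched in an earlier scope."""
    findings = []
    for login_id in sorted(search_path[expected_scope]):
        hits = [scope for scope, accounts in search_path.items()
                if login_id.lower() in {a.lower() for a in accounts}]
        if hits[0] != expected_scope:
            findings.append({"login_id": login_id,
                             "resolves_in": hits[0],
                             "also_in": hits[1:]})
    return findings


# Constructed inventory; dict order is the assumed search order.
SEARCH_PATH = {
    "LOCAL (SDM server)": {"Administrator", "svc_sdm"},
    "DOMAIN-B": {"jsmith", "helpdesk1", "svc_sdm"},
    "DOMAIN-C": {"JSmith", "mgarcia", "administrator", "pnowak"},
}

if __name__ == "__main__":
    for item in audit(SEARCH_PATH, "DOMAIN-C"):
        print(f"{item['login_id']}: checked against {item['resolves_in']} "
              f"before DOMAIN-C is reached")
```

Each ID it reports is a Domain C user whose credentials would be verified against a different account, so those IDs need renaming or removal from the earlier scope before the move.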