CA Service Management


 Different domain authentication

Cesar Contreras posted Mar 25, 2021 07:24 AM
Hello everybody,

I have a requirement and I don't know if it is possible to achieve.

Our customer is changing their CA SDM 12.9 from one domain (Domain A) to another (Domain B). Right now, they have both SDM and users (who use an Access type with domain authentication) in the same domain. But, after moving SDM, they want to have the users in a different domain (Domain C) and they want them to be able to authenticate in SDM. That is:

  • Current scenario:
    • SDM: Domain A.
    • Users: Domain A.
  • Future scenario:
    • SDM: Domain B.
    • Users: Domain C.

They don't have EEM. I have been searching for solutions and found nothing about this. Is it possible to achieve this?

Thank you in advance and regards.
Lindsay Estabrooks Best Answer
If Service Desk is using OS Authentication (assuming a Windows server), when you try to log in to Service Desk, this is the authentication path that is followed:

  1. If the login ID is a local account (on the server) then the password is verified against the one on that local account (it is very rare that you would be using a local account).
  2. Then Windows checks to see if the login ID is in the Active Directory Domain to which the Service Desk server is associated. If so, then credentials are verified there.
  3. Then Windows checks trusted AD Domains to see if the login ID can be found there.

Note that the authentication path stops when a matching login ID is found. If the same login ID is in more than one domain then the authentication tries to use the first one it finds.
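
To check for the duplicate-login-ID case described in the answer above, the lookup order can be audited before the move. This PowerShell script is an added example, not part of the original thread or of CA SDM; it assumes the RSAT ActiveDirectory module, read access to each domain, and a constructed list of sample login IDs.

```powershell
# Added example: report login IDs that exist in more than one place along
# the lookup order described above (local account, the server's own
# domain, trusted domains). Run on the Service Desk server.
Import-Module ActiveDirectory

# Constructed sample login IDs; replace with the SDM contacts' login IDs.
$loginIds = @('jdoe', 'asmith')

# The server's own domain, then the domains it trusts. An Outbound or
# BiDirectional trust means this domain accepts logons from the other one.
$ownDomain = (Get-ADDomain).DNSRoot
$trusted = Get-ADTrust -Filter * |
    Where-Object { $_.Direction -in 'Outbound', 'BiDirectional' } |
    Select-Object -ExpandProperty Name
$domains = @($ownDomain) + @($trusted)

foreach ($id in $loginIds) {
    $hits = @()

    # Step 1: a local account on the server is checked first.
    if (Get-LocalUser -Name $id -ErrorAction SilentlyContinue) {
        $hits += "LOCAL\$id"
    }

    # Steps 2 and 3: the server's domain, then each trusted domain.
    foreach ($d in $domains) {
        try {
            $u = Get-ADUser -Filter "SamAccountName -eq '$id'" -Server $d
            if ($u) { $hits += "$d\$id" }
        } catch {
            # An unreachable domain is reported, not treated as "no match".
            Write-Warning "Could not query ${d}: $($_.Exception.Message)"
        }
    }

    # More than one hit means the login ID is ambiguous for authentication.
    [pscustomobject]@{
        LoginId   = $id
        FoundIn   = $hits -join ', '
        Ambiguous = ($hits.Count -gt 1)
    }
}
```

Any row with `Ambiguous` set to `True` is a login ID that should be renamed or removed in one of the listed locations before users start authenticating across the trust.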
Broadcom Employee Brian Mathato
Hi Cesar,

I think your best option for multiple domain authentication is to install EEM and use that to point to the multiple domains. Is there any business reason why you cannot install and use EEM for this?
Cesar Contreras
Hello Brian,

I know that would be the best choice, but we don't have enough time for this. I was wondering if I can achieve this goal through some kind of configuration in SDM (external authentication or something). I checked the documentation; there is some information about external authentication, but nothing that really helps.

Thank you and regards.
Lindsay Estabrooks
I assume you are talking about Active Directory. Is there not a trust relationship between domains?
Cesar Contreras
Hello Lindsay,

I would say yes, but I am not totally sure. Would this make any difference?

Thank you and regards.
Cesar Contreras
Hello Lindsay.

Sorry for being late in my response. We have been having some database issues.

In the end, because of this database, we moved to another server that is in the same domain as the users, so I couldn't try with a trusted domain. Anyway, thank you very much for your answer; it is good to know how the authentication works :)

Have a nice day!