I need assistance.
I want to enable multi domain authentication in my environment.
I'm told that CA Identity Governance has that in place.
CA Support has provided me the information below, but it's very unclear.
"We do support multidomain authentication, but a single server, so a trust relationship between the domains needs to be configured.
Each user has to have an attribute for his full login name, i.e. Domain\login (e.g. ZElUPIO\sansh09). Different users can have multiple domains on that attribute."
We have three domains in our environment and they already have a trusted relationship between them.
But I'm still able to authenticate.
-Is there a specific relationship that is required between the domains? (We currently have Bi-directional relationship)
-We can only point at one LDAP server (as CA support has advised); does it have to be the primary DC? (We are currently pointing to a secondary DC)
-Does anyone have a step by step guide on how to do this? If you can provide screenshots of what the config file should look like, please do.
#caidentitysuite14.2 #caidentityportal #identity_manager #identitygovernance
To answer your questions here:
I think a bi-directional relationship is good.
It doesn't need to be the primary DC, as long as the secondary DC can authenticate your domains.
You can try the following. Under those properties:
In each of those properties you have to add the domain name at the end of the property name. For example, you set a system property security.ldap.server.Domain1 with a value of "someserver.domain1.com".
If you have a trust relationship, you can point security.ldap.server to your secondary DC host for all the domains. In your case, with 3 domains, you will need 3 sets of the properties above.
Thank you for your response.
I have tried your solution above and it didn't work.
Please see the attached screenshots of how I added the additional properties.
I notice there is a set of properties that did not contain the domain name. You should add the domain name to them as well.
Could you please provide me an example of this configuration?
Screenshots if you can.
1. "Each user has to have an attribute for his full login name, i.e. Domain\login (e.g. ZElUPIO\sansh09). Different users can have multiple domains on that attribute." This was a comment from CA support.
2. Screenshots of the properties
Maybe I'm missing something from your previous instructions.
Please make sure the below properties are added for your second domain (say “MyDomain”).
security.default.authentication.domain=MyDomain
security.ldap.server.MyDomain=<ADServer2>
security.manager.dn.MyDomain=<AD-DN>
security.manager.password.MyDomain=<DN Password>
To add these properties, go to:
Administration > Settings > Property Settings and click on the "Add New" button at the bottom of the screen.
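The answers above describe a naming convention (one set of security.ldap.server, security.manager.dn and security.manager.password properties per domain, each suffixed with the domain name, plus a single security.default.authentication.domain) and a login format of Domain\login. The following is an added illustration written for this thread; it is not CA Identity Governance code and does not reproduce how the product itself resolves these properties. It models that convention so you can check a property set is complete for every domain before testing logins, and shows how a Domain\login would be mapped to the matching property set. The property set, host names, DNs and passwords are constructed placeholders; the case-insensitive matching of the domain prefix to the property suffix is an assumption, not something the thread confirms.

```python
"""Added illustration, not CA Identity Governance code: models the per-domain
property lookup described in this thread (security.ldap.server.<Domain> etc.)
so a property set can be checked for completeness before testing logins."""

REQUIRED_PER_DOMAIN = (
    "security.ldap.server",
    "security.manager.dn",
    "security.manager.password",
)
DEFAULT_DOMAIN_KEY = "security.default.authentication.domain"

# Constructed sample property set for three trusted domains, all pointed at the
# same secondary DC as the answer suggests. Hosts, DNs and passwords are placeholders.
# DOMAIN3 is deliberately incomplete so the completeness check has something to find.
SAMPLE_PROPERTIES = {
    DEFAULT_DOMAIN_KEY: "DOMAIN1",
    "security.ldap.server.DOMAIN1": "dc02.domain1.example",
    "security.manager.dn.DOMAIN1": "CN=svc-idg,OU=Service,DC=domain1,DC=example",
    "security.manager.password.DOMAIN1": "placeholder-1",
    "security.ldap.server.DOMAIN2": "dc02.domain1.example",
    "security.manager.dn.DOMAIN2": "CN=svc-idg,OU=Service,DC=domain2,DC=example",
    "security.manager.password.DOMAIN2": "placeholder-2",
    "security.ldap.server.DOMAIN3": "dc02.domain1.example",
}


def configured_domains(props):
    """Every domain suffix that appears on at least one per-domain property."""
    domains = set()
    for key in props:
        for prefix in REQUIRED_PER_DOMAIN:
            if key.startswith(prefix + "."):
                domains.add(key[len(prefix) + 1:])
    return domains


def missing_properties(props):
    """Map each incompletely configured domain to the property names it lacks.

    An empty dict means every domain that has any suffixed property has all
    three, and the default domain is itself configured.
    """
    missing = {}
    domains = configured_domains(props)
    default = props.get(DEFAULT_DOMAIN_KEY)
    if default is not None:
        domains.add(default)  # the default domain needs a full set too
    for domain in sorted(domains):
        absent = [f"{p}.{domain}" for p in REQUIRED_PER_DOMAIN if f"{p}.{domain}" not in props]
        if absent:
            missing[domain] = absent
    return missing


def split_login(login, props):
    """Split 'DOMAIN\\user' into (DOMAIN, user); a bare login gets the default domain."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    else:
        domain, user = props[DEFAULT_DOMAIN_KEY], login
    if not domain or not user:
        raise ValueError(f"malformed login {login!r}")
    return domain, user


def resolve_bind(login, props):
    """Pick the LDAP server and manager credentials for the domain in the login.

    Assumption (not confirmed by the thread): the domain prefix is matched to
    the property suffix case-insensitively, as Windows domain names are.
    """
    domain, user = split_login(login, props)
    by_lower = {d.lower(): d for d in configured_domains(props)}
    suffix = by_lower.get(domain.lower())
    if suffix is None:
        raise LookupError(f"no security.*.{domain} properties configured")
    absent = missing_properties(props).get(suffix)
    if absent:
        raise LookupError(f"domain {suffix} is incomplete: missing {', '.join(absent)}")
    return {
        "domain": suffix,
        "user": user,
        "server": props[f"security.ldap.server.{suffix}"],
        "manager_dn": props[f"security.manager.dn.{suffix}"],
        "manager_password": props[f"security.manager.password.{suffix}"],
    }


if __name__ == "__main__":
    for domain, absent in missing_properties(SAMPLE_PROPERTIES).items():
        print(f"{domain}: missing {absent}")
    print(resolve_bind("DOMAIN2\\sansh09", SAMPLE_PROPERTIES))
```

Run against an export of your own property settings, the first loop lists any domain that is missing one of the three suffixed properties, which is the situation the earlier reply points at; a login for such a domain fails in resolve_bind with the missing names rather than silently falling back to another domain.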