Symantec Access Management


Windows Authentication (IWA/NTLM) on multi-domain using two-way AD trust

  • 1.  Windows Authentication (IWA/NTLM) on multi-domain using two-way AD trust

    Posted Nov 20, 2017 11:16 AM

    Scenario (see attached image): we have 4 AD Domains (,,, that are part of the forest COMPANY.COM. The four domains A, B, C and D are configured with a two-way trust with another domain, called EXTRA.COM, located in a different data center. Finally, EXTRA.COM is configured with a two-way trust with the main forest domain COMPANY.COM.



    Requirement: have Windows Authentication using NTLM for all the users of A, B, C and D domains.


    Idea: configure an IIS Web Server + Web Agent that manages the Windows Authentication scheme against only the COMPANY.COM forest domain.


    Question: with this configuration, does NTLM Windows Authentication work for all the users of all the child domains A, B, C and D?



    Thanks and regards,


  • 2.  Re: Windows Authentication (IWA/NTLM) on multi-domain using two-way AD trust
    Best Answer

    Posted Nov 21, 2017 09:02 AM

    Hi Gabriele,


    As long as NTLM authentication works on the AD side, it should work when authenticating through CA SSO. I do not see any reason why NTLM authentication would not work in your main domain, as all the domains have a transitive two-way trust between them. When the authentication request comes to, the DC will talk with the DC, and this one will do the same with the subdomain DC (like, following the current trust relationship design you deployed.


    You can check the following documents for more details regarding 2-way transitive trusts for NTLM:


    As suggested in the last one, you could check with your MS admins whether adding shortcut trusts would be possible, so that when you do the authentication request in, it could use the shortcut to the subdomain directly without having to go first to the DC.


    I hope it helps!
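A way to verify the trust path and the resulting NTLM logons on the IIS host, as an added example that is not part of the original thread. It reads the trust flags that decide whether an NTLM pass-through request can continue past each hop (parent/child and forest trusts are transitive; an external trust between two domains in different forests is not) and then summarises the 4624 network logons IIS actually recorded, grouped by the user's domain and NTLM version. It assumes the RSAT ActiveDirectory module is installed on the machine you run it from, and that COMPANY.COM and EXTRA.COM stand in for your real domain names.

```powershell
# Added example, not code from the original post or from CA SSO.
# Assumes the RSAT ActiveDirectory module; domain names below are placeholders.
Import-Module ActiveDirectory

function Get-TrustPathSummary {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Get-ADTrust exposes the flags that matter for NTLM pass-through:
    # IntraForest (parent/child, tree-root) and ForestTransitive (forest trust)
    # trusts are transitive; an uplevel trust with neither flag is an external
    # trust, and referrals stop at that hop.
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $transitive = [bool]($_.IntraForest -or $_.ForestTransitive)
        [pscustomobject]@{
            Source     = $_.Source
            Target     = $_.Target
            Direction  = $_.Direction            # Inbound, Outbound or BiDirectional
            TrustType  = $_.TrustType            # Uplevel for AD-to-AD trusts
            TwoWay     = ($_.Direction -eq 'BiDirectional')
            Transitive = $transitive
            Note       = if ($transitive) { 'NTLM can traverse this hop' }
                         else { 'external trust: non-transitive' }
        }
    }
}

function Test-DomainChannels {
    param([string[]]$Domains = @('COMPANY.COM', 'EXTRA.COM'))   # placeholders

    # nltest shows the trust list the local DC knows about and verifies the
    # secure channel this machine uses to reach each domain.
    & nltest /domain_trusts /all_trusts
    foreach ($d in $Domains) {
        & nltest /sc_query:$d
    }
}

function Get-NtlmLogonsByDomain {
    param([int]$MaxEvents = 2000)

    # Event 4624 on the IIS host records each successful logon. LogonType 3 is
    # a network logon; AuthenticationPackageName separates NTLM from Kerberos
    # and LmPackageName tells NTLM V1 from NTLM V2.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data.LogonType -eq '3' -and $data.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Domain  = $data.TargetDomainName
                    User    = $data.TargetUserName
                    Version = $data.LmPackageName
                    Client  = $data.IpAddress
                }
            }
        } |
        Group-Object Domain, Version |
        Select-Object @{ Name = 'Domain/Version'; Expression = { $_.Name } }, Count
}

# Usage: run on the IIS host (or any member of COMPANY.COM with RSAT).
Get-TrustPathSummary | Format-Table -AutoSize
Test-DomainChannels
Get-NtlmLogonsByDomain | Format-Table -AutoSize
```

Because A, B, C and D are child domains of COMPANY.COM, the first function should show them behind intra-forest (transitive) trusts, which is the path the answer relies on; the EXTRA.COM trust only matters for EXTRA.COM's own users. Keep in mind that IIS Negotiate prefers Kerberos when the browser can obtain a ticket, so an empty NTLM table does not by itself mean authentication failed; check the Kerberos 4624 entries as well before concluding anything.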