APM Question: Is Multiple-Domain NTLM authentication possible for one URL domain?
We currently have an access profile setup to have a user select their domain from a dropdown menu on the login page. We are also using SSO Across Authentication Domains on the access profile and for each Authentication domain it has you to specify an SSO configuration. We would like users from Domain1 to be able to use authentication domain "domain.sso.com" as well as have users in Domain2 to be able to use it as well. However we cannot seem to find a way to switch the SSO configurations. We were looking through the "Leveraging BIG-IP APM for seamless client NTLM Authentication" post but that guide is for domain-joined PCs and our scenario is for non-domain-joined PCs for external access. Any suggestions?
Authentication domain example
VPE example:
I'm pretty sure it's not possible to detect the domain prior to using ECA when using NTLM passthough. When ECA is utilized, it must be turned on with a specific ECA profile that's already connected to a specific already-established SCHANNEL connection.
However, I think it's possible to establish a trust relationship so that one DC can use its own SCHANNEL connection to a different domain's DC to use passthrough authentication. This MSDN blog article talks a bit about it:
Microsoft would probably be able to help in this situation if you aren't sure how to set up the trust. The important thing to understand is that APM uses NTLM passthrough authentication via SCHANNEL from the (configured in APM) NTLM Authentication Profile.
One other thing: When using NTLM Passthrough, APM does not have access to the user's password (this is a limitation of the encryption used in the NTLM protocol), so SSO types that rely on it won't function correctly.