Forum Discussion

GerarCR_176810
Nimbostratus
Feb 20, 2018

AD query for a user from a trusted domain (forest trust)

Hi!

Been trying to solve this for a while, but can't find how to do this... I have seen similar questions on the forum without response, maybe this time is the one!

I have two domains, domain A and domain B. Domain A is configured to trust domain B. Also, users from domain B belong to some AD groups on domain A.

I have set up an access policy where users from domain A authenticate against domain A, and users from domain B authenticate against domain B (two different AAA servers). This is working fine.

My question is: How can I check the group membership of domain A groups for a user from domain B?

I need to make a query to domain A asking for the "memberOf" attribute of a trusted user which is originally from domain B. If I try to do this, the AD Query does not find the user, as the CN, sAMAccountName, SID, and GUID for the domain B user are not the same in domain A.

 

Any ideas on how to achieve this?

Regards,

Gerar


2 Replies

  • By default the AD query item is configured with the default filter search "sAMAccountName=%{session.logon.last.username}".

    If the username variable used to authenticate on the domainB directory can't be used for the AD query in the domainA directory (because the username is set with the value "domainB/username", for example), then the solution is:

    1. Create a Variable Assign item before the AD query to set a new variable (e.g. session.custom.username) with some TCL code to parse the origin username.

    2. Update the search filter in the AD query item to use this new variable ("sAMAccountName=%{session.custom.username}", for example).

    Hope that helps.
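As an added illustration (not code from the reply or from F5), here is the parsing step modelled in Python: it strips a "DOMAIN\", "domain/" prefix or "@upn-suffix" from the logon name before it is substituted into the AD Query filter, and escapes the result per RFC 4515 so a logon value can never change the filter's structure. The sample logon strings and the function names are constructed; in the access policy itself the same stripping would be a Tcl custom expression in the Variable Assign item, with the AD Query filter then reading `sAMAccountName=%{session.custom.username}`.

```python
# Constructed sample values as they might appear in
# session.logon.last.username for a domain B user (hypothetical).
SAMPLE_LOGONS = [
    "DOMAINB\\jdoe",          # down-level logon name
    "domainB/jdoe",           # the form mentioned in the reply
    "jdoe@domainb.example",   # UPN form, hypothetical suffix
    "jdoe",                   # already bare
]


def bare_username(logon: str) -> str:
    """Reduce a logon name to the bare sAMAccountName.

    Mirrors what the Variable Assign Tcl step would do before the AD Query
    item runs: drop anything up to the last '\\' or '/', then anything
    from the first '@' onward.
    """
    name = logon.strip()
    for sep in ("\\", "/"):
        if sep in name:
            name = name.rsplit(sep, 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    '*', '(', ')', '\\' and NUL are replaced by '\\xx' hex escapes so a
    crafted logon name cannot widen or restructure the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def ad_query_filter(logon: str, attr: str = "sAMAccountName") -> str:
    """Build the filter the AD Query item would send to domain A."""
    return "(%s=%s)" % (attr, ldap_escape(bare_username(logon)))


if __name__ == "__main__":
    for logon in SAMPLE_LOGONS:
        print("%-24s -> %s" % (logon, ad_query_filter(logon)))
```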