Multi Domain Forests with AD Trust Configuration

PAM can integrate with multiple domains by taking advantage of existing AD trusts, in order to provide login and authentication services for the application.

This means a single AD integration point will allow multi-domain logins using existing trusts within Active Directory.

Default PAM deployments are configured for ease of use, for both administrators and users.

For this reason, a new deployment starts with a single-domain configuration that uses sAMAccountName logins (user).


However, larger or more complex AD structures exist, including multi-domain forests joined by AD trusts.

To support these configurations, PAM can be configured to identify users from these domains by their UserPrincipalName (user@company.com) instead of the short sAMAccountName.

If you have not integrated PAM with AD yet, please review our AD Integration article first.

Integration for UPN Accounts

To configure integration for UPN Accounts:

  1. Log in to your PAM host server. We will be editing a configuration file, so make sure your account has permission to update files on this host.
  2. First, open the file $PAM_HOME/web/conf/catalina.properties in a text editor.
  3. Within the catalina.properties file, find the two properties whose values reference sAMAccountName and change the attribute name in each to UserPrincipalName. Only the attribute name changes; the {user} placeholder stays as it is.
  4. Before:

    ldap.authn.searchFilter=sAMAccountName={user}
    cas.authn.ldap[1].userFilter=(sAMAccountName={user})

    After:

    ldap.authn.searchFilter=UserPrincipalName={user}
    cas.authn.ldap[1].userFilter=(UserPrincipalName={user})

  5. Also within this catalina.properties file, search for the parameter cas.authn.ldap[1].dnFormat and update it as illustrated below. This property builds the identity used to bind to AD from what the user typed: %s@yourDomain.com appends one fixed domain to a sAMAccountName login (user becomes user@yourDomain.com), which can only ever work for that single domain. With UPN logins the user already enters user@company.com, so %s passes it through unchanged and accounts from any trusted domain bind with their own UPN.

    Before:

    cas.authn.ldap[1].dnFormat=%s@yourDomain.com

    After:

    cas.authn.ldap[1].dnFormat=%s
  6. After all three properties are updated, save and close the file.

  7. Finally, restart the PamManagement (Windows) or pammanager (Linux) service so the new settings take effect.
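The three property edits in steps 3 to 5, scripted as an added example for the Linux host (this is not code from the PAM documentation). It backs up catalina.properties, rewrites only the three properties named above while preserving the file's ownership and mode, and verifies the result before you restart the service. The sample properties content is constructed from the Before blocks so the script can be exercised offline; the backup suffix is this example's own convention, and $PAM_HOME is assumed to be set as the article uses it.

```sh
#!/bin/sh
# Added example, not part of the PAM documentation: switch a PAM
# catalina.properties from sAMAccountName to UserPrincipalName logins.
# Assumes the file contains the three properties exactly as the article shows.
set -eu

# Constructed sample: the "before" lines from the article plus one unrelated
# line, so the functions below can be tested without a real PAM install.
make_sample_props() {
  cat > "$1" <<'EOF'
# other settings are left untouched
ldap.authn.searchFilter=sAMAccountName={user}
cas.authn.ldap[1].userFilter=(sAMAccountName={user})
cas.authn.ldap[1].dnFormat=%s@yourDomain.com
EOF
}

# Steps 3-5: swap the attribute name in the two filters and drop the fixed
# domain suffix from dnFormat. A timestamped backup (this script's own naming)
# is written first, and the edited content is copied back over the original
# so the service account keeps the same file owner and permissions.
switch_to_upn() {
  props="$1"
  cp -p "$props" "$props.bak.$(date +%Y%m%d%H%M%S)"
  sed \
    -e 's/^\(ldap\.authn\.searchFilter=\)sAMAccountName=/\1UserPrincipalName=/' \
    -e 's/^\(cas\.authn\.ldap\[1\]\.userFilter=(\)sAMAccountName=/\1UserPrincipalName=/' \
    -e 's/^\(cas\.authn\.ldap\[1\]\.dnFormat=\)%s@.*$/\1%s/' \
    "$props" > "$props.tmp"
  cat "$props.tmp" > "$props"
  rm -f "$props.tmp"
}

# Post-change check: the three properties must read exactly as the "after"
# blocks in the article, and nothing may still reference sAMAccountName.
# Returns 0 when the file is ready for the service restart.
verify_upn_config() {
  props="$1"
  grep -qxF 'ldap.authn.searchFilter=UserPrincipalName={user}' "$props" &&
  grep -qxF 'cas.authn.ldap[1].userFilter=(UserPrincipalName={user})' "$props" &&
  grep -qxF 'cas.authn.ldap[1].dnFormat=%s' "$props" &&
  ! grep -q 'sAMAccountName' "$props"
}

# Stand-alone run. With --demo it works on the constructed sample; otherwise it
# edits the real file under $PAM_HOME, which must be set in the environment.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  make_sample_props "$f"
  switch_to_upn "$f"
  verify_upn_config "$f" && echo "sample verified: UPN configuration in place"
  rm -f "$f" "$f".bak.*
elif [ "${1:-}" = "--apply" ]; then
  f="$PAM_HOME/web/conf/catalina.properties"
  switch_to_upn "$f"
  verify_upn_config "$f" && echo "verified: now restart the pammanager service"
fi
```

Run it with --demo first to see the rewrite on the constructed sample, then with --apply on the PAM host. The verification deliberately checks the exact property values rather than just the absence of sAMAccountName, so a partially edited file (for example dnFormat left at %s@yourDomain.com) is reported before the service is restarted.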

If you have already granted permissions in PAM to accounts identified by their sAMAccountName, those logins will stop working after these changes, because PAM now identifies each user by UPN and treats it as a different principal. Permissions will need to be set up again using the UPN (user@company.com) rather than the previously used sAMAccountName (user).

In multi-domain cases we recommend architecting the PAM deployment to use UserPrincipalName (UPN) as the primary user ID. This way, one user can log in as user@domainA.com, another as user@domainB.com, and a local user as user. Duo should be configured accordingly, keeping in mind that user@domainA.com, user@domainB.com and user from the local directory will in general be three completely different users, even though they share the same short name.