I have 2 domains in Active Directory: domain A and domain B. There is a bidirectional trust set up between those domains. Domain A has a user A, domain B has a user B. Additionally, domain A has a domain local security group called group A. User B is a member of group A.
What I want to achieve is to authenticate both users in domain A. So far I have had no problems authenticating user A in domain A and user B in domain B. Now I need to authenticate user B in domain A.
Is this doable with a Java/Spring tech stack? My first try was with ActiveDirectoryLdapAuthenticationProvider from Spring Security, but then I found that it uses a simple LDAP bind request, so I guess this is not doable with this provider.
Next I tried to use Kerberos (the Spring Security Kerberos module), but again: I can authenticate user A in domain A and user B in domain B. No success when trying to authenticate user B in domain A. When I read some topics regarding cross-realm authentication in Kerberos, I see solutions with two realms (each with its own KDC specified). This works in a way where user B is authenticated in domain B, which I want to avoid.
My krb5.conf:
[libdefaults]
default_realm = DOMAIN-A.COM
default_tkt_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN-A.COM = {
kdc = domain-a.com
admin_server = domain-a.com
}
[domain_realm]
.domain-a.com = DOMAIN-A.COM
domain-a.com = DOMAIN-A.COM
Is there any way I can configure Kerberos (or maybe configure Active Directory or the KDC) to make this happen?
Or some completely different approach to this problem? Something other than Kerberos?
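As an added example (not from the original post), here is a krb5.conf that declares both realms of the trust so the Kerberos library can follow the cross-realm path from DOMAIN-B.COM to a service in DOMAIN-A.COM. In cross-realm Kerberos the user's password is always verified by the home realm's KDC; what this configuration changes is that the ticket user B ends up with is one a service principal in domain A will accept. The KDC hostnames and the AES-only encryption types are assumptions, not values from the post.

```ini
# Added example, not the original poster's file. Hostnames are placeholders.
[libdefaults]
    default_realm = DOMAIN-A.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    # Offer only AES. The DES and RC4 types in the original list are weak.
    # Caveat: an AD forest trust that has not been enabled for AES issues
    # RC4 cross-realm tickets, in which case rc4-hmac must stay in the list.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

# Both realms must be known so that userB@DOMAIN-B.COM can get a TGT from
# its own KDC and then a cross-realm TGT for DOMAIN-A.COM.
[realms]
    DOMAIN-A.COM = {
        kdc = domain-a.com          # placeholder: domain controller of A
        admin_server = domain-a.com
    }
    DOMAIN-B.COM = {
        kdc = domain-b.com          # placeholder: domain controller of B
        admin_server = domain-b.com
    }

# Map hostnames of services in each domain to the realm that owns them,
# so a service ticket for a host in domain A is requested from realm A.
[domain_realm]
    .domain-a.com = DOMAIN-A.COM
    domain-a.com  = DOMAIN-A.COM
    .domain-b.com = DOMAIN-B.COM
    domain-b.com  = DOMAIN-B.COM

# With a direct bidirectional trust no intermediate realm is needed;
# "." tells the library the path is direct.
[capaths]
    DOMAIN-B.COM = {
        DOMAIN-A.COM = .
    }
    DOMAIN-A.COM = {
        DOMAIN-B.COM = .
    }
```

With this file selected through `-Djava.security.krb5.conf`, user B logs in as `userB@DOMAIN-B.COM` and the Spring service registered in DOMAIN-A.COM validates the presented ticket against its own keytab, so domain A never sees user B's password.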