Cross-domain authentication using SPNEGO
Consider this scenario.
There are 2 domains (forests), Domain A and Domain B.
SAP users are located in Domain A, while AS-JAVA server is located in Domain B.
There is a One Way Forest Trust (OWFT) between Domain A and Domain B, in which Domain A is the trusted domain, while Domain B is the trusting domain.
AS-JAVA is using Active Directory (Domain B) as the UME data source.
We run ‘setspn’ in Domain B for the AS-JAVA resource.
We create the Kerberos Realm in AS-JAVA for Domain B.
Would this SSO configuration work?
In this scenario, what would be the KPN (principal@REALM) of the user? Is it principal@DomainA or principal@DomainB?
Another side question I have:
When configuring SPNEGO authentication, is there a step where we need to connect from AS-JAVA to the LDAP (AD) server?
Can this connection be secured using LDAPS on port 636/tcp?
Thanks in advance.