...
In addition to the trust relationships, there are also some requirements for your network infrastructure.
To understand this better, let us consider an example:
Cross-domain authentication example:
First, the facts:
| Windows user | janedoe@EXAMPLE.LOCAL |
| JIRA running at | jira.company.com |
| JIRA's Service Principal Name | HTTP/jira.company.com |
| JIRA's service account | svc-jira-sso@HQ.COM |
| Domain trust | EXAMPLE.LOCAL <=> HQ.COM |
...
The service principal name HTTP/jira.company.com is mapped to the service account svc-jira-sso@HQ.COM. EXAMPLE.LOCAL and HQ.COM are domains in the same forest, having a domain trust relationship with each other.
When Jane attempts to access JIRA, the following happens:
...
For this to work, all users in EXAMPLE.LOCAL must have network access to request tickets from the HQ.COM domain's domain controllers. If a firewall prevents this, Kerberos authentication will fail.
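One way to verify this requirement from a workstation in EXAMPLE.LOCAL is sketched below. This is an added example, not part of the Kantega SSO documentation. `Test-KdcReachability` is a hypothetical helper name, and the script assumes that the HQ.COM domain controllers are published under the `_kerberos._tcp` DNS SRV record and accept Kerberos over TCP port 88.

```powershell
# Added example: check that this client can reach the KDCs of the domain
# that holds the service account (HQ.COM in the example above).
# Test-KdcReachability is a hypothetical helper name, not a built-in cmdlet.
function Test-KdcReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Domain,      # domain owning the service account, e.g. 'HQ.COM'
        [int]$Port = 88       # Kerberos KDC port
    )

    # Domain controllers register their KDC under _kerberos._tcp.<domain>.
    $srvName = "_kerberos._tcp.$Domain"
    try {
        $kdcs = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget -Unique
    }
    catch {
        # A failed lookup is itself a finding: the client cannot locate
        # any KDC for the other domain, so it cannot request a ticket there.
        Write-Warning "Cannot resolve $srvName : $($_.Exception.Message)"
        return
    }

    foreach ($kdc in $kdcs) {
        # TCP connect test only; it does not prove that a ticket is issued.
        $result = Test-NetConnection -ComputerName $kdc -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Domain    = $Domain
            Kdc       = $kdc
            Port      = $Port
            Reachable = $result.TcpTestSucceeded
        }
    }
}

# Run as a user in EXAMPLE.LOCAL. Any row with Reachable = False points at a
# firewall or routing rule between the client network and that controller.
Test-KdcReachability -Domain 'HQ.COM' | Format-Table -AutoSize

# End-to-end check: ask Windows to request a service ticket for JIRA's SPN.
klist get HTTP/jira.company.com
```

If the connect test succeeds for every controller but `klist get` still fails, the cause is more likely the SPN mapping or the trust than the network path.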
...
If domains A and B are totally independent (no trust relationship exists, different companies, etc.), then you need to issue keytab files in each domain and then upload each file to Kantega SSO.
See Merge keytabs for details on how to set this up.