In our current configuration, we have 1 Primary instance and 1 replica in one AD Domain. We have 5 other Untrusted domains (Untrusted to any other domain). Our AM 8.3 configuration uses an Internal database for our users. Our Network Services group wants to use the same Primary/replica pair to authenticate the users over all 6 domains. Each user should have credentials in all of the domains with the same username but should have different passwords. Is this a configuration that can work? Does each set of credentials need to be added to the database? Does each user ID set need its own token, or can one token be used for all, since the IDs are identical with the exception of the domain? Communication to the other domains requires that the path go through a Firewall.
Can someone let me know if this is something that can be done and, if so, is there any documentation for it?
Regards,
Michael McDonald
National Futures Association
(312) 781-1595
You only need one userid with a token. The RSA server sees 'userid' come in from anywhere, finds one 'userid' in the db, matches the tokencode, and the auth succeeds. If the userid comes to the RSA server with domain info attached (so it would appear to be a unique userid, one for each domain), the system can be configured to do domain name stripping, so user1@domain1, user1@domain2, user2@domain3 would really be three unique incoming userids, but if stripping off the domain part, it's all seen as user1.
Now the different password part... if you are using Windows password integration, we can only cache one captured Windows password per userid. So, if you expect Windows password integration to work across all domains, the user will be entering their Windows password each time they hop to a new domain, but not if they stay on the same domain. If all passwords are the same, Windows password integration would be more seamless.
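To make the two points in the reply concrete, here is an added example that is not RSA code and not part of the original thread. It models the behaviour the reply describes: one record per userid in a single database, domain-name stripping of the incoming login before lookup, and a Windows-password cache that holds one captured password per stripped userid. Assumptions: the stripping also handles the DOMAIN\user form (the reply only mentions user@domain); the tokencode routine is an HMAC-based time-step stand-in, not the SecurID algorithm; and the userids, seeds and passwords are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed record store: ONE record per userid, with no domain component.
# This models the single Internal database on the Primary/replica pair.
TOKEN_SEEDS = {
    "user1": b"constructed-seed-for-user1",
    "user2": b"constructed-seed-for-user2",
}


def strip_domain(login: str) -> str:
    """Normalize 'user1@domain1', 'DOMAIN1\\user1' or 'user1' to 'user1'.

    Models domain-name stripping: the domain part is discarded, so the same
    person arriving from any of the six domains maps to one userid.
    (Handling the backslash form is an assumption beyond the reply.)
    """
    login = login.strip()
    if "\\" in login:
        return login.rsplit("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def tokencode(seed: bytes, t: int, step: int = 60) -> str:
    """Stand-in time-based code: HMAC-SHA1 over the time step, 6 digits.

    This is NOT the SecurID algorithm; it only gives the example something
    deterministic to match against a per-userid seed.
    """
    counter = t // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


class AuthServer:
    """Minimal model of the server-side matching described in the reply."""

    def __init__(self, seeds):
        self.seeds = seeds
        # Windows password integration: one cached password per userid.
        self.win_pw_cache = {}

    def authenticate(self, login, code, now=None):
        """Return (stripped_userid, success).

        Whatever domain the login carries, the lookup is done on the
        stripped userid, so one token record serves all six domains.
        """
        now = int(time.time()) if now is None else now
        userid = strip_domain(login)
        seed = self.seeds.get(userid)
        if seed is None:
            return userid, False
        return userid, hmac.compare_digest(code, tokencode(seed, now))

    def windows_password_prompt_needed(self, login, domain_password):
        """Model of the one-cached-password-per-userid caveat.

        Returns True when the user would be prompted for the Windows
        password (the cached value does not match this domain's password)
        and refreshes the cache; returns False when the cached password
        already matches.
        """
        userid = strip_domain(login)
        if self.win_pw_cache.get(userid) == domain_password:
            return False
        self.win_pw_cache[userid] = domain_password
        return True


if __name__ == "__main__":
    srv = AuthServer(TOKEN_SEEDS)
    t = int(time.time())
    code = tokencode(TOKEN_SEEDS["user1"], t)
    # Same token record answers for every domain once the domain is stripped.
    for login in ("user1@domain1", "user1@domain5", "DOMAIN3\\user1"):
        print(login, "->", srv.authenticate(login, code, now=t))
    # Different per-domain passwords: each hop to a new domain re-prompts.
    for login, pw in (("user1@domain1", "pw-d1"), ("user1@domain2", "pw-d2"),
                      ("user1@domain2", "pw-d2"), ("user1@domain1", "pw-d1")):
        print(login, "prompt needed:", srv.windows_password_prompt_needed(login, pw))
```

Running the script shows the two behaviours side by side: every domain variant of user1 authenticates against the single user1 record, while the password cache misses on each domain hop because only one password is held per userid. If the same password were used in all domains, the cache would hit after the first capture and the user would not be re-prompted.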