Multi Domain Forests with AD Trust Configuration
XTAM supports the ability to integrate with multiple domains, taking advantage of AD trusts, in order to provide login and authentication services for the application.
This means a single AD integration point will allow multi-domain logins using existing trusts within Active Directory.
Default XTAM deployments are configured for both administration and user ease of use. For this purpose, it starts with using single domain configuration using sAMAccountName logins (user).
However, larger or more complex AD structures exist including multi-domain forests with AD trusts.
In order to support these configuration, XTAM can be configured to support these domains using UserPrincipalNames (email@example.com).
If you have not integrated with AD yet, please first review our AD Integration article first.
Integration for UPN Accounts
To configure integration for UPN Accounts:
- Login to your XTAM host server. We will need to modify two files, so make sure you have permissions on this host server to update files.
- First, open the file <XTAM_HOME>/web/conf/catalina.properties in a text editor.
- Within this catalina file, search for and replace the 2 references and their values to sAMAccountName with UserPrincipalName
Also within this catalina file, search for and update this parameter cas.authn.ldap.dnFormat as illustrated below:
After both are replaced, save and close the file.
Finally, restart the PamManagement (Windows) or pammanger (Linux) service.
If you have already granted Permissions in XTAM using sAMAccountName, those logins will no longer work after these changes have been made. Permissions will need to be setup again using the UPN (firstname.lastname@example.org) rather than the previously used sAMAccountName (user).