On Thu, 13 Aug 2020, Hannes Eberhardt via FreeIPA-users wrote:
Thanks for your fast reply.
I didn't know that I must not use the root domain under the domain
realms. Thanks for the hint and the reference. We configured the trust
again, now with all relevant subdomains and SSO is now working.
I noticed only one thing after login: It seems that the GSSAPI
Credential Delegation is still not working. I would assume to have a
valid ticket from the example.int domain after login. As for now I have
to manually do a kinit and it prompts me for the AD user password.
After that I have a valid ticket.
Is this problem still related to some suffix routing problem or is this
a new separate issue?
It is a separate issue and is under control of AD DCs. Microsoft changed
defaults to disable delegation over forest trust in July 2019.
See thread
https://lists.fedorahosted.org/archives/list/[email protected]/thread/5SJUAH752PW2D3OYEWMQLHDUDP2L4CW2/#RJ4KS4E4NSXFYVGK53JVCTCGLOPI24XW
for more details.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland