Specifying a Domain for Pass-Through Authentication
In a default configuration, pass-through authentication is accomplished by sending the user ID and password only. These two attributes are configured in the AuthnProperties element in the resource object’s XML as w2k_user and w2k_password. Without a domain specification, the connector server searches all known domains and tries to authenticate the user in the domain that contains the user.
In a trusted multi-domain environment, there can be two possible situations:
-
All domains contain a synchronized user/password combination
-
The user/password combination is domain dependent.
When the user/password combination is synchronized, configure your Active Directory resources so that they are common resources. See Business Administrator's Guide for more information about setting up common resources.
In an environment with multiple trusted domains and Active Directory forests, the authentication can fail using any of these configurations because the Global Catalog does not contain cross-forest information. If a user supplies a wrong password, it could also lead to account lockout in the user’s domain if the number of domains is greater than the lockout threshold.
Login failures will occur in domains if the user exists in the domain and the password is not synchronized.
It is not possible to use multiple data sources for the domain information in one Login Module Group.
- © 2010, Oracle Corporation and/or its affiliates