Authenticating To A Large Forest

When authenticating to a large forest spanning tens/hundreds of domains, there could be some issues with authenticating users. Some LDAP queries may take too long for the LoadMaster, or there could be a referral sent back to the LoadMaster that must be chased which can cause complexity as well. To get around this issue, there is the option of configuring a Global Catalog (GC) query instead of a standard LDAP query for authentication. Every Global Catalog server has cached entries of every single Active Directory (AD) object in the entire forest, so querying the GC should be a sufficient method of authentication for all users in the forest.

To set this up, you must specify the port for GC queries inside of the Client Side Single Sign On (SSO) Configuration. The port you must specify is 3268. Your LDAP servers should be specified by ip:port, so it would look something like This will do a standard LDAP query but it will query the GC cache instead. LDAP requests will be answered much quicker as well. Below is an example of how this is configured on the LoadMaster:

Virtual Services > Manage SSO > Modify (on a Client Side Single Sign On Configuration)



Was this article helpful?

0 out of 0 found this helpful