ActiveSync Client SSL Cert Authentication with multiple domains


We have multiple domains that use the following structure:

  •               UPN                             LOGON parent\username
  •     UPN                             LOGON child1\username
  •     UPN                             LOGON child2\username
  •     UPN     LOGON child3\username

Just to complicate matters the UPN suffix and the logon domain are not the same (it's a historic thing.....)

I am trying to configure the Kemp to publish ActiveSync using Client SSL certificate authentication. We already have this working using a TMG but we need to move to a Kemp based solution.

The TMG solution didn't need to know about the various child domains and was relatively easy to configure. The TMG handles the Client SSL Cert and talks to AD using Kerberos to authenticate the user.

I am struggling to determine how I can replicate this using the Kemp? I have tried following the Kemp Kerberos Constrained Delegation guide but I'm not sure if I need to configure each child domain as a separate SSO domain ?

Any ideas ?



1 comment

Mark Deegan

Hi Phil,

As we use MIT kerberos we can only verify identity in one domain level unlike microsoft kerberos. We would need to have a domain specified for each domain level you need authentication on I am afraid.