Active Directory Network Topologies
The network topologies of Active Directory to federate with this service through Integrated Windows Authentication are as follows.
- Single forest, single domain
- Single forest, multiple domains
- Multiple forests, multiple domains*1
*1 SPNEGO authentication may be unavailable under some conditions.
Single forest, single domain
Example of a single forest and single domain
Requirements on Active Directory
None
Example of registration in IIJ ID Service
Register Active Directory information with reference to the following example.Refer to “Registering Active Directory for Synchronization with On-premise Active Directory Servers” for more information on how to register Active Directory.
| Option | Example Value | |
|---|---|---|
| Basic Settings | Display name | (Arbitrary) |
| AD domain | example.com | |
| Domain controller IP addresses | 192.0.2.1 | |
Single forest, multiple domains
Example of a single forest and multiple domains
Requirements on Active Directory
None
Example of registration in IIJ ID Service
Register Active Directory information with reference to the following example.Refer to “Registering Active Directory for Synchronization with On-premise Active Directory Servers” for more information on how to register Active Directory.
| Option | Example Value | Comments | |
|---|---|---|---|
| Basic Settings | Display name | (Arbitrary) | |
| AD domain | example.com | The AD domain registered in basic settings is the default domain. The domain registered in basic settings can be omitted when any of the domain user names is entered for form authentication. | |
| Domain controller IP addresses | 192.0.2.1 | ||
| Multi-forest/Multi-domain Settings | AD domain | example2.com | |
| Domain controller IP addresses | 192.0.2.2 | ||
Multiple forests, multiple domains
[ Reference ]
If a user’s device is a member of a domain in a forest that is not registered as a default Active Directory, only form authentication is available.In that condition, SPNEGO authentication is unavailable.
Example of multiple forests and multiple domains in a two-way trust relationship
Example of multiple forests and multiple domains in a one-way trust relationship
Requirements on Active Directory
To form a federation with an Active Directory with multiple forests, that Active Directory must meet the following conditions:
- There is a one-way or two-way trust relationship between the forests.
- A one-way trust relationship must be formed from the Active Directory registered as default to other forests.
- Name suffix routing must be enabled.
Example of registration in IIJ ID Service
Register Active Directory information with reference to the following example.Refer to “Registering Active Directory for Synchronization with On-premise Active Directory Servers” for more information on how to register Active Directory.
Only form authentication is available for Windows PCs belonging to a domain in a forest that is not the forest that contains the domain registered in basic settings (e.g., example3.com in the diagram).
| Option | Example Value | Comments | |
|---|---|---|---|
| Basic Settings | Display name | (Arbitrary) | |
| AD domain | example.com | The AD domain registered in basic settings is the default domain. | |
| Domain controller IP addresses | 192.0.2.1 | ||
| Multi-forest/Multi-domain Settings | AD domain | example2.com | |
| Domain controller IP addresses | 192.0.2.2 | ||
| AD domain | example3.com | ||
| Domain controller IP addresses | 192.0.2.3 |