Active Directory Network Topologies

The following Active Directory network topologies can be federated with this service through Integrated Windows Authentication.

  • Single forest, single domain
  • Single forest, multiple domains
  • Multiple forests, multiple domains *1
    *1 SPNEGO authentication may be unavailable under some conditions.

Single forest, single domain

Example of a single forest and single domain

Requirements on Active Directory

None

Example of registration in IIJ ID Service

Register the Active Directory information with reference to the following example. Refer to “Registering Active Directory for Synchronization with On-premise Active Directory Servers” for more information on how to register Active Directory.

Option                                                            Example Value
Basic Settings                    Display name                    (Arbitrary)
                                  AD domain                       example.com
                                  Domain controller IP addresses  192.0.2.1
Single forest, multiple domains

Example of a single forest and multiple domains

Requirements on Active Directory

None

Example of registration in IIJ ID Service

Register the Active Directory information with reference to the following example. Refer to “Registering Active Directory for Synchronization with On-premise Active Directory Servers” for more information on how to register Active Directory.

Option                                                              Example Value
Basic Settings                      Display name                    (Arbitrary)
                                    AD domain                       example.com
                                        Comments: The AD domain registered in basic settings is the default domain. When a user name of any domain is entered for form authentication, the domain registered in basic settings can be omitted.
                                    Domain controller IP addresses  192.0.2.1
Multi-forest/Multi-domain Settings  AD domain                       example2.com
                                    Domain controller IP addresses  192.0.2.2

Multiple forests, multiple domains

[ Reference ]

If a user’s device is a member of a domain in a forest that is not registered as the default Active Directory, only form authentication is available. In that condition, SPNEGO authentication is unavailable.

Example of multiple forests and multiple domains in a two-way trust relationship

Example of multiple forests and multiple domains in a one-way trust relationship

Requirements on Active Directory

To federate with an Active Directory environment that spans multiple forests, that environment must meet the following conditions:

  • There is a one-way or two-way trust relationship between the forests.
    • A one-way trust relationship must be formed from the Active Directory registered as default to other forests.
  • Name suffix routing must be enabled.
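
The following PowerShell script is an added example for checking these two conditions from the forest registered as default; it is not part of the IIJ ID Service documentation. It assumes the ActiveDirectory RSAT module and netdom.exe are available on the machine it runs on, uses the page's example forest names (example.com as the default forest, example2.com and example3.com as the other forests), and assumes that the netdom query issued from the default forest's side is the right view of the name suffix routing for a one-way trust formed from the default forest.

```powershell
# Added example, not IIJ ID Service code. Run on a domain-joined admin host or
# domain controller in the forest that holds the domain registered in Basic
# Settings (example.com in the page's example). Requires the ActiveDirectory
# RSAT module and netdom.exe. Forest names are the page's example values.
Import-Module ActiveDirectory

$defaultForest = 'example.com'                       # forest of the default (Basic Settings) domain
$otherForests  = @('example2.com', 'example3.com')   # forests listed under Multi-forest/Multi-domain Settings

foreach ($forest in $otherForests) {
    # Each trust partner is represented by one trustedDomain object in the
    # default forest's root domain; query that domain explicitly.
    $trust = Get-ADTrust -Filter "Target -eq '$forest'" -Server $defaultForest -ErrorAction SilentlyContinue
    if (-not $trust) {
        Write-Warning "$forest : no trust found in $defaultForest - a one-way or two-way forest trust is required."
        continue
    }

    # Direction is reported relative to $defaultForest (BiDirectional, Inbound or
    # Outbound). The page accepts a two-way trust, or a one-way trust formed from
    # the default forest to the other forest; compare the reported direction
    # against that requirement.
    "{0}: direction={1} forestTransitive={2}" -f $forest, $trust.Direction, $trust.ForestTransitive

    if (-not $trust.ForestTransitive) {
        Write-Warning "$forest : this is not a forest trust, so name suffix routing cannot be enabled for it."
    }

    # List the routing status of each name suffix for this trust, as seen from
    # the default (trusting) forest, and flag suffixes that are not routed.
    $routing = & netdom trust $defaultForest /domain:$forest /namesuffixes:$forest 2>&1
    $routing
    $notRouted = $routing | Where-Object { $_ -match 'Disabled|Conflict' }
    if ($notRouted) {
        Write-Warning "$forest : name suffix routing is not enabled for every suffix:`n$($notRouted -join "`n")"
    }
}
```

A forest whose trust object is missing, whose trust is not a forest trust, or whose netdom listing shows Disabled or Conflict suffixes does not meet the conditions above, and users signing in from devices in that forest should be expected to fall back to form authentication as described in the reference note for this topology.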


Example of registration in IIJ ID Service

Register the Active Directory information with reference to the following example. Refer to “Registering Active Directory for Synchronization with On-premise Active Directory Servers” for more information on how to register Active Directory.

Only form authentication is available for Windows PCs belonging to a domain in a forest other than the forest that contains the domain registered in basic settings (e.g., example3.com in the diagram).

Option                                                              Example Value
Basic Settings                      Display name                    (Arbitrary)
                                    AD domain                       example.com
                                        Comments: The AD domain registered in basic settings is the default domain. When a user name of any domain is entered for form authentication, the domain registered in basic settings can be omitted.
                                    Domain controller IP addresses  192.0.2.1
Multi-forest/Multi-domain Settings  AD domain                       example2.com
                                    Domain controller IP addresses  192.0.2.2
                                    AD domain                       example3.com
                                    Domain controller IP addresses  192.0.2.3