Active Directory authentication for multi domain users

Hello

Currently, all our users are in one Active Directory domain and can successfully authenticate to TeamCity using AD. The relevant sections in ldap-config.properties are as follows:

java.naming.provider.url=ldap://rootdc.domain.local:389/DC=domain,DC=local

teamcity.auth.formatDN=DOMAIN\\$login$

We will shortly be moving users to two new child domains, and need to ensure the users can still log in with their existing accounts after they have moved.

How would I set up the configuration in ldap-config.properties to authenticate against different child DCs?

I've tried putting the child DC entries after the root DC entries, like so:

java.naming.provider.url=ldap://rootdc.domain.local:389/DC=domain,DC=local ldap://childdc.childdomain.domain.local:389/DC=domain,DC=local

teamcity.auth.formatDN=DOMAIN\\$login$ CHILDDOMAIN\\$login$

But I am unable to log in. The teamcity-server.log file says the following:

INFO -     jetbrains.buildServer.LDAP - Failed to login user 'username' due to authentication error. Cause: Invalid credentials ([LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
INFO -   jetbrains.buildServer.SERVER - Login for user abdul.muthana failed: Failed to login user 'username' due to authentication error: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I have removed the root domain sections from the above lines, leaving only the child domain sections, but only users in the child domain can log in, not users in the root domain.

Does anybody have a solution to allow users in more than one AD domain to log in?

Many thanks

Abdul
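The teamcity-server.log lines quoted in the post carry more than the generic LDAP result code 49: the "data 52e" field is the Active Directory sub-code that says why the bind was rejected. The helper below is an added example, not code from the post or from TeamCity; it extracts that sub-code from log lines in the format shown and maps it using Microsoft's documented AcceptSecurityContext codes, so failed AD binds can be triaged (wrong credentials vs. a locked, disabled or expired account) before touching ldap-config.properties. The sample log text is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the shape of the teamcity-server.log entries
# quoted in the post (user names and the third line are made up).
SAMPLE_LOG = """\
INFO - jetbrains.buildServer.LDAP - Failed to login user 'username' due to authentication error. Cause: Invalid credentials ([LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
INFO - jetbrains.buildServer.LDAP - Failed to login user 'svc.build' due to authentication error. Cause: Invalid credentials ([LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
INFO - jetbrains.buildServer.SERVER - Server started
"""

# Active Directory sub-codes that accompany LDAP result 49 (invalidCredentials)
# on a simple bind; these are Microsoft's documented AcceptSecurityContext codes.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad username or password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the TeamCity LDAP failure message and the embedded AD error string.
LDAP_ERR_RE = re.compile(
    r"Failed to login user '(?P<user>[^']+)'.*?"
    r"\[LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]+): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)

@dataclass
class LdapBindFailure:
    user: str
    result_code: int   # LDAP result code, 49 for invalidCredentials
    data_code: str     # AD sub-code from the "data" field, lower-cased
    reason: str        # human-readable meaning of the sub-code

def parse_line(line: str) -> Optional[LdapBindFailure]:
    """Return the bind failure described by one log line, or None if it has none."""
    m = LDAP_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return LdapBindFailure(m.group("user"), int(m.group("code")), data,
                           AD_BIND_SUBCODES.get(data, "unknown sub-code"))

def triage(log_text: str) -> List[LdapBindFailure]:
    """Collect every parsable bind failure from a block of log text."""
    return [f for f in (parse_line(l) for l in log_text.splitlines()) if f]
```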
