Enable cross-domain authentication using the global catalog

If your enterprise directory environment has multiple trusted domains where user accounts or directory groups are defined in different domains, connecting to the local domain does not locate the membership of the user in groups outside the domain.

When configuring multi-domain directories in HPE OneView, use the Active Directory Global Catalog to allow HPE OneView to perform group membership look-ups across domains.

Use the following steps to enable cross-domain authentication in HPE OneView using the Global Catalog:
NOTE:

This scenario assumes there are two trusted domains, region1 and region2. If the user in region1 belongs to a group in region2, Active Directory is configured as described in this procedure to enable user authentication.

Prerequisites

Privileges: Infrastructure administrator.

Procedure
  1. From the main menu, select Settings.
  2. Either click the Edit icon in the Security panel, or select Actions > Edit.
  3. On the Edit Security screen, under Directories, click Add Directory.
  4. Enter the data requested on the Add/Edit Directory screen.

    Define the directory configuration specifying the parent domain as the value for Base Distinguished Name (Base DN). For example, for trusted domains, region1.example.com and region2.example.com, specify the directory name as example, and the Base DN value as DC=example or DC=com.

  5. Click Add directory server.

    For Directory server port, enter the Global Catalog SSL port. The default port is 3269.

  6. When adding directory groups on the Users and Groups screen, specify the directory groups from either region1.example.com, or region2.example.com in the Add group screen.
  7. To verify cross-domain authentication, log in as user@domain or domain\user. For example, admin@example.com, region1\admin, or admin.