
Domain Authentication Problem

G3rman_
Occasional Contributor


After switching to the Infranet Controllers I see that some users don't send a domain name with their username. The ICs then try to authenticate against the Forest Root using Active Directory but the users are in a child domain and the login fails. Hardcoding a domain\username solves the problem but is for obvious reasons not practical.

Has anyone else come across this problem?

ManojReddy_
Contributor

Re: Domain Authentication Problem

Solution-1 (simple and straightforward): Use Kerberos SSO (this works only using OAC and if the end-point is joined to the domain):

If the users are logging into the IC (using OAC) from an end-point which is joined to the domain and the user is logged into the PC as a domain user:

  1. Configure the Forest root's domain controller as the AD Auth server in the IC, give the root domain's admin username and password in the auth server config, and enable the "Allow Trusted Domains" setting in the Auth server config on the IC.
  2. Configure your realm to use this AD Auth Server for authentication and make sure the 'Enable SSO' checkbox is checked under: Users -> User Realms -> your realm -> Authentication Policy -> SSO tab in the Admin UI. Note that "your realm" is the realm name that you are using for user authentication.
  3. Now log in to a computer (as a domain user) which is part of the domain (either root or child domain), start OAC, and click on the 'connect to infranet controller' checkbox.
    Now you will be logged into the IC as the same user who is logged into the domain computer. There is no need to mention any domain prefix for the username. Leave the username field as it is and set the password setting in the OAC profile to 'prompt for password'.

Solution-2 (not that easy, requires too much configuration):

Configure the domain controller of each child domain as a separate auth server in the IC, configure separate realms, one for each child domain, and make each realm use the respective child domain's domain controller as its auth server.

Please reply if this is not what you are looking for.