You can only configure a single NTLM realm in the WSA, but as long as there are trusts in your AD forest, users in other domains should still be able to authenticate correctly.
WSA is configured to join the domain "COMPANY". The COMPANY domain has two way trusts configure with the domain "SECONDARY".
When a user in the SECONDARY domain authenticates to the WSA, it will sends the appropriate credentials (SECONDARY\user1). The WSA will pass these credentials to the AD server we have joined (in the COMPANY domain).
Since the COMPANY AD server trusts the SECONDARY domain, it will contact the other domain controllers and authenticate the client.
You can authenticate to any number of domains as long as the AD server / domain we're joining has the trust setup and is able to authenticate other domain's users.
My understanding is that SSO will work with any of the domains that have 2 way trust setup. You will still have to setup the environment for SSO, such as setting the "Redirect Hostname" to a single word hostname.
You may have to add a trust variable in the Firefox browser.
I don't believe the trusts will have any effect on LDAP.
It's possible that one AD server may use an LDAP referral to query the appropriate AD server (for the other domain you are attempting to auth with), but I'm not sure that is how it works.
Any one else have concrete information? I'm curious as to why you would want to use LDAP with a multi domain environment. NTLM is better in every way (password from the client is secure, Kerberos between the WSA and DC, Single Sign On, Ease with authenticating to multiple domains, so forth.)
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...