Using cross-forest and cross-domain authentication for Mobile Enterprise Gateway (MEG)

Before users can access intranet resources, Mobile Enterprise Gateway (MEG) requires users to authenticate against corporate directory services. Mobile Enterprise Gateway (MEG) integrates with both Active Directory and LDAP servers for this type of user authentication.

About this task

To use Active Directory for user authentication, you configure the gateway with a service account that is a domain user in one particular domain. By default, the gateway authenticates only users who belong to that domain. If your environment spans multiple domains in one forest, or multiple forests, use the Mobile Enterprise Gateway (MEG) Active Directory authentication implementation described here to extend authentication across a multi-forest/multi-domain environment. The gateway relies on existing Active Directory trust relationships between those domains and forests; it does not create trusts itself.

For example, your Active Directory environment contains two forests and three domains that trust each other, as in the following structure:
[Image: Active Directory structure example]

When you enable user authentication for Active Directory, the default implementation authenticates users only within the context of the service account domain. To extend the authentication scope to all trusted forests and domains, you must manually add a registry key and values on the gateway, and supply a domain mapping file, as described in the following procedure. Because that mapping file defines which domains the gateway searches, it also controls which accounts can authenticate to the gateway: include only the domains you intend, and protect the file from modification like any other gateway configuration.

Procedure

  1. Open the Registry Editor (regedit.exe) on the Cloud Extender® server.
  2. In the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fiberlink\V360 key, create a string (REG_SZ) value: "ADD_REG_POLICY_GROUP"="UA_PLC"
    Note: If the ADD_REG_POLICY_GROUP value already exists, do not overwrite it. Append UA_PLC to the existing list, using a semicolon (;) as the separator.
  3. Create a key under the V360 key named UA_PLC, so that the full path is:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fiberlink\V360\UA_PLC
  4. Create two new string (REG_SZ) values under UA_PLC:
    "FQDNMapFilePath"="C:\ProgramData\MaaS360\Cloud Extender\AR\Data\FQDNMap.txt"
    "SearchAllForests"="Y"
    The FQDNMapFilePath value must point to the location to which you copy the mapping file in step 5.
    [Image: UA_PLC registry key]
  5. Create a mapping of all your trusted domains in a new text file called FQDNMap.txt by using any plain text editor.
    The mapping file contains one entry per line for each domain in the environment. Each entry has the form name=FQDN, with the short (NetBIOS) domain name or the FQDN to the left of the = (equals) sign and the FQDN to the right. For every domain, add both combinations: shortDomainName=FQDN and FQDN=FQDN.
    For example:
    domainA = domainA.rootDomain1.mycorp.com
    domainB = domainB.rootDomain1.mycorp.com
    domainC = domainC.rootDomain2.mycorp.com
    domainA.rootDomain1.mycorp.com = domainA.rootDomain1.mycorp.com
    domainB.rootDomain1.mycorp.com = domainB.rootDomain1.mycorp.com
    domainC.rootDomain2.mycorp.com = domainC.rootDomain2.mycorp.com

    Each line in the file must end with either a <CRLF> (DOS line ending convention) or a <LF> (UNIX line ending convention).

    1. Save the file as FQDNMap.txt.
    2. Copy FQDNMap.txt to the folder C:\ProgramData\MaaS360\Cloud Extender\AR\Data\.
  6. Restart the Cloud Extender service.
    Note: If you are running a gateway cluster in High Availability (HA) mode, follow these steps on all gateways that implement the User Authentication service.
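The following PowerShell script is an added example, not part of the IBM documentation or the Cloud Extender product, that carries out steps 2 through 6 of the procedure in one idempotent pass on a gateway: it appends UA_PLC to ADD_REG_POLICY_GROUP without duplicating or overwriting existing entries, creates the UA_PLC key and its two values, generates FQDNMap.txt with both shortName=FQDN and FQDN=FQDN lines using CRLF line endings, verifies what it wrote, and restarts the service. The domain names are constructed placeholders matching the example above, and the service name in $ServiceName is an assumption that you must confirm in services.msc before running it.

```powershell
# Added example (not IBM's own tooling): configure MEG multi-forest/multi-domain
# authentication on a Cloud Extender. Run in an elevated PowerShell session on
# every gateway that runs the User Authentication service (all nodes in HA mode).
#Requires -RunAsAdministrator

$V360Key     = 'HKLM:\SOFTWARE\Wow6432Node\Fiberlink\V360'
$UaPlcKey    = Join-Path $V360Key 'UA_PLC'
$DataDir     = 'C:\ProgramData\MaaS360\Cloud Extender\AR\Data'
$MapFile     = Join-Path $DataDir 'FQDNMap.txt'
$ServiceName = 'CloudExtender'   # ASSUMPTION: replace with the real Cloud Extender service name

# Constructed example data: short (NetBIOS) name => FQDN for every trusted domain.
# List only the domains whose users should be able to authenticate to the gateway.
$Domains = [ordered]@{
    'domainA' = 'domainA.rootDomain1.mycorp.com'
    'domainB' = 'domainB.rootDomain1.mycorp.com'
    'domainC' = 'domainC.rootDomain2.mycorp.com'
}

function Add-PolicyGroup {
    # Step 2: append UA_PLC to the semicolon-separated ADD_REG_POLICY_GROUP list.
    # Creates the value if missing; never drops or duplicates existing entries.
    param([string]$Key, [string]$Group = 'UA_PLC')
    $existing = (Get-ItemProperty -Path $Key -Name 'ADD_REG_POLICY_GROUP' -ErrorAction SilentlyContinue).ADD_REG_POLICY_GROUP
    $groups = @()
    if ($existing) { $groups = @($existing -split ';' | Where-Object { $_ -ne '' }) }
    if ($groups -notcontains $Group) { $groups += $Group }
    Set-ItemProperty -Path $Key -Name 'ADD_REG_POLICY_GROUP' -Value ($groups -join ';') -Type String
}

function New-FqdnMapContent {
    # Step 5: build the mapping lines. Both forms are required: short=FQDN and FQDN=FQDN.
    param([System.Collections.IDictionary]$Map)
    $lines = @()
    foreach ($short in $Map.Keys) { $lines += ('{0}={1}' -f $short, $Map[$short]) }
    foreach ($short in $Map.Keys) { $lines += ('{0}={1}' -f $Map[$short], $Map[$short]) }
    return $lines
}

if (-not (Test-Path $V360Key)) { throw "Registry key $V360Key not found; is the Cloud Extender installed?" }

# Steps 2-4: registry value, UA_PLC key, and its two REG_SZ values
Add-PolicyGroup -Key $V360Key
New-Item -Path $UaPlcKey -Force | Out-Null
Set-ItemProperty -Path $UaPlcKey -Name 'FQDNMapFilePath'  -Value $MapFile -Type String
Set-ItemProperty -Path $UaPlcKey -Name 'SearchAllForests' -Value 'Y'      -Type String

# Step 5: write FQDNMap.txt, one entry per line, CRLF terminated, ASCII with no BOM
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
$content = ((New-FqdnMapContent -Map $Domains) -join "`r`n") + "`r`n"
[System.IO.File]::WriteAllText($MapFile, $content, [System.Text.Encoding]::ASCII)

# Read everything back before touching the service so a typo fails here, not at logon time
$plc = Get-ItemProperty -Path $UaPlcKey
if ($plc.SearchAllForests -ne 'Y' -or $plc.FQDNMapFilePath -ne $MapFile) { throw 'UA_PLC values did not persist' }
if (@(Get-Content -Path $MapFile).Count -ne 2 * $Domains.Count) { throw 'FQDNMap.txt is incomplete' }
if ((Get-ItemProperty -Path $V360Key).ADD_REG_POLICY_GROUP -notmatch '(^|;)UA_PLC(;|$)') { throw 'UA_PLC not in ADD_REG_POLICY_GROUP' }

# Step 6: restart the Cloud Extender service so the new policy group is loaded
Restart-Service -Name $ServiceName -Force
```

The script writes the file with ASCII encoding deliberately, because domain names are ASCII and a UTF-8 byte-order mark at the start of the first line would corrupt the first short-name key. If you keep the mapping in source control or a configuration management tool, generate the file from the same $Domains table there so that every gateway in an HA cluster receives an identical list.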