Thanks for posting Wei.
To add additional context, we are utilizing multiple namespaces to authenticate users from the domain and also sub-domains - e.g. companyname.com and country.companyname.com. We are not spanning domain forests, nor are we utilizing SSO…just plain and simple CAM Mode 5 with AD, and native TM1 groups.
Prior to seeing this issue, I assumed that UX had the ability to authenticate against a user-selectable CAM Namespace, just like the other interfaces. If not, I would like to understand how best to proceed to minimize performance impacts.
As far as workarounds, we’ve tried a couple things:
Setup a single AD namespace pointing to the root domain controller. Utilize “chaseReferrals” so users in the child domains can login. Testing thus far has shown significant performance impacts at login. It can take up to a minute to authenticate users. Performance is as expected without chaseReferrals, but then we face the problem of users in sub-domains unable to login.
Setup multiple namespaces in CAM pointing to each domain controller within the domain and sub-domains. Duplicate the original webapp in UX, pointing to each namespace in the instances.json file. Performance is much better vs. option 1, but it is unnecessary overhead having multiple webapps and different links per user.
Long term we will move to Azure AD, but we’re not quite there yet.