
Hello,

I have installed ovirt-engine version 4.1.1.8 on CentOS Linux release 7.3.1611 and have configured authentication against Active Directory with the ovirt-engine-extension-aaa-ldap-setup version 1.3.1. I have also configured single-sign-on (SSO) via ovirt-engine-extension-aaa-misc version 1.0.1. We use MIT Kerberos in our organisation for Linux authentication.

After configuring appropriate System Permissions in the oVirt Engine web interface, end-users can successfully authenticate:

- without additional input if they have a valid Kerberos ticket-granting-ticket (TGT).
- by entering their Active Directory login and password in the oVirt log-in page if they do not have a valid TGT.

The problem is that oVirt sees the Active Directory and SSO log-ins as two distinct Authentication Domains. In more detail:

- ovirt.engine.extension.name = Kerberos in the authz.properties file for our SSO configuration. If a user authenticates via a Kerberos TGT, their user-name appears as username@our.ad.domain@Kerberos within oVirt engine.
- ovirt.engine.extension.name = LDAP in the authz.properties file for our Active Directory configuration. If a user authenticates by entering the relevant Active Directory login and password in the oVirt web-form log-in, their user-name appears as user@our.ad.domain@LDAP within oVirt engine.

Is there a way to configure both authentication methods to map to the same user irrespective of the Authentication domain? That is, is there a way in oVirt to say that user1@domain1 and user1@domain2 are to be treated as being equivalent?

Best wishes,
Lloyd Kamara