Improve OnPremise AD-Integration in PRTG
Support for trusted and sub domains
PRTG doesn't support AD forests and trusted sub domains. Only accounts within the same domain as configured in the settings can log into PRTG.
Without this feature we have unnecessary administrative overhead due to having to create extra user accounts for users in sub domains.
This task is not only a waste of time, but also poses additional security risks, since users tend to use the same password for more accounts.
This has been the feature request with the highest upvotes in the old system (https://helpdesk.paessler.com/en/support/solutions/articles/76000073698--looking-at-improve-ad-integration-in-prtg-including-sso-with-ad-or-adfs-2fa-), yet it's still not implemented.
We have been waiting for it since 2018.
Hi there,
Thank you again for submitting your idea to Paessler. We truly appreciate you taking the time to share your feedback.
After careful consideration by our team, we've decided to decline this idea at this time.
While we appreciate your request for PRTG to natively support authentication across an entire AD forest, here is our perspective on why we focus on a more streamlined authentication model and how you can use Microsoft Entra ID (formerly Azure AD) or Active Directory Federation Services (AD FS) to achieve a best-practice, single-identity solution.
Why Direct Multi-Domain/Forest Support is Complex
PRTG is a network monitoring solution, and its design prioritizes ease of deployment, stability, and security in its core function. Directly integrating with an entire Active Directory Forest—including all trusted domains and sub-domains—involves significant complexities that are generally handled by dedicated identity services:
- Trust and Authentication Flow Complexity: Supporting authentication across different AD trees and transitive trusts introduces complex logic (e.g., Kerberos referrals, credential forwarding) that can be difficult to manage, troubleshoot, and maintain for a non-identity application like PRTG.
- Source of Truth Issues: In multi-domain environments, it is often difficult for an application to know which domain holds the authoritative user attributes (e.g., UPN, email, groups). This can lead to synchronization conflicts or stale user data.
- Maintenance Overhead: When trust relationships change between on-premises AD forests (due to mergers, divestitures, or organizational restructuring), PRTG would require constant, complex updates to its configuration.
The Recommended Solution: Centralized Identity Management
The industry best practice for unifying identities across complex environments (like multiple AD forests, sub-domains, or even third-party identity sources) is to use a centralized identity provider that handles all the authentication complexity, providing a single, clean user list to all applications.
Use Microsoft Entra ID (or AD FS) for SSO
We strongly recommend using Microsoft Entra ID (or AD FS for an on-premises solution) to manage authentication for your users.
- Consolidate Identities: Use Microsoft Entra Connect or Microsoft Entra Cloud Sync to import all user accounts from your various AD forests/domains into your single Microsoft Entra tenant. This ensures that every user has one unique cloud identity that is synchronized from the correct on-premises source.
- Enable Single Sign-On (SSO): Configure PRTG to use SAML or OpenID Connect (OIDC) authentication with your Microsoft Entra tenant.
- Simplified PRTG Access: Your users will now simply sign into PRTG using their primary, synchronized UPN (e.g., user@company.com), regardless of which specific AD domain their account originated in.
- Eliminates Overhead: You no longer need to create or manage local accounts in PRTG for sub-domain users.
- Enhances Security: Users authenticate with their primary AD password, eliminating the need for separate passwords and the security risk of password reuse.
- Enables Modern Security: This approach allows you to enforce multi-factor authentication (MFA), Conditional Access policies, and other advanced security features directly from Microsoft Entra ID.
By leveraging Microsoft Entra ID, you offload the complex burden of multi-domain and multi-forest management to a service specifically designed for identity, allowing PRTG to focus on providing best-in-class network monitoring.
While this particular idea won't be moving forward, please don't be discouraged! Your input is incredibly valuable, and we encourage you to continue sharing your thoughts and ideas with us.
Thanks for your understanding and for helping us shape the future of Paessler.
Best regards,
The Paessler Product Team