Hi all, I am looking at a slightly tricky situation, at least for me - I'm sure you guys would find this a "walk in the park" :-)
I have a situation where there are two forests (2003 Forest Functional Level). Each contains a single domain. One domain is a resource domain (DomainB), and the other contains the user accounts (DomainA). There is a one-way forest trust, such that the resource forest/domain trusts the user forest (and domain).

The situation I have is as follows:

Client ---> ISA Server 2006 ---> Web Server ---> App Server

The user that is logged on to the client is from DomainA. All the servers belong to DomainB. The user's credentials need to be passed from the web server back to the app server. So I could use Basic Authentication all the way through, or I can try to use Kerberos & delegation.

Now, ISA Server can use protocol transition, so that Client ---> ISA Server can be something other than Kerberos (e.g. forms authentication); however, protocol transition then requires the use of constrained delegation. Am I right in thinking that constrained delegation is limited to accounts in the same domain? If so, then the fact that the user is in a different domain to the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular delegation (and no protocol transition), does that work across forests? I have read conflicting reports on this.

I'm having some difficulty getting it working, so either the answer is "no", or my skills aren't up to the task (probably the latter, in combination with the former).

Cheers
Ken

--
My Blog: www.adOpenStatic.com/cs/blogs/ken

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
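The post distinguishes "regular" (unconstrained) delegation from constrained delegation with protocol transition. The following is an added example, not code from the post or from ISA Server, that classifies how accounts are configured for each mode from the `userAccountControl` flags and the `msDS-AllowedToDelegateTo` attribute, and flags delegation targets whose host lies outside the account's own domain so that cross-domain paths like the one described can be reviewed. The directory entries and host names are constructed sample data.

```python
# Added example: audit the Kerberos delegation configuration of AD accounts.
# Sample entries are constructed; attribute names and flag values are real.

# userAccountControl bits (ADS_USER_FLAG enumeration)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("any protocol")
WORKSTATION_TRUST_ACCOUNT = 0x1000          # computer account
NORMAL_ACCOUNT = 0x200                      # user / service account

def delegation_mode(entry):
    """Classify one account from userAccountControl and msDS-AllowedToDelegateTo."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"                    # target list is ignored in this mode
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained+protocol-transition"  # what a forms->Kerberos hop needs
    if targets:
        return "constrained"                      # Kerberos-only, limited to listed SPNs
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "misconfigured"                    # flag set but nothing to delegate to
    return "none"

def foreign_targets(entry, own_suffix):
    """Target SPNs whose host lies outside the account's own DNS suffix."""
    result = []
    for spn in entry.get("msDS-AllowedToDelegateTo", []):
        host = spn.split("/", 1)[1].split(":", 1)[0]  # SPN form: service/host[:port]
        if not host.lower().endswith("." + own_suffix.lower()):
            result.append(spn)
    return result

def audit(entries, own_suffix):
    """{sAMAccountName: (mode, foreign SPNs)} for every account that delegates at all."""
    return {e["sAMAccountName"]: (delegation_mode(e), foreign_targets(e, own_suffix))
            for e in entries if delegation_mode(e) != "none"}

# Constructed entries modelled on the post's chain (ISA -> web -> app, all in DomainB)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "ISA01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/web01.domainb.example"]},
    {"sAMAccountName": "WEB01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc-web", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["HTTP/app01.domainb.example", "HTTP/old.domaina.example"]},
    {"sAMAccountName": "APP01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    for name, (mode, foreign) in audit(SAMPLE_ENTRIES, "domainb.example").items():
        print(f"{name:10} {mode:32} targets outside own domain: {foreign}")
```

Against a real directory the same functions can be fed the output of an LDAP query for accounts with either flag set or a non-empty `msDS-AllowedToDelegateTo`; unconstrained accounts deserve the closest review because they accept forwarded tickets for any service.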
