Hi Steve,


Can you elaborate on this? I'm familiar with what S4U2self is for, but not
sure how to tell whether I would need it or not. Are you saying below that
protocol transition can be used cross-forest? I thought protocol transition
was tied to constrained delegation (in a user/computer account's properties,
on the delegation tab there is an option that says "any protocol", but that's
only available in the section for constrained delegation). If that's the case,
then how can protocol transition work cross-forest?


Cheers

Ken


--

My Blog: www.adOpenStatic.com/cs/blogs/ken
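As an added illustration (not part of Ken's or Steve's messages), the Python below maps the raw attributes behind the Delegation tab that Ken refers to onto the option they represent: the userAccountControl bits TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION, and the msDS-AllowedToDelegateTo target list that the "any protocol" option is tied to. The account records are constructed sample data; in a real audit they would come from an LDAP export.

```python
# Added example: classify an account's delegation configuration from the two
# attributes the Delegation tab writes. Sample records below are constructed.
from typing import Sequence

# userAccountControl bits (values from the AD schema)
TRUSTED_FOR_DELEGATION = 0x80000           # "any service (Kerberos only)" = unconstrained
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" = S4U2self allowed


def classify_delegation(uac: int, allowed_to_delegate_to: Sequence[str]) -> str:
    """Return the Delegation-tab setting that matches the account's attributes."""
    unconstrained = bool(uac & TRUSTED_FOR_DELEGATION)
    protocol_transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
    has_targets = len(allowed_to_delegate_to) > 0

    if unconstrained:
        # Unconstrained delegation: impersonation to any service, target list irrelevant.
        return "unconstrained (any service, Kerberos only)"
    if has_targets and protocol_transition:
        # Constrained delegation with protocol transition: the only combination the
        # "any protocol" option produces, since it lives under the constrained section.
        return "constrained, any authentication protocol (protocol transition)"
    if has_targets:
        return "constrained, Kerberos only"
    if protocol_transition:
        # The Delegation tab pairs this bit with a target list; the bit alone usually
        # means it was set by other means, so an audit should review it.
        return "protocol transition flag set but no target services (review)"
    return "no delegation"


def delegation_report(accounts):
    """Classify (name, userAccountControl, msDS-AllowedToDelegateTo) records."""
    return {name: classify_delegation(uac, targets) for name, uac, targets in accounts}


# Constructed sample accounts, one per Delegation-tab option (0x1000 = WORKSTATION_TRUST_ACCOUNT).
SAMPLE_ACCOUNTS = [
    ("WS01$", 0x1000, []),
    ("WEB01$", 0x1000 | TRUSTED_FOR_DELEGATION, []),
    ("ISA01$", 0x1000, ["http/web01.domainb.example"]),
    ("ISA02$", 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION, ["http/web01.domainb.example"]),
]

if __name__ == "__main__":
    for name, setting in delegation_report(SAMPLE_ACCOUNTS).items():
        print(f"{name:8} {setting}")
```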


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 20 December 2006 12:37 AM
To: [email protected]; [email protected]
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation


If I understand your scenario correctly ....


In order for S4U2self (protocol transition) to work in this scenario you
will need a 2-way forest trust.

If you do not need S4U2self you can get by with the one-way trust.


steve

-------------- Original message --------------
From: "Ken Schaefer" <[EMAIL PROTECTED]>

> Hi all,
>
> I am looking at a slightly tricky situation, at least for me - I'm sure you
> guys would find this a "walk in the park" :-)
>
> I have a situation where there are two forests (2003 Forest Functional
> Level). Each contains a single domain. One domain is a resource domain
> (DomainB), and the other contains the user accounts (DomainA). There is a
> one-way forest trust, such that the resource forest/domain trusts the user
> forest (and domain).
>
> The situation I have is as follows:
>
> Client ---> ISA Server 2006 ---> Web Server ---> App Server
>
> The user that is logged on to the client is from DomainA. All the servers
> belong to DomainB. The user's credentials need to be passed from the web
> server back to the app server. So I could use Basic Authentication all the
> way through. Or I can try to use Kerberos & delegation.
>
> Now, ISA Server can use protocol transition, so that Client ---> ISA Server
> can be something other than Kerberos (e.g. forms authentication); however,
> Protocol Transition then requires the use of constrained delegation. Am I
> right in thinking that constrained delegation is limited to accounts in the
> same domain? If so, then the fact that the user is in a different domain to
> the ISA Server will cause this to fail.
>
> On the other hand, if I didn't use constrained delegation, just regular
> delegation (and no protocol transition), does that work across Forests
> though? I have read conflicting reports on this. I'm having some difficulty
> getting it working, so either the answer is "no", or my skills aren't up to
> the task (probably the latter, in combination with the former).
>
> Cheers
> Ken
>
> --
> My Blog: www.adOpenStatic.com/cs/blogs/ken
