RE: [ActiveDir] Cross-Forest Kerberos Delegation

2007-01-01 Thread Ken Schaefer
: To: ActiveDir@mail.activedir.org : Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation : : Wow that turned out ugly didn't it? : : Basically it should have shown that all machines are in one domain in : Forest1 and the user account is in Forest 2 and F1 trusts F2. : : Sorry for the long delay

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2007-01-01 Thread steve patrick
PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, January 01, 2007 3:07 AM Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation Hi Steve, Are you sure about this? I have the ISA Server, IIS Server and App Server in Forest1 If I logon to the client machine using a user from

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread steve patrick
] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 19, 2006 4:58 PM Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation Hi Joe, Thanks for your comments. Certainly using Basic is easier, and this is mostly what they are doing at the moment. I say mostly because I wasn't entirely

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread steve patrick
: steve patrick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, December 29, 2006 4:07 PM Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation Hi Ken Based on your mail you seem to have the following setup: F1 F2

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-29 Thread Joe Kaplan
] Cross-Forest Kerberos Delegation Hi Ken Based on your mail you seem to have the following setup: F1 F2 | | M1--- ISA--- IIS---AppServer UserA UserA logs on to M1 and hits the IIS Server which needs to access

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread tech4steve
If I understand your scenario correctly In order for S4U2self (protocol transition) to work in this scenario you will need a 2 way forest trust. If you do not need S4U2self you can get by with the one way trust. steve -- Original message -- From: Ken Schaefer

RE: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Ken Schaefer
://www.adopenstatic.com/cs/blogs/ken From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, 20 December 2006 12:37 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Cc: Ken Schaefer Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation If I understand your

Re: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Joe Kaplan
Sent: Tuesday, December 19, 2006 5:29 PM Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation Hi Steve, Can you elaborate on this? I'm familiar with what S4U2self is for, but not sure how to tell whether I would need it or not. Are you saying below that protocol transition can be used

RE: [ActiveDir] Cross-Forest Kerberos Delegation

2006-12-19 Thread Ken Schaefer
Kaplan : Sent: Wednesday, 20 December 2006 10:41 AM : To: ActiveDir@mail.activedir.org : Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation : : My understanding is that you can get the actual protocol transition : logon to : work, but you cannot use delegation (which is what you really need