: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: Wow, that turned out ugly, didn't it?
:
: Basically it should have shown that all machines are in one domain in
: Forest1 and the user account is in Forest 2 and F1 trusts F2.
:
: Sorry for the long delay
To: ActiveDir@mail.activedir.org
Sent: Monday, January 01, 2007 3:07 AM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
Hi Steve,
Are you sure about this?
I have the ISA Server, IIS Server and App Server in Forest1
If I logon to the client machine using a user from
To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 4:58 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
Hi Joe,
Thanks for your comments. Certainly using Basic is easier, and this is mostly
what they are doing at the moment. I say mostly because I wasn't entirely
: steve patrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, December 29, 2006 4:07 PM
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
Hi Ken
Based on your mail you seem to have the following setup:
F1                               F2
|                                |
M1--- ISA--- IIS---AppServer     UserA
UserA logs on to M1 and hits the IIS Server which needs to access
If I understand your scenario correctly
In order for S4U2self (protocol transition) to work in this scenario you will
need a 2 way forest trust.
If you do not need S4U2self you can get by with the one way trust.
steve
-- Original message --
From: Ken Schaefer
://www.adopenstatic.com/cs/blogs/ken
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 20 December 2006 12:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
If I understand your
Sent: Tuesday, December 19, 2006 5:29 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation
Hi Steve,
Can you elaborate on this? I'm familiar with what S4U2self is for, but not
sure how to tell whether I would need it or not. Are you saying below that
protocol transition can be used
Kaplan
: Sent: Wednesday, 20 December 2006 10:41 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
:
: My understanding is that you can get the actual protocol transition logon to
: work, but you cannot use delegation (which is what you really need