If I understand your scenario correctly ....

In order for S4U2self (protocol transition) to work in this scenario you will
need a 2-way forest trust.
If you do not need S4U2self you can get by with the one-way trust.

steve
-------------- Original message -------------- 
From: "Ken Schaefer" <[EMAIL PROTECTED]> 

> Hi all, 
> 
> I am looking at a slightly tricky situation, at least for me - I'm sure you 
> guys would find this a "walk in the park" :-) 
> 
> I have a situation where there are two forests (2003 Forest Functional 
> Level). Each contains a single domain. One domain is a resource domain 
> (DomainB), and the other contains the user accounts (DomainA). There is a 
> one-way forest trust, such that the resource forest/domain trusts the user 
> forest (and domain). 
> 
> The situation I have is as follows: 
> 
> Client ---> ISA Server 2006 ---> Web Server ---> App Server 
> 
> The user that is logged on to the client is from DomainA. All the servers 
> belong to DomainB. The user's credentials need to be passed from the web 
> server back to the app server. So I could use Basic Authentication all the 
> way through. Or I can try to use Kerberos & delegation. 
> 
> Now, ISA Server can use protocol transition, so that Client ---> ISA Server 
> can be something other than Kerberos (e.g. forms authentication), however 
> Protocol Transition then requires the use of constrained delegation. Am I 
> right in thinking that constrained delegation is limited to accounts in the 
> same domain? If so, then the fact that the user is in a different domain to 
> the ISA Server will cause this to fail. 
> 
> On the other hand, if I didn't use constrained delegation, just regular 
> delegation (and no protocol transition), does that work across Forests 
> though? I have read conflicting reports on this. I'm having some difficulty 
> getting it working, so either the answer is "no", or my skills aren't up to 
> the task (probably the latter, in combination with the former). 
> 
> Cheers 
> Ken 
> 
> -- 
> My Blog: www.adOpenStatic.com/cs/blogs/ken 
> 
> List info : http://www.activedir.org/List.aspx 
> List FAQ : http://www.activedir.org/ListFAQ.aspx 
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ 
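The two things the thread turns on are the direction of the forest trust and the delegation flags on the front-end (ISA) computer account. The following PowerShell is an added example, not code from Steve or Ken: it reads those settings so the failure mode Steve describes (S4U2self against a one-way trust) can be diagnosed rather than guessed at. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), which postdates the 2003 forests in the thread; the attributes it reads (userAccountControl bits, msDS-AllowedToDelegateTo) are the same ones a 2003 DC stores. The domain name, computer name and SPN are placeholders.

```powershell
# Added example (not from the thread): inventory the settings that a
# Kerberos constrained delegation / protocol transition setup depends on.
# Run from a DomainB (resource forest) member with RSAT installed.
Import-Module ActiveDirectory

$userForestDomain = 'domaina.example'                 # assumed: user-account forest (DomainA)
$frontEndServer   = 'ISA01'                           # assumed: computer account that delegates
$backEndSpn       = 'HTTP/webserver.domainb.example'  # assumed: next hop's SPN

# userAccountControl bits (documented values, same on 2003 and later DCs)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self)

# 1. Trust direction. Steve's point: S4U2self performed in DomainB on behalf
#    of a DomainA user needs the trust to run both ways; a one-way
#    "B trusts A" trust is enough only for plain Kerberos delegation.
$trust = Get-ADTrust -Filter "Name -eq '$userForestDomain'"
if (-not $trust) {
    throw "No trust object named $userForestDomain found in this domain"
}
'Trust {0}: Direction={1} ForestTransitive={2}' -f $trust.Name, $trust.Direction, $trust.ForestTransitive
if ($trust.Direction -ne 'BiDirectional') {
    Write-Warning "One-way trust: expect S4U2self (protocol transition) to fail for $userForestDomain users."
}

# 2. Delegation flags on the front-end account. The ADUC "Delegation" tab is
#    just a view of these two attributes.
$acct = Get-ADComputer -Identity $frontEndServer `
            -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
$uac  = $acct.userAccountControl
[pscustomobject]@{
    Account                 = $acct.Name
    UnconstrainedDelegation = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
    ProtocolTransition      = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    AllowedToDelegateTo     = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
    SPNs                    = ($acct.servicePrincipalName -join ', ')
} | Format-List

# 3. To configure constrained delegation with protocol transition on that
#    account (the "Use any authentication protocol" option in ADUC), uncomment
#    the two lines below. Both are standard ActiveDirectory-module calls;
#    the second restricts delegation to the one back-end SPN rather than
#    granting unconstrained delegation.
# Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true
# Set-ADComputer -Identity $acct -Add @{'msDS-AllowedToDelegateTo' = $backEndSpn}
```

Run it before touching the delegation tab: if step 1 warns about a one-way trust, no amount of configuring on the ISA account will make protocol transition work, which matches Steve's answer. Two caveats for readers on newer domains: the ProtocolTransition flag with no entries in AllowedToDelegateTo is a known misconfiguration (the account can obtain tickets as any user but the KDC refuses the delegation step), and Windows Server 2012 and later offer resource-based constrained delegation (msDS-AllowedToActOnBehalfOfOtherIdentity on the back-end account), which is the documented way to delegate across domain and forest boundaries but was not available at the 2003 functional level discussed here.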
