My understanding is that you can get the actual protocol transition logon to work, but you cannot use delegation (which is what you really need) because PT is tied to constrained delegation and it only works in a single domain, not even in multiple domains in a forest. Your understanding is basically correct.

This is a documented limitation and not something I've played with personally, so I'm not sure if there is more to it than that.

I honestly don't know if this can be made to work with unconstrained delegation/kerb auth in IIS, as I've never tried that either. However, giving out unconstrained delegation privileges is a bit icky.

This may be one of those situations where it is easier to just pass the plaintext credentials around between the tiers using basic auth/SSL and such.
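The delegation-tab settings the thread keeps returning to (unconstrained delegation, constrained delegation, and the "use any authentication protocol" option that enables protocol transition) are stored as two userAccountControl bits plus the msDS-AllowedToDelegateTo attribute. The Python audit helper below is an added example, not code from anyone in this thread; it runs over a constructed account export, and the account names and SPNs in it are invented.

```python
# Added example (not from the thread): decode the AD attributes behind the
# "Delegation" tab so an audit can tell unconstrained delegation, constrained
# delegation (Kerberos only) and constrained delegation with protocol
# transition ("use any authentication protocol") apart.

# userAccountControl bits (documented values).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: any service, Kerberos only
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self allowed)

def classify_delegation(account):
    """Return the delegation mode of one account record.

    account: dict with 'sAMAccountName', 'userAccountControl' (int) and an
    optional 'msDS-AllowedToDelegateTo' list of target SPNs (the constrained
    delegation targets, which on 2003 must live in the account's own domain).
    """
    uac = account.get("userAccountControl", 0)
    targets = list(account.get("msDS-AllowedToDelegateTo") or [])
    unconstrained = bool(uac & TRUSTED_FOR_DELEGATION)
    transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
    if unconstrained:
        mode = "unconstrained"        # any service, no target list: review closely
    elif targets and transition:
        mode = "constrained-protocol-transition"
    elif targets:
        mode = "constrained-kerberos-only"
    elif transition:
        mode = "misconfigured"        # PT bit set but no targets: nothing to delegate to
    else:
        mode = "none"
    return {"name": account["sAMAccountName"], "mode": mode, "targets": targets}

def find_risky(accounts):
    """Names an admin should review: unconstrained delegation, anything
    allowed to do protocol transition, and inconsistent settings."""
    review = {"unconstrained", "constrained-protocol-transition", "misconfigured"}
    return [r["name"] for r in map(classify_delegation, accounts) if r["mode"] in review]

# Constructed sample export (values invented for this example).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["HTTP/app01.domainb.example"]},
    {"sAMAccountName": "ISA01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.domainb.example:1433"]},
    {"sAMAccountName": "SVC_LEGACY", "userAccountControl": 0x200 | 0x1000000},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for rec in map(classify_delegation, SAMPLE_ACCOUNTS):
        print(f'{rec["name"]:<12} {rec["mode"]:<32} {", ".join(rec["targets"])}')
    print("review:", find_risky(SAMPLE_ACCOUNTS))
```

In a real audit the records would come from an LDAP export of the userAccountControl and msDS-AllowedToDelegateTo attributes; the classification logic is unchanged.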


----- Original Message ----- From: Ken Schaefer
Sent: Tuesday, December 19, 2006 5:29 PM
Subject: RE: [ActiveDir] Cross-Forest Kerberos Delegation

Hi Steve,

Can you elaborate on this? I'm familiar with what S4U2self is for, but not sure how to tell whether I would need it or not. Are you saying below that protocol transition can be used cross-forest? I thought protocol transition was tied to constrained delegation (in a user/computer account's properties, on the delegation tab there is an option that says "any protocol", but that's only available in the section for constrained delegation). If that's the case, then how can protocol transition work cross-forest?


Sent: Wednesday, 20 December 2006 12:37 AM
Cc: Ken Schaefer
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation

If I understand your scenario correctly ....

In order for S4U2self (protocol transition) to work in this scenario you will need a 2-way forest trust.
If you do not need S4U2self you can get by with the one-way trust.

-------------- Original message -------------- From: "Ken Schaefer" <[EMAIL PROTECTED]>

Hi all,

I am looking at a slightly tricky situation, at least for me - I'm sure you
guys would find this a "walk in the park" :-)

I have a situation where there are two forests (2003 Forest Functional
Level). Each contains a single domain. One domain is a resource domain
(DomainB), and the other contains the user accounts (DomainA). There is a
one-way forest trust, such that the resource forest/domain trusts the user
forest (and domain).

The situation I have is as follows:

Client ---> ISA Server 2006 ---> Web Server ---> App Server

The user that is logged on to the client is from DomainA. All the servers
belong to DomainB. The user's credentials need to be passed from the web
server back to the app server. So I could use Basic Authentication all the
way through. Or I can try to use Kerberos & delegation.

Now, ISA Server can use protocol transition, so that Client ---> ISA Server
can be something other than Kerberos (e.g. forms authentication), however
Protocol Transition then requires the use of constrained delegation. Am I
right in thinking that constrained delegation is limited to accounts in the
same domain? If so, then the fact that the user is in a different domain to
the ISA Server will cause this to fail.

On the other hand, if I didn't use constrained delegation, just regular
delegation (and no protocol transition), does that work across Forests
though? I have read conflicting reports on this. I'm having some difficulty
getting it working, so either the answer is "no", or my skills aren't up to
the task (probably the latter, in combination with the former).

