That is what I was thinking of. I couldn't find where I read that and went
from memory. Thanks for the clarification.
Joe K.
----- Original Message -----
From: "steve patrick" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Friday, December 29, 2006 6:07 PM
Subject: Re: [ActiveDir] Cross-Forest Kerberos Delegation
Hi Ken
Based on your mail you seem to have the following setup:
F1--------------------------------------------------------> F2
| |
M1---> ISA---> IIS--->AppServer UserA
UserA logs on to M1 and hits the IIS Server which needs to access
AppServer with a proper token for UserA
In this scenario - constrained delegation will work ok.
Perhaps Joe was thinking of the docs which state you have to have the IIS
Server and the AppServer in the same forest and domain?
steve
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx