> > > I thought KCD did not work across forests/domains but I'm reaching here so
> > > double check me. I'm itching to get all over these Kerberos features myself
> > > but have had no time as usual to get deep into them. Hopefully we can
> > > fulfil some of our critical needs on the LDAP side and move on to frolic
> > > around in the Kerberos side for a while.
> >
> I don't think it does technically, but here are the basics of the scenario we had (I will do a more detailed writeup when I have a few minutes):

Policy dictated that all devices be stored in a different forest than users. So there were two forests: addr.domain.com (with a subdomain of usrs.addr.domain.com) for users, and svc.domain.com, with a two-way cross-forest trust between svc.addr.domain.com and usrs.addr.domain.com. We were using MS' IAG (Intelligent Application Gateway), which performed KCD on behalf of the user (authentication to the IAG was done using Active Directory Federation Services). The IAG was a member of the svc.domain.com domain and the users were all in the usrs.addr.domain.com domain.

We tried a similar scenario using Quest's SSO/Java, and while KCD worked very well for a single forest, KCD for users in the cross-forest trust did not. The difference appeared to be that the IAG would:

1. request a ticket to talk to the user's domain
2. try to authenticate the ticket to the user's domain

whereas SSO/Java (and I never figured out if this was a misconfiguration on my part or an issue with the product) tried to authenticate the ticket against the svc domain.

Hope that explains it a bit better; if not I can do something more detailed.

Marc
