Re: Cross Forest Authentication



Yes, that helps a bunch. Thanks.

I still don't know the answer to the question and I don't know for sure if
it is documented anywhere. Someone from MS probably knows, although you might
be surprised that a lot of the AD product group people don't know tons about
Kerberos and application usage of it (delegation, etc.) because Kerberos is
actually implemented and maintained by a different team. As such, this
might not even be the right newsgroup.

What I would suggest is this though: try to get the scenario working when
logging in to the app with an account in the resource forest first. Ensure
that you are getting Kerberos authentication in IIS (which is often a lot
harder than it should be; NTLM failovers with IIS auth are very common due
to the mysteriousness of SPNs and how they interact with the host name in
the URL among other factors). If that works, then you can switch to an account
domain account and see what happens. Ensure once again that you are getting
Kerberos auth via IIS so you are comparing apples to apples. If the
delegation doesn't work, then I think you have eliminated enough other
variables to know that the forest deployment is the issue.

A definitive answer is obviously preferable, but sometimes you have to do
what you have to do.

Protocol Transition may be an answer for you here, but I'm not sure. I know
you can only delegate between services in the same domain (constrained
delegation requires this and S4U requires constrained delegation), but since
that appears to be what you have, that might not be a problem. The real
issue would seem to be whether you can delegate the foreign forest account
or not. As I think about it, I'm not sure protocol transition even makes a
difference here, as it basically gives you a Kerberos-based token for the
user, but then we are basically right back where we were with the test
scenario.

ADFS is an interesting idea in your scenario, but I'm not sure it helps
either and adds a ton of complexity. Forget I mentioned it. :)

It might be helpful to talk a little bit more about the app that is being
delegated to. Is it SQL or HTTP (web services, etc.) or something else?
I'm not sure it matters, but I'm curious.

My final recommendation is to open an official support inquiry with MS so
someone there will be forced to answer.

Best of luck.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Chris Geier" <chris.geier at gmail.com> wrote in message
news:F23383A2-9A67-48AA-80C0-3915FE64E1C6@xxxxxxxxxxxxxxxx
I think I have read through everything on Kerberos and Cross forest
authentication and I am still not 100% about the specifics of this
situation.
Let me try to explain a bit better.

I have a multi-tier application that resides in the resource forest where
the Webpage in tier 1 needs to use Kerberos Delegation of authentication to
connect to an application server in tier 2 in that same resource forest.
The web identity and the application identity are both operating as named
accounts that also reside in the resource forest. Now when a normal every
day user account needs to interact with this 3 tier app, it does so with a
user account that resides in the Account Forest that is trusted by the
resource forest.

Can this delegation of authentication happen in the application given that
the user account to be delegated is not only in a separate forest but only
has a 1 way forest trust?
I know for 100% that this is not possible in a basic W2K forest. I thought
this was not the case even in W2K3 without a 2 way trust but the more I
research and read the more I am not sure about that. But I would love to
find someone that has done this or knows for sure.

I am beginning to postulate that with a W2K3 native mode, and a forest trust
the rules may have changed and that it is possible, but again I am not
sure.

Did that make it more clear?
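The reply above stresses checking that IIS really negotiated Kerberos rather than silently falling back to NTLM before blaming the forest trust. One way to check that from a captured request is to decode the `Authorization: Negotiate ...` header and look at which mechanism the client actually offered. The script below is an added example written for this page, not code posted by either participant: it parses the GSS-API/SPNEGO wrapper with a minimal DER reader and classifies the token as Kerberos, NTLM-inside-SPNEGO, or raw NTLM. The three header values it runs on are constructed locally (the "Kerberos" one carries a fake AP-REQ payload), so it runs offline. The OID byte strings are the standard DER encodings of the SPNEGO, Kerberos V5, MS-KRB5 and NTLMSSP mechanism OIDs.

```python
"""Classify the mechanism behind an HTTP 'Authorization: Negotiate ...' header.

Added example for the thread above (not the poster's code). It tells you what
the client offered: if Kerberos is not the first mechType in the SPNEGO
NegTokenInit, IIS is going to authenticate with NTLM and delegation will not work.
"""
import base64

# DER-encoded OID values (the bytes that follow the 0x06 tag and length).
OID_SPNEGO  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
OID_MSKRB5  = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Build one DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def classify_negotiate(header_value: str) -> str:
    """Map an Authorization header value to the mechanism the client chose."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "NTLM (raw NTLM scheme)"
    if scheme.lower() != "negotiate":
        return "other"
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLM (raw NTLMSSP inside Negotiate)"
    if not tok or tok[0] != 0x60:          # GSS-API InitialContextToken is APPLICATION 0
        return "unknown"
    _, p, _ = read_tlv(tok, 0)
    tag, oid_start, oid_end = read_tlv(tok, p)
    if tag != 0x06:
        return "unknown"
    oid = tok[oid_start:oid_end]
    if oid in (OID_KRB5, OID_MSKRB5):
        return "Kerberos (raw AP-REQ, no SPNEGO)"
    if oid != OID_SPNEGO:
        return "unknown"
    # NegotiationToken -> [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    tag, p, _ = read_tlv(tok, oid_end)
    if tag != 0xA0:
        return "SPNEGO (not a NegTokenInit)"
    tag, p, _ = read_tlv(tok, p)           # SEQUENCE
    tag, p, _ = read_tlv(tok, p)           # [0] mechTypes
    if tag != 0xA0:
        return "SPNEGO (no mechTypes)"
    tag, p, mt_end = read_tlv(tok, p)      # SEQUENCE OF OID
    mechs = []
    while p < mt_end:
        _, s, e = read_tlv(tok, p)
        mechs.append(tok[s:e])
        p = e
    if not mechs:
        return "SPNEGO (no mechTypes)"
    if mechs[0] in (OID_KRB5, OID_MSKRB5):
        return "Kerberos (SPNEGO, Kerberos offered first)"
    if mechs[0] == OID_NTLMSSP:
        return "NTLM (SPNEGO, NTLM offered first: ticket request failed, check SPNs)"
    return "SPNEGO (unrecognised mechanism)"


def build_spnego(mech_oids, mech_token: bytes) -> bytes:
    """Build a NegTokenInit carrying the given mechTypes and optimistic mechToken."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    mech_tok = der(0xA2, der(0x04, mech_token))
    neg_init = der(0xA0, der(0x30, mech_types + mech_tok))
    return der(0x60, der(0x06, OID_SPNEGO) + neg_init)


def _hdr(scheme: str, raw: bytes) -> str:
    return scheme + " " + base64.b64encode(raw).decode()


# Constructed sample headers (not real captures); the AP-REQ payload is a dummy.
SAMPLES = {
    "kerberos":      _hdr("Negotiate", build_spnego([OID_MSKRB5, OID_KRB5, OID_NTLMSSP], b"\x60\x00dummy-ap-req")),
    "ntlm_fallback": _hdr("Negotiate", build_spnego([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")),
    "raw_ntlm":      _hdr("NTLM", b"NTLMSSP\x00\x01\x00\x00\x00"),
}


def classify_samples() -> dict:
    """Classify every constructed sample; used for the stand-alone run below."""
    return {name: classify_negotiate(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:14s} -> {result}")
```

The header only shows what the client tried. To confirm what the web server actually accepted, pair this with Security event 4624 on the IIS host and read its Authentication Package field (Kerberos versus NTLM) for the logon that the request produced; a client that lists only NTLMSSP is the symptom of a missing or duplicated SPN for the URL host name that the reply above warns about.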
