Cross Forest Kerberos Delegation of Authentication

chris.geier@gmail.com
Sun Sep 17 20:20:20 EDT 2006


I have a multi-tier application that resides in the resource forest, where the web page in tier 1 needs to use Kerberos delegation of authentication to connect to an application server in tier 2 in that same resource forest. The web identity and the application identity are both operating as named accounts that also reside in the resource forest. Now when a normal, everyday user account needs to interact with this 3-tier app, it does so with a user account that resides in the Account Forest that is trusted by the resource forest.

Can this delegation of authentication happen in the application given that the user account to be delegated is not only in a separate forest but only has a one-way forest trust? I know for 100% that this is not possible in a basic W2K forest. I thought this was not the case even in W2K3 without a two-way trust, but the more I research and read, the more I am not sure about that. But I would love to find someone that has done this or knows for sure.

I am beginning to postulate that with a W2K3 native mode and a forest trust, the rules may have changed and that it is possible, but again I am not sure.
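The question above turns on two configuration facts that anyone investigating this setup would want to read straight out of the directory: the direction of the forest trust as seen from the resource forest, and how the tier-1 web account and tier-2 application account are configured for delegation (unconstrained, constrained to specific SPNs, or allowed protocol transition). The following audit script is an added example, not part of the original post or of any product it mentions. It assumes the ActiveDirectory PowerShell module (which did not exist when the post was written) is available on a machine joined to the resource forest, and all forest and account names in it are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# PowerShell module; every name below is a placeholder for the real one.
Import-Module ActiveDirectory

$AccountForest = 'accounts.example.test'   # placeholder: forest holding the user accounts
$WebAccount    = 'svc-web'                 # placeholder: tier-1 web identity
$AppAccount    = 'svc-app'                 # placeholder: tier-2 application identity

# 1. Trust direction, evaluated from the resource forest we are querying.
#    'Inbound' means principals from $AccountForest can authenticate here;
#    'BiDirectional' is the two-way trust the post contrasts with.
$trust = Get-ADTrust -Filter "Name -eq '$AccountForest'"
$trust | Select-Object Name, Direction, ForestTransitive, TrustType | Format-Table -AutoSize

# 2. Delegation settings on the two service accounts.
#    userAccountControl bits (documented values, not placeholders):
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

$report = foreach ($name in @($WebAccount, $AppAccount)) {
    $acct = Get-ADUser -Identity $name -Properties userAccountControl,
                                                   'msDS-AllowedToDelegateTo',
                                                   servicePrincipalName
    [pscustomobject]@{
        Account            = $name
        Unconstrained      = [bool]($acct.userAccountControl -band $UF_TRUSTED_FOR_DELEGATION)
        ProtocolTransition = [bool]($acct.userAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
        ConstrainedTargets = ($acct.'msDS-AllowedToDelegateTo' -join '; ')
        SPNs               = ($acct.servicePrincipalName -join '; ')
    }
}

$report | Format-Table -AutoSize
```

The Unconstrained column is the one to look at first from a risk standpoint: an account with that bit set receives forwardable TGTs of every user who authenticates to it, so a compromise of the tier-1 web identity would expose those users well beyond the tier-2 application. ConstrainedTargets lists the SPNs the account is limited to when constrained delegation is configured instead, which is the narrower setting to prefer for a web-to-app hop like the one described.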




More information about the Kerberos mailing list