http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspxIn this part we extend, slightly, upon the previous scenario , by adding delegation. Now we need to allow IIS, in our resource Forest (or domain) to delegate the end user&rsquo;s credentials, to a backend service (SQL Server in this case): The machinesenCommunityServer 2.1 (Build: 60809.935)http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#17879Fri, 11 Jul 2008 12:49:54 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:17879.neting in the free world<p>Coraz częściej w pracy stykam się z koniecznością ustawienia autentykacji poprzez protok&#243;ł Kerberos ,</p> http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#17883Fri, 11 Jul 2008 13:21:38 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:17883.neting in the free world<p>Coraz częściej w pracy stykam się z koniecznością ustawienia autentykacji poprzez protok&#243;ł Kerberos ,</p> http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#18270Mon, 25 Aug 2008 16:42:44 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:18270PaulThank you Ken for "IIS and Kerberos" series - really helpful. Is there any way to disable NTLM completely and authenticate using Kerberos only? Thanks, paul http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#18515Sat, 20 Sep 2008 12:17:53 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:18515Ken<p>Hi Paul,</p> <p>No - that's not possible.</p> <p>Cheers</p> <p>Ken</p> http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#18953Tue, 28 Oct 2008 12:59:37 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:18953Saurabh One word to express my gratitude would be fabulous. I recently came to know about your article series on Kerberos and seeing the exhaustive coverage I really admire the great work you have done. I myself belong to IIS support group within MS which deals with troubleshooting on kerberos issues for our customers, and your articles look very valuable indeed. Great work!http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#18955Tue, 28 Oct 2008 17:32:34 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:18955Steve HallKen, we have a MOSS environment and are planning out an integrated SQL reporting solution. The SQL reporting database is kept on a seperate clustered SQL instance. This configuration will exceed the double hop limit of NTLM. We currently have a cross-forest setup but only a one way trust. A two way trust will never be allowed. If kerberos requires a two way trust for delegation, and we can't have a two way trust, are we hosed? Are there any other solutions that will meet our needs?http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#19993Mon, 01 Dec 2008 04:02:45 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:19993robThis is an A+ series of posts. Having the captures downloadable to read along with kicks ass. Thanks for putting in the effort to do this.http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#20530Tue, 30 Dec 2008 01:14:14 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:20530chrisif i have users in forest A, and Resources (servers, and applications) in forest b. and I run one of my applications as an user that resides in forest A. There is a one way trust where Forest B trusts Forest B. Will i be able to use delegation in this scenario since both the service account that will be delegated to is in the same forest as the accounts being impersonated? Or is it a hard rule that to use delegation where 2 forests are involved you HAVE to have a 2 way trusthttp://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#21017Thu, 12 Feb 2009 04:50:06 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:21017Ken<p>Hi Chris,</p> <p>Sorry to take so long to get back to you. I'm not 100% sure about your situation. Will have to investigate and get back to you!</p> http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#21174Thu, 26 Feb 2009 12:24:33 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:21174Ken Schaefer<p>As an extension of the previous article on Cross Forest (or Cross Domain) Kerberos Authentication this</p> http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#21250Mon, 02 Mar 2009 16:39:49 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:21250Malcolm GinKen, In our environment, we are working in a single forest but multiple domains. Is a two-way trust required in this model? We seem to have indications that Kerberos constrained delegation is working properly for us even though we are using a one-way trust. If/when we have conclusive proof, I'll try to come back and follow up. Thanks, Mhttp://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#21323Fri, 06 Mar 2009 09:55:13 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:21323Vidar's Musings ?? The mother lode for IIS, Kerberos and IWA information<p>PingBack from <a rel="nofollow" target="_new" href="http://www.kongsli.net/nblog/2009/03/06/the-mother-lode-for-iis-kerberos-and-iwa-information/">http://www.kongsli.net/nblog/2009/03/06/the-mother-lode-for-iis-kerberos-and-iwa-information/</a></p> http://adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx#21387Mon, 09 Mar 2009 09:21:12 GMTe0e31441-78b9-4457-b9b0-6f7906e03e71:21387Ken<p>Hi Malcom,</p> <p>You have configured one-way trust between two domains in the same Forest? (I know that this is insufficient across Forests - because I tried for several days to get that working :-))</p> <p>Can you tell us which domains your users and resources are in?</p>