directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Boorshtein <>
Subject Re: [Kerberos] Constrained Delegation Support?
Date Wed, 23 Sep 2009 15:54:44 GMT
> I thought KCD did not work across forests/domains but I'm reaching here so
> double check me.  I'm itching to get all over these Kerberos features myself
> but have had no time as usual to get deep into them.  Hopefully we can
> fullfil some of our critical needs on the LDAP side and move on to frolic
> around in the Kerberos side for a while.
I don't think it does technicly, but it here's the basics of the scenario we
had (I will do a more detailed writeup when I have a few minutes):

Policy dictated that all devices be stored in a different forest then
users.  So there were two forests: (with a subdomain of for users and with a 2 way cross forest trust between svc.addr.domain.comand  We were using MS' IAG (intelligent application
gateway) which performed KDC on behalf of the user (authentication to the
IAG was done using Active Directory Federation Services).  The IAG was a
member of the domain and the users were all in the domain.  We tried a similar scenario using Quest's
SSO/Java and while KDC worked very well for a single forest, kdc for users
in the cross forest trust did not.  The diference appeared to be that the
IAG would:

1.  request a ticket to talk to the user's domain
2.  try to authenticate the ticket to the user's domain

where as SSO/Java (and I never figured out if this was a misconfiguraiton on
my part or an issue with the product) tried to authenticate the ticket
against the svc domain.

Hope that explains it a bit better, if not I can do something more detailed


View raw message