Re: One-way trust, Kerberos & IIS

From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
Date: Mon, 10 Apr 2006 16:34:28 -0700

The forest of Domain A is at best Windows 2000 native.
External trusts to other forests is always NTLM based in
that scenario. If you want a trust that supports Kerberos
you need W2k3 mode forests and a forest-level trust.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Jim" <Jim@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D2005B36-F90D-4D64-AC10-789CBD785163@xxxxxxxxxxxxxxxx

Hi,

I have the following configuration

Two Active Directory Domains in two separate forests.

Domain A Windows 2000

Domain B Windows 2003

I have a one-way trust between them such that B trusts A

I have a web application running on a Windows Server 2003 installation
using
IIS in Domain B that require Kerberos Authentication using IWA.

Currently when I attempt to log on with a client authenticated with a DC
in
Domain A authentication appears to be using the fall back of NTLM. Do I
need
to create an SPN in Domain A to allow Domain A's KDC to provide the client
running in Domain A with a referral ticket for Domain B?

Many thanks

Jim

Follow-Ups:
- Re: One-way trust, Kerberos & IIS
  - From: Jim

Prev by Date: IUSR problem
Next by Date: Re: IUSR problem
Previous by thread: IUSR problem
Next by thread: Re: One-way trust, Kerberos & IIS
Index(es):
- Date
- Thread

Relevant Pages

Re: cross-forrests trusts on routed networks with NAT
... "Rup And" wrote in message ... So you can put a trust between the 2 forest root domains of your 2 forests - ... > One forrest build on Windows2000 and one forrst build on Windows 2003 ...
(microsoft.public.windows.server.active_directory)
Re: cross-forrests trusts on routed networks with NAT
... > How do I configure DNS in the following scenario? ... > I need to establish a cross-forrest trust between a windows 2000 and ... Do you mean a normal trust relationship between any 2 domains in different ... Top level forests trusts are only available between Windows Server 2003 ...
(microsoft.public.windows.server.active_directory)
Re: Setting up a trust - easy as pie or what?
... companies merged would be useful to have authentication occur automatically ... Our domain here is in windows 2003 mode, their's is in windows 2000 mixed ... > Hmmm - "If these are separate forests, they must both be at Windows Server ... This is so if you want to create a Forest trust - ...
(microsoft.public.windows.server.general)
Re: Multiple domain 2003 and 2000
... but you can create "external Trust" ... are Windows 2003 Forests and both forests are in 2003 Functional Levels. ... please direct all replies ONLY to the Microsoft public newsgroup ...
(microsoft.public.win2000.active_directory)
RE: How to create trust relationship between Windows 2003 Server (domain controler) and Windows NT 4
... relationship between windows NT and Windows 2003 by following the ... Establish Trusts with a Windows NT-Based Domain in Windows Server ... How to Create a Trust Relationship ... Create a Two-Way Trust Relationship ...
(microsoft.public.win2000.security)