Multiple authentication servers and UPN logon

    Question

  • I've been playing around a bit with the following setup:

    2 domains with a two-way forest trust in between. Let's call them "Resources" and "Clients". Applications holds both the web application and the UAG server. Clients holds the users.

    On UAG I created two authentication servers: resources and clients.

    I've got the web application published, and it's configured for Kerberos Constrained Delegation.

    Now what I've achieved:

    • Logging on with a Resource user succeeds fine (both for the Portal and the Web App)
    • Logging on with a Clients user succeeds for the Portal but fails for the Web App
    • Logging on with a Clients user in UPN format AND selecting Resource as authentication server succeeds (both for the Portal and the Web App)

    Any idea why this happens? What I would like to achieve is Kerberos Constrained Delegation for users in the trusted forest (domain). It seems to work, but it's really odd that I have to select the Resource authentication server.


    http://setspn.blogspot.com

    Friday, July 26, 2013 10:54 AM