Tuesday, February 12, 2013 3:30 AM
OK, so I've got a SP2007SP3 server running in a DMZ (belonging to the DMZ AD) with SSRS2008R2SP2 installed in integrated mode, locally on the same server.
There's a one-way trust between the LAN AD and DMZ AD (DMZ trusts LAN) at the forest level and when using IE in the DMZ I can log in to SP and view reports as either LAN or DMZ users (so at least within the DMZ Kerberos is working from SP to SSRS to SSAS, even for users that are not in the same AD forest as SP/SSRS/SSAS).
However, to publish to both internal staff (LAN AD accounts) and external clients (DMZ AD accounts), there's a UAG server in front of it, but I can't seem to get Kerberos working through UAG. UAG belongs to the LAN AD and I can quite happily log in to UAG with either LAN or DMZ credentials and happily access SP. However, when I go to view a report, it fails and the HTTP log for SSRS shows that it's the anonymous user that's connecting, which suggests that UAG isn't using Kerberos to log the user into SP.
I've seen conflicting info about UAG, AD and cross-forest Kerberos and this article (http://technet.microsoft.com/en-us/library/ee690462.aspx) seems to suggest that the users, UAG and the back-end services (in this case SP and SSRS) must all be in the same domain, which seems somewhat limiting.
I've tried setting the "Use Kerberos constrained delegation for single sign-on" (as per the article above), but regardless of what I set the SPN to, it fails to authenticate at all with SP.
Has anyone got this kind of configuration working?
I've seen references to similar situations, but answers haven't always been forthcoming (or relevant to my situation).
- Edited by Craig Humphrey Tuesday, February 12, 2013 3:32 AM spelling
Wednesday, March 20, 2013 10:20 PM
Turns out, there's no trick. UAG2010 doesn't support cross-forest Kerberos. You have to use two UAG servers, publishing on different URLs to different audiences.
Pity those that have more than two AD forests...
- Marked As Answer by Craig Humphrey Wednesday, March 20, 2013 10:20 PM