Unable to delegate a service account present in AD Domain A to the service account present in AD Domain B

  • Question

  • Hi All,

    We are doing Kerberos authentication to a SharePoint application through ADFS. In ADFS, the SharePoint application acts as a relying party trust. When we access the application, it prompts for user credentials again and again. We found that we have to delegate the trust to the SharePoint service account from the service account under which ADFS is running. Below is the structure of our environment.

    1. The ADFS server and related service accounts (ADFSServiceAccount) are present in AD A in forest A1.

    2. The SP application AD and its service account (SPServiceAccount) are present in AD B in forest B1.

    Now I want to delegate "ADFSServiceAccount" to SPServiceAccount. But for the ADFSServiceAccount user, in the Delegation tab, when I try to select "Trust this user to delegate specified services only" and add B\SPServiceAccount, I am unable to find this AD B account (B\SPServiceAccount). How can I achieve this?

    Is it possible to delegate to accounts that are present in a different forest and a different domain?

    Thanks

    Prasanthi

    Thursday, December 22, 2016 10:51 AM

All replies

  • What trusts are set up between the forests? Also, enabling 'Account is sensitive and cannot be delegated' ensures that an account's credentials cannot be forwarded to other computers or services on the network by a trusted application. So if that is the case, uncheck that setting and try.

    Thursday, December 22, 2016 1:44 PM
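Before touching the Delegation tab it helps to see exactly how the front-end account is currently configured, since the thread mixes up three different settings (unconstrained delegation, constrained delegation, and the "sensitive" flag mentioned above). The following PowerShell audit is an added example, not code from the thread; `ADFSServiceAccount` and the `-Server` value are placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: report the Kerberos delegation settings of a service account.
# Account and DC names are placeholders; adjust for your own domain.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Server = $null   # DC of the domain that holds the account, e.g. 'dc01.a.example'
    )
    $props   = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'
    $getArgs = @{ Identity = $SamAccountName; Properties = $props }
    if ($Server) { $getArgs.Server = $Server }
    $acct = Get-ADUser @getArgs

    # userAccountControl bits that govern delegation (documented Microsoft values)
    $TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: "Trust this user for delegation to any service"
    $NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with "Use any authentication protocol"
    $uac = [int]$acct.userAccountControl

    # Classic constrained delegation stores the allowed back-end SPNs on the front-end account.
    # The Delegation tab only offers services from the account's own forest, which is why a
    # cross-forest account such as B\SPServiceAccount never shows up in the picker.
    $targets = @($acct.'msDS-AllowedToDelegateTo')

    [pscustomobject]@{
        Account               = $acct.SamAccountName
        OwnSPNs               = @($acct.servicePrincipalName)
        Unconstrained         = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        SensitiveNotDelegated = [bool]($uac -band $NOT_DELEGATED)
        ProtocolTransition    = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        ConstrainedTargets    = $targets
        # Hosts named in the target SPNs (service/host[:port]); all should resolve in this forest.
        TargetHosts           = @($targets | ForEach-Object { ($_ -split '/')[1] -replace ':\d+$', '' } |
                                  Sort-Object -Unique)
    }
}

# Inspect the ADFS service account from the thread (placeholder name).
Get-DelegationReport -SamAccountName 'ADFSServiceAccount' | Format-List
```

An account with `Unconstrained` set to True deserves a second look regardless of the SSO problem, since any service ticket it receives can be reused against any other service; constrained targets keep that exposure to the listed SPNs.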
  • Hi Prasanthi,

    Kerberos delegation is not required between the ADFS server and the SharePoint service account. Kerberos delegation (what you are trying to configure) is only required when you are doing Kerberos authentication against a front-end service and the Kerberos credential is being passed to the back-end service (SQL).

    Please follow the instructions here https://technet.microsoft.com/en-us/library/hh305235.aspx to configure SharePoint claims based authentication with ADFS.

    Good Luck!

    Shane

    Thursday, December 22, 2016 3:44 PM
  • I agree with Shane.

    The scenario isn't clear. Are you publishing SharePoint as a claims-aware application or as a non-claims-aware application?

    Note: Posts are provided "AS IS" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, December 24, 2016 12:31 PM
  • Hi,

    We have a tricky solution for achieving ADFS SSO. Here are the details.

    1. We have a front-end application called LiferayPortal. Users in Forest B --> Domain BA log in to the portal and can click on the SP (SharePoint) application, which is present in Forest B --> Domain BB.

    2. ADFS servers are present in Forest A --> Domain AA.

    3. When the user clicks on the SP application, it passes the SAML token from the Liferay portal to ADFS and from ADFS to the SP application (we configured LiferayPortal as a claims provider and the SP application as a relying party trust).

    Now we are going to delegate the ADFS service account to the SP application service account, for delegating the Kerberos ticket to the SP application service account. Is it possible to delegate to a user account which is present in a different forest?

    Thanks

    Prasanthi

    Wednesday, December 28, 2016 9:11 AM
  • Need to confirm things here... because the forest/domain question is somewhat irrelevant in the federation world. It is relevant in the ADDS world though.

    As long as there is an AD trust, you can authenticate users in ADFS.

    As long as you can authenticate a user, you can deliver a token.

    That should be the end of the story. UNLESS :) you are using some non-claims-aware application in the equation. And then there are other parameters to consider. But you don't mention this...

    So let's try to dig into it.

    1. Is there a trust between Forest A and Forest B?
    2. Where are the users?
    3. Where is the ADFS service account sitting?
    4. Are you using WAP servers?
    5. Is LiferayPortal a Windows Integrated application or a claims-based application?
    6. Is LiferayPortal a Relying Party Trust in ADFS?
    7. Is SharePoint a Relying Party Trust in ADFS?
    8. Is AD your only Claims Provider Trust for these applications?
    9. What makes you think that you should do something with Kerberos delegation?

    Thursday, December 29, 2016 11:11 AM
  • Update?

    Saturday, January 7, 2017 6:41 PM