I've been playing around a bit with the following setup:
2 domains with a two-way forest trust in between. Let's call them "Resources" and "Clients". Applications holds both the web application and the UAG server. Clients holds the users.
On UAG I created two authentication servers: resources and clients.
I've got the web application published, and it's configured for Kerberos Constrained Delegation.
Now what I've achieved:
Logging on with a Resource user succeeds fine (both for the Portal and the Web App)
Logging on with a Clients user succeeds for the Portal but fails for the Web App
Logging on with a Clients user in UPN format AND selecting Resource as authentication server succeeds (both for the Portal and the Web App)
Any idea why this happens? What I would like to achieve is Kerberos Constrained Delegation for users in the trusted forest (domain). It seems to work, but it's really odd that I have to select the Resource authentication server.