December 3, 2015 at 4:04 pm
Hello,
I am hoping someone can confirm a scenario I am involved in.
User from an outside domain (DomainB) connects to computer on DomainA and using IE connects to a webserver, which is a front-end to SSRS running on another server. Both webserver and SSRS servers are members of DomainA. DomainA and DomainB are in separate forests with a two-way inter-forest trust between them.
Kerberos authentication works for users in DomainA, but not for those connecting from DomainB. Is "2 hop" Kerberos authentication not working/supported across a forest trust?
Thank you very much for your time.
Igor Akkerman
December 3, 2015 at 8:34 pm
Additional info: ran Wireshark and determined that the error is "KDC_ERR_S_PRINCIPAL_UNKNOWN". Looks like the domain to which a user belongs (DomainB) doesn't know about the SPN registered in the resource domain (DomainA). So far I have not been able to register SPN in the other domain. Keep getting "Call to DsGetDcNameWithAccountW failed with return value 0x00000525".
December 4, 2015 at 3:30 am
Check out this article
_________________________________________________________________
"The problem with internet quotes is that you can't always depend on their accuracy" -Abraham Lincoln, 1864
December 4, 2015 at 9:56 am
I did, doesn't apply to our situation and the error is different - "SEC_E_WRONG_PRINCIPAL". Our issue is that the domain from the trusted forest doesn't know about the SPNs registered in the resource domain in another forest.