I've been playing around a bit with the following setup:
2 domains with a two-way forest trust in between. Let's call them "Resources" and "Clients". Applications holds both the web application and the UAG server. Clients holds the users.
On UAG I created two authentication servers: resources and clients.
I've got the web application published, and it's configured for Kerberos Constrained Delegation.
Here is what I've achieved so far:
- Logging on with a Resource user succeeds fine (both for the Portal and the Web App)
- Logging on with a Clients user succeeds for the Portal but fails for the Web App
- Logging on with a Clients user in UPN format AND selecting Resource as authentication server succeeds (both for the Portal and the Web App)
Any idea why this happens? What I would like to achieve is Kerberos Constrained Delegation for users in the trusted forest (domain). It seems to work, but it's really odd that I have to select the Resource authentication server.
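As an added diagnostic, not part of the original post and not UAG's own code: the PowerShell below checks the pieces that cross-forest KCD depends on in a setup like the one described, and then reproduces the S4U2Self step that KCD performs. The UAG computer account name, the back-end SPN, the forest DNS names and the test user are placeholders and are assumptions; replace them with your own values. It assumes the ActiveDirectory module is available and that it is run on the UAG server in the Resources forest under an account that can read both directories.

```powershell
# Added diagnostic script, not from the original post. Assumptions:
# it runs on the UAG server in the Resources forest, under an account that can
# read AD; the UAG computer account, back-end SPN, domain names and test user
# below are hypothetical placeholders to be replaced.
Import-Module ActiveDirectory

$uagAccount     = 'UAGSRV$'                     # hypothetical UAG computer account
$webAppSpn      = 'HTTP/webapp.resources.local' # hypothetical back-end web app SPN
$resourcesDns   = 'resources.local'             # hypothetical Resources forest DNS name
$clientsDns     = 'clients.local'               # hypothetical Clients forest DNS name
$trustedUserUpn = "jdoe@$clientsDns"            # hypothetical user in the Clients forest

# 1. The trust must be a two-way, forest-transitive trust for UPN suffix routing to work.
$trust = Get-ADTrust -Filter { Name -eq $clientsDns } -Server $resourcesDns
if (-not $trust) { throw "No trust to $clientsDns found in $resourcesDns" }
"Trust: Direction={0} ForestTransitive={1}" -f $trust.Direction, $trust.ForestTransitive

# 2. KCD with protocol transition ("use any authentication protocol") requires both
#    TrustedToAuthForDelegation and the back-end SPN in msDS-AllowedToDelegateTo
#    on the account that runs the UAG front end.
$acct = Get-ADComputer -Identity $uagAccount -Server $resourcesDns `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
"Protocol transition enabled: {0}" -f $acct.TrustedToAuthForDelegation
$targets = @($acct.'msDS-AllowedToDelegateTo')
if ($targets -notcontains $webAppSpn) {
    Write-Warning "$uagAccount is not allowed to delegate to $webAppSpn (has: $($targets -join ', '))"
}

# 3. The back-end SPN must be registered on exactly one account in the Resources forest.
$spnOwners = @(Get-ADObject -Filter { servicePrincipalName -eq $webAppSpn } -Server $resourcesDns)
"SPN $webAppSpn is registered on {0} account(s): {1}" -f $spnOwners.Count, ($spnOwners.Name -join ', ')

# 4. The front end only has a user name to hand to the KDC; confirm the trusted-forest
#    user exists under the UPN you expect UAG to use.
$user = Get-ADUser -Filter { UserPrincipalName -eq $trustedUserUpn } -Server $clientsDns
if (-not $user) { Write-Warning "No user with UPN $trustedUserUpn in $clientsDns" }
else { "Resolved {0} -> {1}" -f $trustedUserUpn, $user.DistinguishedName }

# 5. Reproduce the first half of KCD: an S4U2Self logon by UPN. The
#    WindowsIdentity(string) constructor performs exactly this; it throws when the
#    Resources KDC cannot route the UPN suffix over the trust or the calling
#    account is not trusted for protocol transition.
try {
    $id = New-Object System.Security.Principal.WindowsIdentity($trustedUserUpn)
    "S4U2Self OK: {0} (impersonation level {1})" -f $id.Name, $id.ImpersonationLevel
} catch {
    Write-Warning "S4U2Self for $trustedUserUpn failed: $($_.Exception.Message)"
}
```

Step 5 is the one worth comparing against the symptoms above: running it with the bare account name, with `DOMAIN\user`, and with the full UPN shows which name forms the Resources KDC can actually turn into a ticket for a Clients user. If only the UPN form succeeds, that is consistent with the observation that the Web App works when the user logs on in UPN format, and points at the name UAG hands to S4U2Self rather than at the delegation settings themselves.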