Configuring IIS for cross-forest kerberos authentication

Question

In my environment I have two separate forests FA.COM and FB.COM and two child domains DA.FA.COM and DB.FB.com. There is no forest trust but two-way external trust between DA.FA.COM and DB.FB.com.

I have an IIS server (IIS8.5 on Windows 2012r2) in DB.FB.com and I followed the instructions here https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/ to configure Kerberos SSO for a static website in the IIS server and got it working for clients accessing from DB.FB.COM.

However I need to extend the access to allow users from DA.FA.COM logging into their client machines (also in DA.FA.COM) to access the static website (in DB.FB.COM) via Kerberos. Currently users and clients from DA.FA.COM are able to SSO but via NTLM instead of kerberos. (Note: I verify whether the SSO is working via Kerberos or NTLM by using both Fiddler and Klist to check)

My question is, if I gotten kerberos sso to work within that domain DB.FB.COM, do I need any further configurations on the IIS server to support cross-forest kerberos or is it a matter of configurations between the domain controllers in DA.FA.COM and DB.FB.com to support cross-forest kerberos?

Answer 1

This probably requires configuring the "Use forest search order" Group Policy under Computer Configuration > Adminitrive Templates > System > <Kerberos or KDC> on FA.COM with a value of FB.COM.

If I change the Kerberos one locally I am able to connect to a SQL Server instance in a different forest via Kerberos. Which I can easily test with SELECT CAST(CONNECTIONPROPERTY('auth_scheme') AS NVARCHAR(MAX)) AS auth_scheme.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh921473(v=ws.10) is where you can find more extensinve documentation.

Hopefully this is still useful to someone.