
There is a domain U with users and a domain R with resources. I need to run an IIS application on a machine in domain R on behalf of a specific user from domain U (this account from U is used for NTLM authentication by external web services).

I tried the following test to simulate the Prod environment: I created two independent root domain forests and created an outgoing trust relationship from domain R to domain U, but to achieve success I was forced to create an incoming trust relationship in domain U using a shared password. (On the test environment I have this possibility, but I haven't on PROD.) Below is the configuration of the outgoing trust relationship that I hoped would solve the problem, but it didn't:

This domain: R

Specified domain: U

Direction: Outgoing: Users in the specified domain can authenticate in the local domain.

Trust type: External

Transitive: No

Outgoing trust authentication level: Domain-wide authentication.

Sides of trust: Create the trust for this domain only.

Is it possible, and how, to establish a one-way outgoing trust relationship for the resources of domain R without any approvals in domain U with users? That is, domain U should not be aware of such a trust relationship. On the test environment I have the possibility to take action in the AD of domain U, but I haven't any credentials to establish a trust on PROD. I think this should be plausible: if I trust some person to do something with my resources, why should I obtain his approval? Maybe only because I create his responsibility to perform such activity.

Vlad
  • not sure if that's possible, you'll be using different authentication realms – 13dimitar Jun 09 '17 at 13:05
  • Add it to the domain? Or provide user separate non-domain credentials to connect with. – Alex Berry Jun 09 '17 at 14:27
  • Adding to the domain means policy will be applied, and I don't want to lose control. And this is a big organization: any action in the main forest will consume a couple of weeks. I need a fast solution. – Vlad Jun 11 '17 at 12:00
  • The user of the service should be from the main forest because the service invokes external services with Windows authentication. – Vlad Jun 11 '17 at 12:06

0 Answers