
Can IIS authenticate users from external AD forests?

Asked By Deane
03-May-08 08:41 PM
My client has three AD forests, each with external trusts to the
others.

He has an IIS Web server in Forest A, which contains Domains A and B.
We have revoked anonymous access to this server, as we need to match
inbound requests with AD users. This is working fine for Domains A and
B (those in the same forest) -- they can authenticate to the Web
server, access files, and the request comes in under their personal AD
accounts.

However, users in Forest B (which contains Domain C) and Forest C
(which contains Domain D) cannot authenticate to this IIS server. They
are prompted for credentials which are never accepted.

It's not an NTFS problem -- we have ensured these users have file-
level permissions to all the files of the Web site.

So, the question is: can an IIS Web server authenticate users from
different AD Forests? If so, is there some magic setting to allow this
that I'm not aware of?

How are the clients authenticating?

Asked By Ken Schaefer
03-May-08 04:04 AM
How are the clients authenticating?

If using Kerberos, then if you have an external trust, Kerberos referrals
will not work cross-Forest - you need to use a Forest trust instead.

Cheers
Ken
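
An added example (not part of the original thread and not from either poster): a PowerShell function that classifies trusts as intra-forest, forest or external from their `trustAttributes` bit flags, which is the distinction the reply above turns on. The function name `Get-TrustKind` is hypothetical, the domain names and attribute values in `$sample` are constructed, and realm (non-Windows) trusts are not handled.

```powershell
# trustAttributes bit flags as defined for the AD trustedDomain object (MS-ADTS).
$TA_QUARANTINED       = 0x04   # SID filtering (quarantine) enabled
$TA_FOREST_TRANSITIVE = 0x08   # set only on forest trusts
$TA_WITHIN_FOREST     = 0x20   # parent-child or shortcut trust inside one forest

function Get-TrustKind {
    # Hypothetical helper: accepts any object with Name and TrustAttributes,
    # which includes the objects returned by Get-ADTrust.
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        $attrs = [int]$Trust.TrustAttributes
        $kind = if     ($attrs -band $TA_WITHIN_FOREST)     { 'IntraForest' }
                elseif ($attrs -band $TA_FOREST_TRANSITIVE) { 'Forest' }
                else                                        { 'External' }
        # Per the reply above: Kerberos referrals do not cross an external
        # trust, so those partners need a forest trust instead.
        $note = switch ($kind) {
            'IntraForest' { 'same forest, Kerberos referrals work' }
            'Forest'      { 'forest trust, cross-forest referrals work' }
            'External'    { 'external trust, no cross-forest referrals' }
        }
        [pscustomobject]@{
            Name         = $Trust.Name
            Kind         = $kind
            SidFiltering = [bool]($attrs -band $TA_QUARANTINED)
            Kerberos     = $note
        }
    }
}

# Constructed sample input mirroring the layout in the question:
# one trust inside Forest A, one external trust, and one forest trust for contrast.
$sample = @(
    [pscustomobject]@{ Name = 'domainb.foresta.example'; TrustAttributes = 0x20 }
    [pscustomobject]@{ Name = 'domainc.forestb.example'; TrustAttributes = 0x04 }
    [pscustomobject]@{ Name = 'domaind.forestc.example'; TrustAttributes = 0x08 }
)
$sample | Get-TrustKind | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADTrust -Filter * | Get-TrustKind
```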