Hi all,
just a small update on my further tests: as soon as you have set up a bi-directional trust between the bastion and the resource forest and additionally granted the users the "allow2authenticate" right on the computer objects in the target forest (also necessary if forest-wide authentication instead of selective authentication is activated in the target forest), the interactive logon to the target servers in the resource forest works.
The allow2authenticate rights can at least also be granted to the user via a shadow principal in the bastion.
The problem with this is that you do not want a bi-directional trust to your bastion forest (even if it is secured with selective authentication on the bastion side).
The only question that remains is whether this setup increases the security of the ESAE by using the authentication policies and Kerberos Armoring from the bastion forest, or whether it reduces the security by requiring the bi-directional trust to the bastion forest (even with selective authentication).
KiliMuc
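To see the two conditions from the post above on your own domain (trust direction and selective authentication toward the bastion forest, and who actually holds Allowed-To-Authenticate on a resource-forest computer object), here is an added audit script; it is not from the thread, it assumes the RSAT ActiveDirectory module running in the resource forest, and the bastion forest name and server name are placeholders.

```powershell
# Added audit example (not from the thread). Assumes the ActiveDirectory RSAT module
# and read access to trust and computer objects in the resource forest.
Import-Module ActiveDirectory

$BastionForest = 'bastion.example'   # placeholder: DNS name of your ESAE/bastion forest
$TargetServer  = 'SRV01'             # placeholder: a server in the resource forest

# Well-known rights GUID of the "Allowed to Authenticate" extended right
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-BastionTrustFindings {
    param([string]$Bastion)
    foreach ($t in Get-ADTrust -Filter * -Properties Direction, SelectiveAuthentication) {
        if ($t.Target -notlike "*$Bastion*") { continue }
        [pscustomobject]@{
            Trust                   = $t.Name
            Direction               = $t.Direction
            SelectiveAuthentication = $t.SelectiveAuthentication
            # The thread's concern: a two-way trust toward the bastion, and forest-wide
            # (non-selective) authentication, both widen the bastion's exposure.
            Finding = $(if ($t.Direction -eq 'BiDirectional' -and -not $t.SelectiveAuthentication) {
                            'bi-directional, forest-wide authentication' }
                        elseif ($t.Direction -eq 'BiDirectional') {
                            'bi-directional (selective authentication on this side)' }
                        else { 'ok: one-way trust' })
        }
    }
}

function Get-AllowedToAuthenticateGrants {
    param([string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -eq $AllowedToAuthenticate -or
            # Blanket ACEs (all extended rights / full control) confer the right as well
            ($_.ObjectType -eq [guid]::Empty -and
             $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

Get-BastionTrustFindings -Bastion $BastionForest | Format-Table -AutoSize
Get-AllowedToAuthenticateGrants -ComputerName $TargetServer | Format-Table -AutoSize
```

Grants made through a shadow principal in the bastion show up under the shadow principal's SID or name in the IdentityReference column, which is the list to review before widening the trust.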
Thanks for the hint regarding the interactive logon. Using administrative tools directly without interactive logon from servers in the bastion is working without the bi-directional trust.
Henry