ADFS WAP Cross Domain constrained delegation

Peter Holland



I have an interesting scenario and i'm not entirely sure on whether this will actually work or not, my current theory is not.

Also, apologies if this isnt the correct community for WAP discussion, couldnt see anywhere else appropriate


WAP and ADFS in Domain A in Forest 1, users in Domain B in Forest 2, however there is a direct domain trust rather than a forest trust.


Can you do KCD cross domain, to another forest, without a forest trust?


Reading through the documentation for WAP KCD everything states forest trust, reading through the documentation for S4u2Proxy it seems like it maybe should work, but is a little wooly about the path of the kerberos token and the flow of trust.


Any input appreciated, especially if it comes before i have to lab it.





Related Conversations
ADFS 2016 & Multiple MFA providers
Chris Kincaid in Identity & Authentication on
0 Replies
ADFS 2016, Exchange Online, Office 365.
Robert Bollinger in Office 365 on
3 Replies
Multiple email addresses
MikeInTokyo in Office 365 on
1 Replies
EFS Files On domain Profile windows 10
Justn in Windows 10 on
2 Replies
Tenant/domain best practices for nonprofil with School
Jonas Back in Education on
1 Replies