ADFS WAP Cross Domain constrained delegation

Peter Holland



I have an interesting scenario and I'm not entirely sure whether this will actually work or not; my current theory is not.

Also, apologies if this isn't the correct community for WAP discussion, couldn't see anywhere else appropriate.


WAP and ADFS in Domain A in Forest 1, users in Domain B in Forest 2, however there is a direct domain trust rather than a forest trust.


Can you do KCD cross domain, to another forest, without a forest trust?


Reading through the documentation for WAP KCD, everything states forest trust. Reading through the documentation for S4U2Proxy, it seems like it maybe should work, but it is a little woolly about the path of the Kerberos token and the flow of trust.


