
How are the clients authenticating? - Ken Schaefer

Saturday, May 03, 2008 4:04 AM

How are the clients authenticating?

If using Kerberos, then if you have an external trust, Kerberos referrals
will not work cross-Forest - you need to use a Forest trust instead.

Cheers
Ken
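One way to answer that question from the server side is to look at the `Authorization` header the browser sends and see whether it carries an NTLM message or a Kerberos ticket. The Python below is an added example, not code from this thread; it is a byte-pattern heuristic rather than a full SPNEGO parser, and the function names and sample tokens are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature
# DER-encoded Kerberos mechanism OIDs that appear in SPNEGO tokens
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
)
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_authorization(header_value):
    """Return (scheme, mechanism, detail) for an HTTP Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return (scheme, "unknown", None)
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return (scheme, "malformed", None)
    # Check for NTLM first: a Negotiate token can list the Kerberos OID as an
    # offered mechanism while the token it actually carries is NTLM.
    pos = token.find(NTLM_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return (scheme, "ntlm", NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    # An initial SPNEGO/GSS-API token starts with the 0x60 application tag.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return (scheme, "kerberos", None)
    return (scheme, "unknown", None)

def make_header(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode()

# Constructed sample tokens with a simplified layout (not captured traffic).
ntlm_type1 = NTLM_SIG + struct.pack("<II", 1, 0xE2088297)
ntlm_type3 = NTLM_SIG + struct.pack("<I", 3) + b"\x00" * 52
krb_spnego = (b"\x60\x82\x05\x00" + SPNEGO_OID + KRB5_OIDS[1] + KRB5_OIDS[0]
              + NTLM_OID + b"\x60\x82\x04\x00" + KRB5_OIDS[0] + b"\x01\x00")
ntlm_in_spnego = b"\x60\x40" + SPNEGO_OID + KRB5_OIDS[0] + NTLM_OID + ntlm_type1

if __name__ == "__main__":
    for name, raw in [("raw NTLM", ntlm_type1), ("Kerberos", krb_spnego),
                      ("NTLM inside Negotiate", ntlm_in_spnego)]:
        print(name, "->", classify_authorization(make_header("Negotiate", raw)))
```
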
 

Can IIS authenticate users from external AD forests? - Deane

Saturday, May 03, 2008 8:41 PM

My client has three AD forests, each with external trusts to the
others.

He has an IIS Web server in Forest A, which contains Domains A and B.
We have revoked anonymous access to this server, as we need to match
inbound requests with AD users. This is working fine for Domains A and
B (those in the same forest) -- they can authenticate to the Web
server, access files, and the request comes in under their personal AD
accounts.

However, users in Forest B (which contains Domain C) and Forest C
(which contains Domain D) cannot authenticate to this IIS server. They
are prompted for credentials which are never accepted.

It's not an NTFS problem -- we have ensured these users have
file-level permissions to all the files of the Web site.

So, the question is: can an IIS Web server authenticate users from
different AD Forests? If so, is there some magic setting to allow this
that I'm not aware of?