IE uses NTLM instead of Kerberos in a cross domain scenario

We have an ASP.NET web application (client = Silverlight) that is accessing resources on other servers (double hop). Resources are: SharePoint-Lists and files on a file server. The server application is accessing these resources with current user credentials (Kerberos delegation).

If the user is logged into the domain of the resource servers, all is fine.
But now the users have to move to a new domain. All servers will stay in resource domain.

Users logged into the new domain get errors because access to resources in resource domain is denied.

In IE, Integrated authentication is active. The site has been added to the "trusted sites" zone.

To analyze the problem, I made a network analyzer recording:
1. IE asks the domain controller in the new domain for a Kerberos ticket for the web server (resource domain).
2. The domain controller (new domain) returns the error "Principal Unknown" (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN).
3. IE authenticates via NTLM to the web server (resource domain).

According to Ken Schaefer's blog the domain controller should not return "principal unknown", it should return a referral to the other domain controller (resource domain).

I asked the network admin to check if name suffix routing for *.resourcedomain is active in the trust settings of new domain. He answered that name suffix routing is only necessary for forest trusts but we have only a domain trust.

Can anybody help me to get Kerberos authentication running in this cross domain scenario?
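The checks below are an added diagnostic script, not part of the original post and not a fix supplied by the poster or Microsoft. It walks the points the trace raises in order: the type of trust between the logon domain and the resource domain (an external domain trust is not forest-transitive, and name-suffix routing is a forest-trust feature), whether an HTTP/ SPN for the site host name is registered at all, whether the client actually holds a Kerberos service ticket after a request, and which authentication package the IIS box recorded in its 4624 logon events. Host and domain names are placeholders; it assumes the RSAT ActiveDirectory module, the built-in `klist.exe` and `setspn.exe`, and read access to the web server's Security log.

```powershell
# Added diagnostic example (not from the original post). Placeholders: replace
# $WebServerFqdn and $ResourceDomain with the real names. Assumes RSAT ActiveDirectory
# module, klist.exe, setspn.exe and remote read access to the IIS server's Security log.
param(
    [string]$WebServerFqdn  = 'webserver.resourcedomain.example',   # placeholder
    [string]$ResourceDomain = 'resourcedomain.example'              # placeholder
)

# 1. Trust between the user's logon domain and the resource domain.
#    ForestTransitive = False means an external (domain) trust: no forest-wide
#    name-suffix routing, so the KDC must know the target realm by other means.
function Get-ResourceTrust {
    param([string]$Domain)
    Get-ADTrust -Filter "Target -eq '$Domain'" |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest
}

# 2. Is an SPN registered for the site host name? If no account in the resource
#    domain holds HTTP/<fqdn>, its KDC also answers S_PRINCIPAL_UNKNOWN and the
#    browser has nothing to ask for even when the referral works.
function Test-HttpSpn {
    param([string]$Fqdn)
    $out = & setspn.exe -Q "HTTP/$Fqdn" 2>&1
    [pscustomobject]@{
        Spn        = "HTTP/$Fqdn"
        Registered = ($out -match '^Existing SPN found').Count -gt 0
        Raw        = $out -join "`n"
    }
}

# 3. Client side: purge the ticket cache, hit the site with the logged-on user's
#    credentials, then look for an HTTP/ service ticket. Its absence after a
#    successful request is the NTLM fallback seen in the trace.
function Test-ClientKerberosTicket {
    param([string]$Fqdn)
    & klist.exe purge | Out-Null
    try {
        Invoke-WebRequest -Uri "https://$Fqdn/" -UseDefaultCredentials -UseBasicParsing | Out-Null
    } catch {
        Write-Warning "Request to $Fqdn failed: $($_.Exception.Message)"
    }
    $cache = & klist.exe
    [pscustomobject]@{
        Target            = $Fqdn
        HasServiceTicket  = ($cache -match "HTTP/$Fqdn").Count -gt 0
        TicketCacheLines  = ($cache -match 'Server:') -join "`n"
    }
}

# 4. Server side: event 4624 on the IIS host records AuthenticationPackageName
#    ('Kerberos' or 'NTLM') for every network logon (LogonType 3), which is the
#    ground truth for what the browser actually negotiated.
function Get-IisLogonPackages {
    param([string]$Server, [int]$Count = 100)
    Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Count |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Package   = $d.AuthenticationPackageName
                LogonType = $d.LogonType
                Client    = $d.IpAddress
            }
        } | Where-Object { $_.LogonType -eq '3' }
}

Get-ResourceTrust -Domain $ResourceDomain          | Format-List
Test-HttpSpn -Fqdn $WebServerFqdn                  | Format-List
Test-ClientKerberosTicket -Fqdn $WebServerFqdn     | Format-List
Get-IisLogonPackages -Server $WebServerFqdn |
    Group-Object User, Package | Select-Object Count, Name | Format-Table -AutoSize
```

Run it as a user logged on to the new domain, from a workstation with the site in the trusted sites zone. Reading the four results together separates the two failure modes the trace cannot distinguish on its own: a missing HTTP/ SPN (step 2) versus a KDC in the logon domain that cannot route the request to the resource realm (step 1 plus step 3), and step 4 shows whether the fallback is limited to cross-domain users or affects everyone.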
