Hi all,
Is there any relation between an FQDN that is used in an SPN and suffix routing that might be configured between two forests using the same 'domain' suffix as was used in the FQDN on the SPN?
Forest trust between forestA.com and ForestB.com; ForestB.com will get a suffix registered for company.com and suffix routing will be enabled. (New users are created in ForestB with the UPN suffix @company.com.)
However, in forestA.com there are e.g. resources with constrained delegation via service accounts that use an SPN like HTTP\server.company.com, which exist for services (e.g. webserver) in ForestA only.
For all I know, that last SPN part will be like an FQDN, or is this involved in the suffix routing as well?
The whole Kerberos ticketing would be based on http/server.company.com@forestA.com and would therefore not be routed to ForestB.com? Or am I missing something?
TIA