I am working with the following scenario - cross forest dual hop Kerberos authentication to SQL SSRS.
There is a two-way forest trust between the forests. A user in Forest A is logging in to a computer in Forest B. From that computer, the Forest A user is browsing to a web server (middle tier) which is delegated to impersonate this user to the back-end SQL reporting services machine. All resources are in Forest B.
What we are seeing is that Kerberos authentication works for users in Forest B, but not in Forest A. Wireshark shows this error:
KDC_ERR_S_PRINCIPAL_UNKNOWN
It looks like the domain in Forest A cannot determine the SPN records registered in Forest B, and I cannot figure out if this is supported across a forest trust in 2008 R2. Can someone kindly point me in the right direction?
Thank you.