Many of you will have deployed an Internet-facing MOSS 2007 farm across two domains: a less-trusted Extranet domain and an Intranet domain. The trust between them is usually an external one-way trust, as shown in the figure below. The idea is to keep the MOSS 2007 farm secure by preventing an attacker who reaches the Extranet from making calls into the Intranet.
In terms of authentication this works well for NTLM, but it does not work for Kerberos. To run Kerberos in this farm, a two-way forest trust is required so that delegation can be exchanged between the two domains (Extranet and Intranet).
We hit exactly this situation. The farm above worked well with NTLM, but when we switched to Kerberos, requests failed with "The request failed with HTTP status 401: Unauthorized". In the network traces (NETMON) we saw a lot of HTTP, KERB and NTLM/NLMP/SPNEGO authorization exchanges, so we forced the web site to Kerberos with cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "Negotiate" (note that Negotiate only prefers Kerberos; a client that cannot obtain a ticket still falls back to NTLM inside SPNEGO). Still no luck.
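Before reading network traces, it is worth checking what the WFE itself recorded. The following script is an added example, not code from the original post: on a WFE running Windows Server 2008 it reads the Security log for the last hour and groups network logons (successful 4624 and failed 4625) by the authentication package that was actually negotiated. If the Extranet accounts only ever appear as NTLM, or only as failures, the 401 is an SPNEGO/Kerberos fallback problem rather than a permissions problem. It assumes PowerShell 2.0, Get-WinEvent, and rights to read the Security log.

```powershell
# Added example (not from the original post): summarise network logons on a
# MOSS 2007 WFE by authentication package (Kerberos vs NTLM) and by domain.
# Assumes Windows Server 2008 (event IDs 4624/4625), PowerShell 2.0 and
# permission to read the Security log.
param([int]$Hours = 1)

$ms = $Hours * 3600 * 1000
# LogonType 3 = network logon, which is what IIS records for browser requests.
$xpath = "*[System[(EventID=4624 or EventID=4625) and " +
         "TimeCreated[timediff(@SystemTime) <= $ms]] and " +
         "EventData[Data[@Name='LogonType']='3']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

# Pull one named field out of the event's EventData XML.
function Get-EventField {
    param($Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

$rows = foreach ($e in $events) {
    if ($e.Id -eq 4624) { $result = 'Success' } else { $result = 'Failure' }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Result  = $result
        Package = Get-EventField $e 'AuthenticationPackageName'   # "Kerberos" or "NTLM"
        Account = Get-EventField $e 'TargetUserName'
        Domain  = Get-EventField $e 'TargetDomainName'
        Client  = Get-EventField $e 'IpAddress'
        Status  = Get-EventField $e 'Status'                      # NTSTATUS, only on 4625
    }
}

"Logons in the last $Hours hour(s) by result and package:"
$rows | Group-Object Result, Package | Select-Object Name, Count | Format-Table -AutoSize

# In the two-domain farm the Extranet accounts are the ones that show up as
# NTLM (or as failures) when the trust toward their domain is one-way.
"Logons by account domain and package:"
$rows | Group-Object Domain, Package | Select-Object Name, Count | Format-Table -AutoSize

# Failures with their NTSTATUS, most recent first.
$rows | Where-Object { $_.Result -eq 'Failure' } |
    Sort-Object Time -Descending |
    Select-Object Time, Domain, Account, Package, Status, Client |
    Format-Table -AutoSize
```

Run it on each WFE while a test user from the Extranet domain browses the site; a healthy Kerberos setup shows that user's logons as Success/Kerberos. On Windows Server 2003 the equivalent events are 540 (success) and 529/537 (failure) in the classic event log, and the package name has to be read from the event description text instead.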
Finally we found that the HTTP responses coming back from the SQL back-end server to the WFEs were empty SOAP messages. We then temporarily removed the two WFEs and pointed the DNS entry at the Central Administration server, which effectively took the Extranet domain out of the farm. This time we could see the SOAP response coming from SQL Server to the Central Administration MOSS server. We checked with Microsoft Support, but they would not give a firm answer on whether a two-way forest trust is mandatory between the Extranet and Intranet domains; they only said that a two-way trust between the two domains may or may not be required for a SharePoint implementation.
Digging into MSDN on this issue, we found the following article, http://msdn.microsoft.com/en-us/library/ee384252.aspx, which states:
• If the customer has more than one domain, verify that the SharePoint and Reporting Services service accounts and the user accounts accessing SharePoint are in domains that have a two-way trust between them. If there is only a one-way trust, there will be problems authenticating users and resources from both domains.
So Microsoft's own guidance is that a two-way trust is required between the Extranet and Intranet domains for Kerberos to work in a MOSS 2007 environment; in our farm that meant replacing the one-way external trust with a two-way forest trust. Keep this in mind when you design an Internet-facing MOSS 2007 farm with Kerberos.
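To verify the trust you actually have before you start a Kerberos rollout, the following script is an added example, not code from the original post: run from the Intranet domain, it lists every trust of that domain and its forest and flags whether the trust toward the Extranet domain is the bidirectional forest trust discussed above. It uses System.DirectoryServices.ActiveDirectory from .NET 2.0, so it works on Windows Server 2003/2008 without the ActiveDirectory module; the partner name "extranet.example.com" is an assumed placeholder.

```powershell
# Added example (not from the original post): enumerate trusts of the current
# domain and forest and flag whether the trust toward the Extranet domain is a
# two-way (bidirectional) forest trust. Assumes PowerShell 2.0 and .NET 2.0.
# "extranet.example.com" is an assumed placeholder for the real Extranet domain.
param([string]$PartnerDomain = "extranet.example.com")

Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Domain trusts (external, shortcut, parent/child) and forest trusts come from
# different calls; a forest trust on the root domain can appear in both, so
# deduplicate on target/type/direction.
$seen   = @{}
$trusts = @()
foreach ($t in @($domain.GetAllTrustRelationships()) + @($forest.GetAllTrustRelationships())) {
    $key = "{0}|{1}|{2}" -f $t.TargetName, $t.TrustType, $t.TrustDirection
    if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $trusts += $t }
}

$forestType = [System.DirectoryServices.ActiveDirectory.TrustType]::Forest
$bothWays   = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional

$report = foreach ($t in $trusts) {
    New-Object PSObject -Property @{
        Source        = $t.SourceName
        Target        = $t.TargetName
        Type          = $t.TrustType        # External, Forest, Shortcut, ParentChild, ...
        Direction     = $t.TrustDirection   # Inbound, Outbound, Bidirectional
        KerberosReady = (($t.TrustType -eq $forestType) -and ($t.TrustDirection -eq $bothWays))
    }
}

$report | Format-Table Source, Target, Type, Direction, KerberosReady -AutoSize

$partner = @($report | Where-Object { $_.Target -eq $PartnerDomain })
if ($partner.Count -eq 0) {
    Write-Warning "No trust found from $($domain.Name) toward $PartnerDomain."
} elseif (-not ($partner | Where-Object { $_.KerberosReady })) {
    Write-Warning ("Trust toward {0} is {1}/{2}; Kerberos across the farm needs Forest/Bidirectional." -f
        $PartnerDomain, $partner[0].Type, $partner[0].Direction)
} else {
    "Trust toward $PartnerDomain is a two-way forest trust."
}
```

The one-way external trust described at the top of the post shows up here as Type External with Direction Inbound or Outbound, which is exactly the combination the script warns about. Run it again from the Extranet side to confirm the trust is visible as bidirectional from both domains.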
Hope this helps!