I have two Windows 2003 security domains/forests, A and B, both controlled by different teams within my company. They are separated by a dual-homed ISA Server 2006, which is a member of domain A.
We have published a web site in domain B, which requires integrated authentication. However, the web server does not have access to the DC from domain A, and so cannot authenticate the users from domain A. There is a user account in domain B that has been created to be used by the ISA Server. [Please trust me, there are reasons for all of this!]
What we wish to do is manage access to the web site through a web publishing rule on the ISA Server. ISA would log and control access to the site from domain A, but then use the special ISA account to access the web site. Meanwhile, users from domain B would access the site as normal using their local credentials.
All sounds very straightforward.
However, the Authentication Delegation options in the web publishing rule do not allow you to implement this scenario. Either the credentials are forwarded through delegation (which requires trust between the domains), or they are not, in which case a site requiring authentication would fail.
It is frustrating, because in a web chaining rule, it is possible to specify the credentials that you want to pass on to the next node in the chain.
Does anyone have any experience of trying to implement a scenario like this, or have any suggestions of how I may achieve it?

Thank you for your reply. You have understood the scenario perfectly.
Your suggestion is a good one, and is indeed how we are doing it at the moment (second site with anonymous access limited by IP).
Exactly what I would like is an option in Authentication Delegation, saying "Always use these credentials". The website would then be able to authenticate this account, as it would be provisioned in Domain B.
By the sound of Jason's reply, though, this is not possible without a custom filter. Is this correct?