Kerberos Authentication Setup for MSCRM in cross forest oneway trust environment.

Dear All,
Kindly help with implementing Kerberos authentication on a CRM application in a multiple-forest environment. My environment details are as below:
Number of forests: 2
1. First is with name of domain1.local
2. Second is with name of domain2.local
Trust Level: One Way trust from domain1 and domain2.
CRM Farm Details:
1.  1 CRM(APP + WEB)Server (CRMAPP-01.domain1.local)
2.  1 SQL Server (CRMSQL-01.domain1.local)
3. 1 CRM SSRS Server (CRMSSRS-01.domain.local)
4. CRM site url: http://mscrminternal.domain.local/MSORG1
*I have successfully configured Kerberos authentication and everything is working fine when users of domain1 try to access it.
But once I tried to access it as users of domain2, I am getting the following error.
HTTP Error 401 - Unauthorized: Access denied.
*If I switch to NTLM, I can access the CRM site for domain2 and domain1 users without any issue.
I read an MS article saying Kerberos delegation can be established if a one-way forest trust is present.
Please help me to understand if Kerberos is possible to set up across a cross-forest one-way trust.
Regards
Gyan
GYAN SHUKLA

Hi Gyan,
I assume that you have solved this issue by synchronizing time between Domain Controllers, right?
Then your last reply should be marked as answer.
If this issue still persists, please feel free to let us know.
Best Regards,
Amy 

Similar Messages

  • Kerberos authentication prompting for credentials in Sharepoint 2013

    Hello all,
    I think I’m a bit confused on what I should expect out of Kerberos and sharepoint.
    Following the steps located in
    http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/ , I’ve setup Kerberos in my Sharepoint 2013 environment. My hope was that configuring kerberos authentication would solve the issue of users being prompted for
    credentials when they access sharepoint. I know that one way to address this problem is to tweak the IE settings by adding the site to the local intranet or trusted zones, but am I wrong in thinking that Kerberos should also authenticate the user on to the
    site? Here’s my situation:
    Previously, I had our sharepoint URL in the trusted zone and had IE set to pass my credentials through, and that worked. After configuring Kerberos, I can see the tickets on my system using klist and the security log on our web front-end shows that I authenticated
    using Kerberos.
    However, if I then remove the sharepoint URL from the trusted zone in IE, I still get prompted for credentials. If I cancel the credential prompt, I get a 401 error and the security log on the server shows a NTLM login attempt.
    As soon as I put the URL back in the trusted zone, I can access the site and the server log shows a Kerberos authentication.
    Am I wrong in thinking that if Kerberos was working properly then I shouldn't need to have the URL in the trusted zone?
    Thanks
    Bill

    Thanks for the quick reply, Alex. At least it’s good to know it appears to be working as designed.
    Thanks again,
    Bill

  • Real time collaboration issue after Kerberos authentication setup

    Hi,
    We are using SPNego (kerberos) authentication for our portal (EP 7.0 SP10). When user clicks on log off link, he comes back to the portal home page again so there is no way for the user to log off from the portal. I don't see this as a problem for the users who are not having access to collaboration. But for the users having access to collaboration, when they login to the portal second time (before expiry of the first login session which they couldn't close as log off is not working), they get warning stating
    "You are logged to the same portal already. Real-time collaboration capabilities will not be available in the current portal session until you terminate the other session and then restart this one by refreshing the browser or logging on again."
    How to resolve this?
    Helpful answers will be rewarded
    Regards,
    Chandra

    Most people set the logoff link to a URL which contains some JavaScript which closes the browser.
    Paul

  • Kerberos Authentication Failure for POP3 After Upgrading to 10.6.5

    So I just upgraded from 10.6.4 to 10.6.5 and now Kerberos authentication for POP3 from Mail fails. Kerberos authentication for SMTP outgoing mail is just fine, it's only POP3 incoming mail that fails to authenticate. POP3 Kerberos authentication still works fine for the same account from another machine running 10.5.8. The mailaccess.log file contains the following:
    Nov 23 15:36:59 server master[423]: about to exec /usr/bin/cyrus/bin/pop3d
    Nov 23 15:36:59 server pop3[423]: executed
    Nov 23 15:37:00 server pop3[423]: accepted connection
    Nov 23 15:37:00 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
    Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
    Nov 23 15:37:01 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
    Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
    Nov 23 15:37:04 server pop3[423]: badlogin: FQDN [192.168.0.4] GSSAPI
    Nov 23 15:37:04 server master[52]: process 423 exited, status 0
    The server is running Mac OS X Server 10.4.11 and cannot be upgraded any further than as it is ancient hardware.
    Any thoughts?
    Cheers,
    Derek

    Makes perfect sense to me that ending one session by logging out enables him to begin a new session by logging back in. I give the young man credit for figuring out how to get around this deficiency in Parental Controls, as, deep down, I'm sure you do, too.
    If you can't trust him to stick to his agreed upon half an hour a day, you can always (threaten to) lock him out of the computer for 23.5 hrs/day using the Bedtime settings. ; )

  • Remotely adding a Kerberos Authenticated printer

    Hi there, I am deploying a printer via MCX which works fine. However, the machines are using an LDAP Kerberos authentication setup. If I manually set Kerberos on the machine using the following steps it works fine.
    1. Open the URL "http://localhost:631/printers" in Safari.
    2. For each printer you wish to share using Kerberos:
    3. Click the printer name in the list.
    4. Choose "Set Default Options" from the "Administration" pop-up menu.
    5. Click "Policies".
    6. Choose "kerberos" from the "Operation Policy:" pop-up menu.
    7. Click "Set Default Options".
    The problem I have is I can't do this on each machine manually.
    This setting is not held in the PPD for that printer. I have set the option, copied the PPD from /etc/cups/ppd and then created a new printer using this PPD but the option is not enabled. I can see that when you enable this option it is writing to and then deleting the following files
    /var/spool/cups/cache/printername.png
    /var/spool/cups/cache/printername.data.N
    /var/spool/cups/cache/printername.png-psHg
    /var/spool/cups/cache/printername.data
    I am sure this is what is setting the option but I can't see anything in lpadmin or lpoptions that would allow this to be set via the command line. Any ideas?

    I have found the Apple whitepaper on Enterprise printing and this command is supposed to enable kerberos.
    However when you run it and then check through the CUPS interface kerberos is not enabled.
    First you get the queue name from this:
    lpstat -a
    lpadmin -p printername -o auth-info-required=negotiate
    Now according to the white paper the process changed from 10.5 to 10.6
    I am wondering if anyone knows if things have changed from 10.6 to 10.7

  • Does a Kerberos authentication module exist?

    Does anyone know of a Kerberos authentication module for Portal Server? If not, can anyone think of any security implications that would suggest "rolling my own" would not be a good idea?

    No we don't have any kerberos auth module as a part of the product and you can develop your own using the auth api's.

  • SCCM 2012 - Network requirements for Client communication to primary in a Cross Forest Environment

    Hello, I have been trying to get some definitive answers on what network traffic is required between a client and a primary site versus a secondary in a cross forest scenario.
    Here is the scenario:
    Company A has an existing SCCM 2012 primary Site. Company B (Separate Forest) has now been brought in. One subnet on each side can route to each other and using that one subnet a two way forest
    trust has been setup. But the remote offices have IP address overlaps between companies. At some point in the future all assets on company B will be re-IP and brought over to Company A domain. But in the interim it would be nice to get SCCM cross forest clients
    working. Upgrading to a CAS model with two Primaries would not be preferred here as this is a temporary solution. 
    My questions are as follows.
    If a secondary site is deployed into Company B Forest/Network. I have seen people online allude to that clients will still need to communicate to the Primary located at Company A, even though they
    are assigned to a secondary on Company B’s network. Is this true? Is there any workarounds for this? Is a NAT back to the primary acceptable, or is reverse lookup required?
    Will the Primary need to communicate directly to the clients in Company B? If this is in fact a requirement, then this would be a show stopper. But if it's only needed for things like client pushes,
    then we could work around it.
    Thanks

    "But the remote offices have IP address overlaps between companies"
    Technically, this is unsupported because clients, depending upon your boundaries, will not be able to find a local DP since they use IP addresses for this. The only way to work around this is to use AD Site boundaries.
    "though they are assigned to a secondary"
    Clients are *never* assigned to a secondary site -- that's not what secondary sites are for. Yes, clients require communication with an MP in the primary site where they are assigned. There is no way to change this or work-around this except to put
    an MP from the primary site closer to those clients and use the new MP affinity option in R2 CU3.
    Reverse lookups are only used to verify names by applications that wish to have this type of functionality (which are very few in number) and have nothing to do with true network traffic. NATing is an issue for the reason I gave above -- DP location.
    Remote control, client push, and WoL won't work either because there is no way for the traffic to reach the destination behind the NAT.
    All client *agent* communication in ConfigMgr is client initiated in ConfigMgr (remote control, client push, and WoL -- as just mentioned -- are sort of exceptions to this but they don't really involve the client *agent*.)
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • How to setup Oracle OCI Driver with Kerberos Authentication in Eclipse

    Hello I am trying to setup a connection to Oracle Server with kerberos authentication.
    I am able to connect using SQL Developer but it seems impossible to do the same through the eclipse plugin any pointers?

    Currently there is no support for Kerberos authentication on OEPE DB support. I'll open an enhancement request.

  • What are the recommended methods to keep CA Certs and CRLs updated in Account Forests for a Cross Forest Enrollment implementation?

    Hello,
    We have 1 resource Forest and multiple account Forests. We've reviewed the Cross-Forest Cert Enrollment with Windows Server 2008 R2 doc and followed steps 8 and 9 under the 'Deploying AD CS for Cross Forest Cert enrollment' regarding publishing
    the root CA Cert and Enterprise CA certs.  We run PKISync.psi to copy objects from the resource to the account Forest, and understand Certs and CRLs are not copied from the resource to the account Forests.  We are trying to figure out the best way
    of keeping the Root and SubCA Certs and CRLs updated in the account Forests.
    1. Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
    2. Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
    3. Any other suggestions/references regarding best practices on how to do this?
    Thanks for your help! SdeDot

    > Do folks simply copy the Root and SubCA Certs/CRLs from the resource forest into the account forests when they are renewed and then run the associated -Dspublish commands in the account forest?
    yes. Though, we do not bother with CRL copy as it published to HTTP location only.
    > Any way for a CRL to be checked in the resource forest from a cert on a computer in the account forest?
    I would suggest to not use LDAP URLs in favor of HTTP.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com

  • AD authentication for domain in another forest- XI R2

    Situation:
    - Windows 2003
    - BOXI R2 (tomcat)
    - 2 domains (in different forest)
    - trust between the two domains
    We have successfully installed the AD-authentication plugin for domain1.
    To work around for domain2, we've added users from domain2 inside a group of domain1, but these users are not shown inside the CMC when we import the AD-group.
    Can we use the LDAP plugin for the domain2? What should be the procedure?
    I found a similar question on this forum from one month ago, where they were talking about BO3 SP1, which will support multiple forest. But not really a solution that could help me out now.
    Please advise
    Thanks in advance!
    Quinten

    In XIR2 we cannot map in groups that contain users from 2 different forests. To work around this we could use LDAP to AD, but there are a few limitations.
    If you want to upgrade, the version that should contain this will hopefully be out by the end of this month: XI 3.1 or XI 3.0 integrated SP1.
    There should be some notes on using LDAP to AD in the SMP, and it's also documented in the XI 3.0 Admin Guide (http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf).
    Regards,
    Tim

  • Any document explaining Risks involved in assigning "Delegation Permission" to a computer for Kerberos Authentication

    Need SSO on CRM 2013. As per documents assigning Delegation Permission in Kerberos Authentication is mandatory to achieve SSO in CRM 2013.
    Before doing that need to evaluate risks in doing so. Any help or document for the same is helpful.
    Devesh

    Hi Devesh,
    “The idea of delegation in Kerberos is that if a user makes a request to a final resource, and some
    intermediary accounts must process the request, then those intermediary accounts can be trusted to delegate on the user’s behalf. You can configure an account for delegation by using Active Directory Users and Computers as a domain administrator.
    Select Trust this user/computer for delegation to any service (Kerberos) under the Delegation tab of the user or computer account.”
    Quoted from this article below:
    Using Kerberos for SharePoint Authentication
    http://technet.microsoft.com/en-us/magazine/ee914605.aspx
    From my point of view, as long as the intermediary account can be trusted, then it is safe.
    Best Regards,
    Amy
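
The quoted setting, "Trust this user/computer for delegation to any service (Kerberos)", is stored as a bit in the account's userAccountControl attribute, so it can be reviewed in bulk. The following is an added example, not part of the thread: it classifies accounts by delegation type and lists the ones worth a reviewer's attention. The account names, SPNs and the `privileged` marker are constructed for illustration; the flag values are Microsoft's documented userAccountControl bits.

```python
from dataclasses import dataclass, field

# userAccountControl bit flags (values as documented by Microsoft).
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # "delegation to any service (Kerberos)"
NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition


@dataclass
class Account:
    name: str
    uac: int                                        # userAccountControl value
    allowed_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo SPNs
    privileged: bool = False                        # assumption: set by the caller


def delegation_type(acct):
    """Return how far this account may act on behalf of its users."""
    if acct.uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed_to:
        if acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"


def review(accounts):
    """Return (account name, finding) pairs that need a decision."""
    findings = []
    for a in accounts:
        kind = delegation_type(a)
        is_dc = bool(a.uac & SERVER_TRUST_ACCOUNT)
        # Domain controllers carry the unconstrained flag by design.
        if kind == "unconstrained" and not is_dc:
            findings.append((a.name, "unconstrained: limit to named SPNs"))
        elif kind == "constrained+protocol-transition":
            findings.append((a.name, "protocol transition: confirm it is required"))
        # Privileged users should not be delegable by any intermediary.
        if a.privileged and not (a.uac & NOT_DELEGATED):
            findings.append((a.name, "privileged but delegable: set NOT_DELEGATED"))
    return findings


# Constructed sample records; names and SPNs are illustrative only.
SAMPLE = [
    Account("DC01$", 0x2000 | 0x80000),
    Account("CRMAPP-EXAMPLE$", 0x1000 | 0x80000),
    Account("svc-ssrs", 0x200 | 0x1000000, ["MSOLAPSvc.3/ssas.example.test"]),
    Account("svc-web", 0x200, ["HTTP/crm.example.test"]),
    Account("admin-a", 0x200, privileged=True),
    Account("admin-b", 0x200 | 0x100000, privileged=True),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE):
        print(f"{name}: {finding}")
```
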

  • Configuring Kerberos authentication for SSRS in native mode - SSRS 2008 R2-2012

    Hi,
    I've a SSRS native mode installation on a server and a SSAS installation on another server.
    In order to configure the Kerberos authentication for SSRS native mode, I need to register one SPN for the report server service, one SPN for SSAS service and to configure SSRS to use the negotiate authentication type, isn't it?
    Thanks

    Hi pscorca,
    If we have applications that only use Kerberos authentication and we are using RSWindowsNegotiate AuthenticationType, we must create a Service Principal Name (SPN) for the Report Server service if we configure it to run as a domain user account.
    Before setting up constrained delegation, we must register a
    Service Principal Name (SPN) for the Analysis Services instance. We will need the Analysis Services SPN when configuring Kerberos constrained delegation for middle tier services.
    There is a document about Enabling Kerberos Authentication for Reporting Services, you can refer to it.
    http://blogs.technet.com/b/rob/archive/2011/11/23/enabling-kerberos-authentication-for-reporting-services.aspx
    Hope this helps.
    Regards,
    Alisa Tang
    TechNet Community Support

  • Error=49 from the LDAP server for GSSAPI Kerberos authentication

    I am trying to find a solution for an ldapsearch failure with GSSAPI Kerberos authentication. I am running Sun Directory Server 5.2 P4 on a Solaris-9 sparc machine.
    Steps :
    bash-2.05# kinit tester1
    Password for [email protected]:
    bash-2.05#
    When I do ldapsearch , I am getting following logs on the server :
    tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
    [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
    [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
    I am using the default Identity Mapping and the ldif file looks like this :
    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectClass: dsIdentityMapping
    objectClass: nsContainer
    objectClass: dsPatternMatching
    objectClass: top
    cn: default
    dsMatching-pattern: ${Principal}
    creatorsName: cn=directory manager
    createTimestamp: 20070220045812Z
    dsMatching-regexp: uid=(.*)
    dsSearchBaseDN: ou=people,dc=test1,dc=com
    dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
    modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
    t
    modifyTimestamp: 20070221082740Z
    Following is the snoop for LDAP on the server :
    bash-2.05# !snoop
    snoop -v port 389 | grep LDAP
    Using device /dev/eri (promiscuous mode)
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP: *** NOT PRINTED - Too long value ***
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: 1
    LDAP: Invalid Credentials
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL(-1): generic failure:
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation [APPL 2: Unbind Request]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    Please help me on how to fix this issue.
    Thanks,
    Radhakrishnan

    I did reply on the other thread of yours...
    Ludovic
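
The access log in the question shows each GSSAPI bind going through two in-progress rounds (err=14) before the final err=49. The following is an added example, not part of the thread: it reads access-log lines in that format, groups them by connection, and reports each completed bind attempt with its SASL round count and final LDAP result code. The conn=32 lines are copied from the post; the conn=40 lines are constructed to show a successful simple bind for contrast.

```python
import re
from collections import Counter

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) "
                  r"msgId=-?\d+ - (?P<rest>.*)$")
CONNECT = re.compile(r"LDAP connection from (?P<src>\S+) to \S+")
BIND = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) version=\d+'
                  r"(?: mech=(?P<mech>\S+))?")
RESULT = re.compile(r"RESULT err=(?P<err>\d+)")

# LDAP result codes (RFC 4511) that matter for bind handling.
RESULT_NAMES = {0: "success", 14: "saslBindInProgress", 49: "invalidCredentials"}


def bind_attempts(lines):
    """Return one record per completed bind, in log order."""
    conns, attempts = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        state = conns.setdefault(conn, {"src": None, "binds": {}, "rounds": 0})
        if (c := CONNECT.search(rest)):
            state["src"] = c["src"]
        elif (b := BIND.search(rest)):
            state["binds"][op] = (b["dn"], b["mech"] or b["method"])
        elif (r := RESULT.search(rest)) and op in state["binds"]:
            dn, mech = state["binds"].pop(op)
            err = int(r["err"])
            if err == 14:          # multi-step SASL exchange still running
                state["rounds"] += 1
                continue
            attempts.append({"conn": conn, "src": state["src"], "dn": dn,
                             "mech": mech, "sasl_rounds": state["rounds"],
                             "err": err,
                             "result": RESULT_NAMES.get(err, "other")})
            state["rounds"] = 0
    return attempts


def failures_by_source(attempts):
    """Count failed binds per client address."""
    return Counter(a["src"] for a in attempts if a["err"] != 0)


SAMPLE_LOG = """
[22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
[22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
[22/Feb/2007:01:50:00 -0700] conn=40 op=-1 msgId=-1 - fd=27 slot=27 LDAP connection from 10.7.30.200 to 10.7.30.16
[22/Feb/2007:01:50:00 -0700] conn=40 op=0 msgId=1 - BIND dn="uid=tester2,ou=people,dc=test1,dc=com" method=128 version=3
[22/Feb/2007:01:50:00 -0700] conn=40 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
""".splitlines()  # conn=32 from the post; conn=40 constructed

if __name__ == "__main__":
    for a in bind_attempts(SAMPLE_LOG):
        print(a)
    print(dict(failures_by_source(bind_attempts(SAMPLE_LOG))))
```
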

  • Kerberos Authentication for EP 7.0 Portal

    We are implementing Kerberos Authentication on our EP7 Portal. In our landscape we have
    2 main domains (US & INTL). In each of the domain we have several domain controllers (more than 10 each). We had the following queries:
    1) We have a mix of domain controllers running on win 2000 and win 2003. Will this cause any issue with the SPNego configuration?
    2) Since we have more than 10 DCs in each domain do we need to add all the DCs as KDCs in the step 2 of SPNego wizard?
    System Details
    1) Portal Version → EP7 SP13
    2) Operating System → SunOS (sparcv9) 5.9
    3) LDAP → MS ADS
    4) DB → Oracle 10.2.0.2.0 - 64bit
    Thanks.

    Hi Lisandro,
    For Q1:  I don't think there should be a problem with the mixture of DCs types.
    For Q2: You only need to configure one DC in the wizard (a W2003 server may be the best choice). This is just the DC that the wizard talks to during configuration.
    Hope this helps,
    Darren

  • Regarding Kerberos authentication for webservices.

    Hi,
          I need to use kerberos authentication for my receiver webservice.  I am working in PI7.1 . Which adapter I can use for this ( WS-RM adapter or SOAP adapter) and How to configure it for kerberos. I mean, which value of authentication parameter refers to kerberos authentication.
    Regards,
    Reyaz hussain

    Hi Reyaz,
    To tell you frankly, I have never come across this Kerberos protocol, but since you would like to use it there is certainly a chance after the launch of PI 7.1. The launch has Opened the Door to the World of Web Services Reliable Messaging.  "The Integration Directory enables you to easily configure scenarios where the Integration Server acts as a message hub between WS-RM-enabled applications and any other application or technical system. Thus, you can configure scenarios where either a Web Service client calls the Integration Server and the message is then routed to any other application, or the other way around where any application calls a Web Service provider via the Integration Server. In the Integration Directory you can do the complete configuration of the Integration Server inbound or outbound processing."
    https://www.sdn.sap.com/irj/scn/wiki?path=/display/profile/2007/07/25/new+news&focusedcommentid=44360
    Regards
    joel
