Hi,

Trying to configure resource based KCD for the following scenario:

Account and resource forest/domain: IAMTEC.NET
- Contains user accounts
- Contains resources running through service accounts
- 1x RWDC = W2K12R2
- Server with Kerb Apps = W2K12 (in same site as RWDC)
- Service accounts of windows apps have SPNs and the WAP computer account in the other forest is allowed to access resources through "msDS-AllowedToActOnBehalfOfOtherIdentity"
- ADFS = W2K12R2
- Trusts IAMDMZ.NET with forest wide authN

DMZ forest/domain: IAMDMZ.NET
- Contains WAP running as Network Service (default)
- 1x RWDC = W2K12R2
- 1x RODC = W2K12R2
- Server with Kerb Apps = W2K12 (in same site as RODC) (computer creds cached on RODC)
- Web Application Proxy = W2K12R2 (has SPNs)
- Trusts IAMTEC.NET with forest wide authN

The idea is to configure Select AuthN and enable a firewall between the RWDC and the RODC and WAP. However, currently the firewall allows any-to-any and select authN is NOT enabled. Forest wide authN is enabled on both sides of the two-way trust.

No W2K8(R2) DCs! (due to https://support.microsoft.com/en-us/kb/2665790)

The kerberos applications in IAMTEC.NET work perfectly when being accessed with accounts from IAMTEC.NET and when accessed from computers from IAMTEC.NET.

On an external client (extranet or internet) accessing the app through Web Application Proxy:
- I see ADFS HRD
- I have forms based authN (which succeeds!)
- Then I get: HTTP 500 Internal Server Error

On WAP I see:
- Event ID 13019: Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package (0x8009030e)
- Event ID 12027: Web Application Proxy encountered an unexpected error while processing the request. Error: No credentials are available in the security package (0x8009030e).

In the network trace from WAP I see (with RODC in the mix):
- KerberosV5:KRBERROR - KDCERRPOLICY in the TGS response from the RODC in IAMDMZ.NET (right after the TGS request for the SPN -> Realm: IAMDMZ.NET Sname: HTTP/DELEGCONFIG.IAMTEC.NET) (HTTP/DELEGCONFIG.IAMTEC.NET is on a service account in the account and resource forest)

In the network trace from WAP I see (withOUT RODC in the mix):
- KerberosV5:KRBERROR - KDCERRPOLICY in the TGS response from the RWDC in IAMDMZ.NET (right after the TGS request for the SPN -> Realm: IAMDMZ.NET Sname: HTTP/DELEGCONFIG.IAMTEC.NET) (HTTP/DELEGCONFIG.IAMTEC.NET is on a service account in the account and resource forest)

With non-resource based KCD (KCD old-style) these errors basically meant that SPNs and/or delegation were not configured on the WAP computer account (as described in https://jorgequestforknowledge.wordpress.com/2014/12/07/web-application-proxy-with-kerberos-constrained-delegation-kcd/, this was everything in one single domain).

My opinion on this matter is that resource based KCD is not being triggered and it tries to use old-style KCD, which of course fails as the impersonating account (WAP computer account in IAMDMZ.NET) is not in the same AD domain as the resource account (service account in IAMTEC.NET).

This should work, but it looks like I'm missing something. Has anyone successfully configured resource based KCD in a forest structure like this? Anyone have any hints on next steps?

Thanks!

Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
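A configuration check for the cross-forest binding described above, added here as an example (it is not from the original post and does not claim to be its fix): it reads the msDS-AllowedToActOnBehalfOfOtherIdentity ACL on the IAMTEC.NET service account by SID, confirms the IAMDMZ.NET WAP computer account is present, and adds it only when $Fix is set. It assumes the ActiveDirectory PowerShell module and read/write rights in both forests; the account names svc-delegconfig and WAP01 are hypothetical.

```powershell
# Added example, not part of the original post. Verifies the cross-forest RBKCD
# binding: the WAP computer account in IAMDMZ.NET must appear in
# msDS-AllowedToActOnBehalfOfOtherIdentity on the IAMTEC.NET service account
# that holds HTTP/DELEGCONFIG.IAMTEC.NET. Account names below are hypothetical.
Import-Module ActiveDirectory

$ResourceDomain = 'iamtec.net'
$FrontEndDomain = 'iamdmz.net'
$ServiceAccount = 'svc-delegconfig'   # hypothetical sAMAccountName
$WapComputer    = 'WAP01'             # hypothetical WAP computer name
$Spn            = 'HTTP/DELEGCONFIG.IAMTEC.NET'
$Fix            = $false              # set to $true to write the attribute

# The front-end identity lives in the DMZ forest, so query that forest explicitly.
$wap = Get-ADComputer -Identity $WapComputer -Server $FrontEndDomain

# The back-end service account lives in the resource forest; pull the RBKCD
# attribute (returned as an ActiveDirectorySecurity object) and the SPN list.
$svc = Get-ADUser -Identity $ServiceAccount -Server $ResourceDomain `
         -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', servicePrincipalName

# Check 1: the SPN the client asks for must be on this account, not on the WAP.
if ($svc.servicePrincipalName -notcontains $Spn) {
    Write-Warning "$Spn is not registered on ${ServiceAccount}; the KDC cannot map the request to it."
}

# Check 2: enumerate the ACEs as SIDs so the cross-forest entry matches even when
# the DMZ SID cannot be translated to a friendly name from the resource forest.
$allowedSids = @()
$sd = $svc.'msDS-AllowedToActOnBehalfOfOtherIdentity'
if ($sd) {
    $allowedSids = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { $_.IdentityReference.Value }
}
Write-Host "SIDs allowed to act on behalf of others for ${ServiceAccount}: $($allowedSids -join ', ')"

if ($allowedSids -contains $wap.SID.Value) {
    Write-Host "OK: $($wap.Name) from $FrontEndDomain is allowed to delegate to $ServiceAccount"
} elseif ($Fix) {
    # Writes the attribute on the resource-forest account using the DMZ computer
    # object; Set-ADUser stores its SID. Requires write rights on the account.
    Set-ADUser -Identity $svc -Server $ResourceDomain -PrincipalsAllowedToDelegateToAccount $wap
    Write-Host "Added $($wap.Name) to msDS-AllowedToActOnBehalfOfOtherIdentity on $ServiceAccount"
} else {
    Write-Warning "$($wap.Name) is NOT in the allowed list; set `$Fix = `$true to add it."
}
```

The script does not verify that every KDC on the path is Windows Server 2012 or later, which the post already requires by ruling out W2K8(R2) DCs.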