So I had SSO working in a Forest Trust scenario, but all the resources were on one side.
I have three domains, two trust each other, and the third (external) trusts the other two. All the resources were in external, except for some OWA servers in each of the other two realms.
I tried to add a web server into one of the internal domains and I am having some problems.
It seems that logging in causes some weirdness, because even though I'm logged into one realm, when I go to access another resource that I should have access to, I either get a login prompt (sometimes for another realm, sometimes the same) or I get "Attempted to perform an unauthorized operation."
I tried removing the Forest Trust from my ADFS trusts. That hasn't seemed to help any.
What are the differences or pros and cons of "to forest trust or not to forest trust"? I know that it has been recommended not to use them, but in my case it will work. Or does the trust have to be two-way for it to work?
What are the issues you run into when one partner is a resource for another and vice versa, or am I just getting the ADFS trusts wrong?
I'm also having trouble finding a good resource that explains the UPN suffixes; that might be the cause of my problems now that I have removed the forest trusts.
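Two things the post asks about can be inventoried directly rather than guessed at: the direction and transitivity of each trust, and which UPN suffixes each forest claims. The following is an added diagnostic example, not code from the original post; it assumes the ActiveDirectory PowerShell module is installed, that the account running it can query each forest, and that the three forest names in `$Forests` are placeholders to be replaced with the real ones.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and read access to each forest; the forest names below are constructed placeholders.
Import-Module ActiveDirectory

$Forests = @('internal1.example', 'internal2.example', 'external.example')

# suffix -> list of forests that claim it
$suffixOwners = @{}

foreach ($f in $Forests) {
    $forest = Get-ADForest -Identity $f

    # Every UPN suffix a forest can issue: its domain names plus any explicitly added suffixes
    $claimed = @($forest.Domains) + @($forest.UPNSuffixes)
    foreach ($s in $claimed) {
        if (-not $suffixOwners.ContainsKey($s)) { $suffixOwners[$s] = @() }
        $suffixOwners[$s] += $forest.Name
    }

    # Trust direction (Inbound/Outbound/BiDirectional) and whether it is a forest trust,
    # as seen from this forest's root domain
    Get-ADTrust -Filter * -Server $forest.RootDomain |
        Select-Object @{ n = 'Forest'; e = { $forest.Name } }, Name, Direction, ForestTransitive, IntraForest |
        Format-Table -AutoSize
}

# A suffix claimed by more than one forest is ambiguous: a logon name with that suffix
# cannot be routed to a single forest, which is one way to end up at the wrong login prompt
$suffixOwners.GetEnumerator() |
    Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { "Suffix '$($_.Key)' is claimed by: $($_.Value -join ', ')" }
```

Run it once from a machine that can reach all three forests and compare the trust table against what the ADFS claims provider trusts expect; any suffix reported twice is worth resolving before touching the ADFS configuration again.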