We have an application that uses Active Directory for its Authentication. This includes Kerberos multi-hop delegation which the application requires. It consists of a WinForms client, connecting to a set of Web Services via WCF 4.0, hosted under IIS 7.5.

Normally, this all gets installed on our Customers own hardware and integrates with their AD. But we have recently set the Web Services running on private cloud (accessible via IPSec VPN) with its own AD implementation, and where we can set-up a one-way Active Directory Trust between our AD and the customers AD then all is well, and the application works as designed.

However, we have a few customers who are running their AD on Small Business Server, and therefore it is not possible to set-up the trust.

Given the following constraints…

• A major re-write of the application to not use AD/Kerberos is not a viable option.
• Forcing the Customer to move off SBS to a full Windows Server AD is not a viable option.

… I am looking at ways to solve this problem that require the minimum changes to the core Application as possible.

I can see 3 options that seem immediately obvious:

• Active Directory Certificate Services – Clients use a certificate issued from our AD which is linked to an AD account in our domain. But unsure of whether this would allow the Kerberos Delegation.
• Active Directory Federation Services – This sounds like it also could do the job, but we have never used it before.
• Active Directory Lightweight DS – If the customer was to install this and somehow link it to their AD and we set-up the trust to the LDS instance, could that work? Again, we have never used AD LDS before.

Does anybody have any experience of this situation or something similar?

Does anyone have any recommendations as to which of the 3 routes to look down first?

Does anyone have any other alternatives?