Allow ArcGIS Server to Authenticate and Authorize users across an Active Directory Forest Trust

Idea created by pfoppe on May 21, 2014

Many organizations use the Microsoft Active Directory (AD) product as their users' identity store (name, info, password), to authenticate those users' credentials (verify they provided the correct credentials) and then subsequently authorize those users to perform various actions (based on role or group membership).

The Esri ArcGIS Server 10.2 release started working with multiple domains inside 1 AD forest. I can have users in different domains authenticate and be authorized to GIS resources with 1 deployment of the Esri ArcGIS Server 'site'.

Large organizations oftentimes build 'forest trusts' between different Active Directory deployments. This allows organizations to authenticate and subsequently authorize users from different corporate identity stores for access to resources within the organization's control without having to establish an Identity Life Cycle Management process with those other identities.

Many 3rd party products that use 'Windows Domain' based authentication/authorization schemes support Active Directory forest trust models out of the box. It appears that Esri ArcGIS Server completely ignores the trust. The web-tier (web-adaptor) can be configured to authenticate users across an AD trust (for example, using Integrated Windows Authentication). The ArcGIS Server that handles the authorization (what service the user is allowed access to) does not know what to do with users that are in the trusted AD forest. The only alternative I see is to build a custom identity provider that queries all domains within each forest, which is not really an out of the box solution.
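As an added illustration (not part of the original idea post, and not Esri code) of the lookup such a custom identity provider would have to perform, the PowerShell below resolves an account and its group membership across every domain of the local forest and of each forest-trusted forest. It assumes the RSAT ActiveDirectory module and that the trust allows the calling account to query the trusted forest; the sample account name is constructed.

```powershell
# Added example: walk every domain in the local forest and in each forest-trusted
# forest, looking for one account and returning its group membership. This is the
# work an authorization tier must do when users may live on either side of a trust.
Import-Module ActiveDirectory

function Resolve-UserAcrossForests {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Start with the local forest, then add every forest reached by a forest trust
    $forests = @((Get-ADForest).Name)
    $forests += Get-ADTrust -Filter 'ForestTransitive -eq $true' |
        Select-Object -ExpandProperty Name

    foreach ($forest in ($forests | Sort-Object -Unique)) {
        # A forest can hold several domains; the user object lives in exactly one of them
        $domains = (Get-ADForest -Identity $forest).Domains
        foreach ($domain in $domains) {
            try {
                # -Identity avoids building a filter string from caller input
                $user = Get-ADUser -Identity $SamAccountName -Server $domain -ErrorAction Stop
            } catch {
                continue   # not in this domain, try the next one
            }
            # Group membership is read from the user's own domain; domain-local groups
            # defined in a resource domain on the other side of the trust are not listed here
            $groups = Get-ADPrincipalGroupMembership -Identity $user -Server $domain |
                Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Forest = $forest
                Domain = $domain
                UPN    = $user.UserPrincipalName
                Groups = $groups
            }
        }
    }
}

# Usage with a constructed account name; an empty result means no domain in any
# trusted forest could resolve the account, which is the case that breaks authorization.
Resolve-UserAcrossForests -SamAccountName 'jdoe'
```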

Thanks for the consideration.