How to use SSPI to validate a domain user in another forest


xinyu

I have a little program using SSPI to validate a client's
credentials (domain\userID and password).
This program works fine if the client is a domain user in the same
forest as the one where the program is running.
E.g., this program is running in domain A.test.com;
if the client is a user in domain B.test.com (domains A and B are in
the same forest), everything works fine no matter whether this program is
running as a user or as the local system account.

However, when I try to verify the credentials of a client in another
forest (e.g., the client user is in domain C.test.org; A.test.com and
C.test.org are in two separate forests and no trust relationship is set
up between the forests),
I can use SSPI to verify the client's credentials; however, when I
impersonate, I find the client's identity is ANONYMOUS LOGON, which is
wrong. But if I run this program as the local system account, I can get
the client's identity correctly.

Does anyone know why I get "ANONYMOUS LOGON" and how to solve it?
I have been trying for a while, but could not figure out the reason.

Any help is greatly appreciated.
 
The forests have no trust.

In attempting impersonation you are asking one realm to trust the
statement from the other realm as to with whom you are interacting
(attempting to impersonate), but you do not trust that other realm to
make such a statement. Anyway, without a trust the credentials of
the external realm would not be recognized and would be unusable
in the "impersonating" realm.
 
Thanks, Roger, for the response.

However, if the program is running as the local system account, I can get
the client's identity correctly and can get the group membership from
the token.

My question is:

Why does running as the local system account work?
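One way to make the problem described in this thread visible in code, as an added example that is not from any poster: a loopback Negotiate (SSPI) handshake in which the server side authenticates the client and then inspects the resulting token for the ANONYMOUS LOGON SID (S-1-5-7) before deciding to impersonate, instead of assuming the impersonated identity is the one the client claimed. The class name, the loopback setup and the use of the process's own credential on the client side are assumptions; swap in a NetworkCredential(user, password, domain) to test a specific account.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading.Tasks;

// Constructed demo: client and server run in one process over loopback.
class SspiIdentityCheck
{
    const string AnonymousLogonSid = "S-1-5-7"; // NT AUTHORITY\ANONYMOUS LOGON

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        var serverTask = Task.Run(async () =>
        {
            using var conn = await listener.AcceptTcpClientAsync();
            using var server = new NegotiateStream(conn.GetStream());
            await server.AuthenticateAsServerAsync();      // AcceptSecurityContext under the hood
            InspectAndImpersonate((WindowsIdentity)server.RemoteIdentity);
        });

        using (var tcp = new TcpClient())
        {
            await tcp.ConnectAsync(IPAddress.Loopback, port);
            using var client = new NegotiateStream(tcp.GetStream());
            // Assumed: the process's own credential; an explicit NetworkCredential works here too.
            // Empty target name means no SPN is offered, so Negotiate falls back to NTLM.
            await client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, string.Empty);
        }
        await serverTask;
    }

    // Decide from the token itself whether the authenticated identity is usable.
    static void InspectAndImpersonate(WindowsIdentity id)
    {
        bool anonymous = id.IsAnonymous || id.User?.Value == AnonymousLogonSid;
        Console.WriteLine($"Authenticated: {id.Name} via {id.AuthenticationType}, anonymous={anonymous}");
        if (anonymous)
        {
            Console.WriteLine("Token carries no usable identity (untrusted realm?); not impersonating.");
            return;
        }
        WindowsIdentity.RunImpersonated(id.AccessToken, () =>
        {
            Console.WriteLine("Now running as " + WindowsIdentity.GetCurrent().Name);
            foreach (var group in id.Groups) Console.WriteLine("  group SID " + group.Value);
        });
    }
}
```

Running this twice, once as an ordinary user and once under the local system account, with a credential from the untrusted forest shows the difference the thread describes in the printed identity and group list.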
 