In this scenario I had another domain with a forest trust, and I faced an error when logging in to the SharePoint site with a user account from that domain.
Following is the error message I got from ULS:
SPSecurityContext: Could not retrieve a valid windows identity for username '' with UPN ' '. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied
Following are the checkpoints:
- Relevant SPN entries are in place : Done
- Service account is enabled for delegation : Done
- Name suffix is enabled for routing : Gotcha!!
- Log in to the Domain Controller
- Navigate to Active Directory Domains and Trusts. Open Properties and go to the Trusts tab
- Select the relevant domain name & click on Properties. Then navigate to the Name Suffix Routing tab
- Enable it
It resolved the error for me!
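
The third checkpoint can also be verified without the GUI. The following read-only PowerShell check is an added example, not part of the original post: it lists the name suffix routing status on a forest trust and reports whether a given user's UPN suffix is routed. It assumes it is run in the forest that hosts SharePoint by an account allowed to read trust information; `partner.example` and `user@partner.example` are placeholder values.

```powershell
# Added example: report name suffix routing status for a forest trust.
# Placeholders (assumptions): the trusted forest name and the user's UPN.
param(
    [string]$TrustedForest = 'partner.example',
    [string]$UserUpn       = 'user@partner.example'
)

# Read the forest trust object from the current (SharePoint-hosting) forest.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$trust  = $forest.GetTrustRelationship($TrustedForest)

# Each top-level name carries a routing status:
# Enabled, NewlyCreated, AdminDisabled or ConflictDisabled.
$suffixes = foreach ($tln in $trust.TopLevelNames) {
    [pscustomobject]@{
        Suffix = ($tln.Name -replace '^\*\.', '')   # normalise "*.name" to "name"
        Status = $tln.Status
    }
}
$suffixes | Format-Table -AutoSize

# Suffixes explicitly excluded from routing also block authentication.
$excluded = @($trust.ExcludedTopLevelNames | ForEach-Object { $_ -replace '^\*\.', '' })

# A UPN is routable when its suffix equals, or is a child of, an enabled
# top-level name and is not covered by an exclusion.
$upnSuffix = ($UserUpn -split '@')[-1].ToLowerInvariant()
$covers = {
    param($name)
    $n = $name.ToLowerInvariant()
    $upnSuffix -eq $n -or $upnSuffix.EndsWith('.' + $n)
}

$routed   = @($suffixes | Where-Object { $_.Status -eq 'Enabled' -and (& $covers $_.Suffix) })
$disabled = @($suffixes | Where-Object { $_.Status -ne 'Enabled' -and (& $covers $_.Suffix) })
$blocked  = @($excluded | Where-Object { & $covers $_ })

if ($routed.Count -gt 0 -and $blocked.Count -eq 0) {
    Write-Output "OK: suffix '$upnSuffix' is routed to $TrustedForest."
} elseif ($disabled.Count -gt 0) {
    Write-Output "NOT ROUTED: '$upnSuffix' matches '$($disabled[0].Suffix)' with status $($disabled[0].Status)."
} elseif ($blocked.Count -gt 0) {
    Write-Output "NOT ROUTED: '$upnSuffix' is covered by exclusion '$($blocked[0])'."
} else {
    Write-Output "NOT ROUTED: no top-level name on the trust covers '$upnSuffix'."
}
```

A status other than `Enabled` for the suffix in the user's UPN corresponds to the disabled entry on the Name Suffix Routing tab described above.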