Ivanti File Director can be configured to support Kerberos Single Sign-on by using Kerberos constrained delegation, as described in Constrained delegation support (Credential guard support).
One of the requirements for this is that, if the connecting users originate from another forest, a 2-way transitive forest trust must be configured. This knowledge article explains why this is required.
The File Director appliance is not domain-joined. However, where Kerberos SSO is used, it is configured with a pre-authentication account, which must be in the same domain as the file server(s) that host the map points.
When a user logs on from another forest and a 2-way transitive forest trust is in place, the multi-realm constrained delegation process is as follows:
1. The File Director appliance contacts its Ticket-Granting Server (TGS), which is the KDC (Key Distribution Centre) for the domain hosting the pre-authentication account specified in the Kerberos settings (Realm A). It requests a Ticket-Granting Ticket (TGT) for the TGS in the end user's realm (Realm B).
2. The TGS in Realm A returns a cross-realm TGT for the TGS in Realm B to the File Director appliance.
3. The File Director appliance uses this cross-realm TGT to make an S4U2Self request to the TGS in Realm B.
4. Realm B creates a PAC (Privilege Attribute Certificate, containing the user's authorisation information) and returns it in a TGT referral to the File Director appliance.
5. The File Director appliance uses this TGT referral to request a service ticket for itself from the TGS in Realm A on behalf of the user in Realm B.
6. The TGS in Realm A returns a service ticket which encapsulates the authorisation information provided by the TGS in Realm B.
Where only a 1-way outgoing forest trust is in place between Realm A and Realm B (where users in Realm B can access resources in Realm A), steps 1-2 above fail, because the TGS in Realm A does not have an authentication path to the TGS in Realm B.
Note: this is a Microsoft / protocol limitation, not a limitation of File Director itself.
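The following Python model is an added illustration, not part of this article or of File Director. It encodes the trust direction each step of the six-step exchange depends on and reports which step fails; the Trust type, the realm names and the inter-realm key rule are assumptions made here. It goes one step beyond the article by also showing where a 1-way incoming trust (Realm B trusting Realm A) would fail.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One direction of a forest trust: `trusting` accepts users from `trusted`.
    A 1-way outgoing trust from Realm A to Realm B (users in B can reach
    resources in A) is Trust(trusting="A", trusted="B")."""
    trusting: str
    trusted: str


def can_issue_cross_realm_tgt(trusts, issuer, target):
    """Assumed rule: the TGS in `issuer` can only mint a cross-realm TGT for
    `target` (krbtgt/target@issuer) if the realms share that inter-realm key,
    which exists when `target` trusts `issuer`."""
    return Trust(trusting=target, trusted=issuer) in trusts


def cross_realm_s4u2self(trusts, realm_a, realm_b):
    """Walk the six steps from the article for a pre-authentication account in
    realm_a acting on behalf of a user in realm_b.
    Returns (succeeded, failing_steps_or_None, trace)."""
    trace = []
    # Steps 1-2: the appliance asks its own TGS (Realm A) for a cross-realm TGT
    # for the TGS in Realm B.
    if not can_issue_cross_realm_tgt(trusts, realm_a, realm_b):
        trace.append(f"steps 1-2 failed: TGS in {realm_a} has no authentication path to {realm_b}")
        return False, "1-2", trace
    trace.append(f"steps 1-2: {realm_a} issued krbtgt/{realm_b}@{realm_a}")
    # Steps 3-4: S4U2Self against Realm B; B answers with a referral TGT back to
    # Realm A carrying the user's PAC, so B must be able to issue krbtgt/A@B.
    if not can_issue_cross_realm_tgt(trusts, realm_b, realm_a):
        trace.append(f"steps 3-4 failed: TGS in {realm_b} cannot issue a referral for {realm_a}")
        return False, "3-4", trace
    trace.append(f"steps 3-4: {realm_b} returned PAC in krbtgt/{realm_a}@{realm_b}")
    # Steps 5-6: Realm A validates the referral with the same inter-realm key
    # and issues the service ticket carrying Realm B's authorisation data.
    trace.append(f"steps 5-6: {realm_a} issued service ticket with PAC from {realm_b}")
    return True, None, trace


TWO_WAY = {Trust("A", "B"), Trust("B", "A")}
OUTGOING_ONLY_FROM_A = {Trust("A", "B")}  # users in B can reach resources in A

if __name__ == "__main__":
    for name, trusts in [("2-way", TWO_WAY), ("1-way outgoing", OUTGOING_ONLY_FROM_A)]:
        ok, steps, trace = cross_realm_s4u2self(trusts, "A", "B")
        print(name, "->", "ok" if ok else f"fails at steps {steps}")
        for line in trace:
            print("  ", line)
```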