New Active Directory Documents for IT Pros
We have updated the TechNet article, Technologies for Federating Multiple Forests, to include the prerequisites for employing Kerberos over external trusts. Highlights of the updates from the article are:
For a complete list of the prerequisites for using Kerberos over an external trust, see Table 1, External Trusts vs Forest Trusts, in the article mentioned above.
Hello, Thanks for the update, great. One thing however: the "update date" is still set to 2007.
One other thing: the following phrase implies it is only relevant to Windows 2000:
"External trusts are used in Windows 2000 to enable trust between two domains that are in different forests". Perhaps this could be adjusted. Thanks.
Thanks for the feedback. I will work to get both of these items updated.
A while ago I blogged about this as well. My conclusion then was that external trusts do not support Kerberos. The article is right here: setspn.blogspot.com/.../ad-external-trusts-and-kerberos.html I got some references to MS docs/KBs and also a topic over at ActiveDir.org. All concluded that external trusts do not support Kerberos. How come this now is changed? Because the requirements listed here aren't that extraordinary... So who or what made you guys bring this out, and why was it listed otherwise for so many years? Just kinda curious.
FYI - it appears that Kerberos over External Trusts can be done if all DCs are Windows Server 2008 R2 or above using the Use Forest Search Order setting in the Administrative Template for the KDC.
More information is available on Jorge's blog - jorgequestforknowledge.wordpress.com/.../kerberos-authentication-over-an-external-trust-is-it-possible-part-6
Here is a summary on Kerberos Forest Search, and it also describes what you need in an SPN to make Kerberos use the external trust:
You need a SPN with all three parts.
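The comment above says the SPN must have all three parts (service class, host with optional port, and a third service-name part) for Kerberos to follow the external trust. The PowerShell below is an added example, not code from the original post or any of the commenters: it splits an SPN into those parts so you can check which form an account actually has registered. The SPN strings, the `CONTOSO\svc-web` account and the `contoso.example` name are constructed samples; `setspn` is the built-in Windows tool (`-L` lists an account's SPNs, `-S` adds one after checking for duplicates).

```powershell
# Added example (not from the original post or comments): parse an SPN of the
# form serviceclass/host[:port][/servicename] and report whether it is the
# three-part form. Sample SPN values and account names are constructed.
function ConvertFrom-Spn {
    param([Parameter(Mandatory)][string]$Spn)

    # At most three components: serviceclass, host[:port], servicename
    $parts = $Spn -split '/', 3
    if ($parts.Count -lt 2) { throw "Not a valid SPN: '$Spn'" }

    $hostPort = $parts[1] -split ':', 2
    [pscustomobject]@{
        Spn          = $Spn
        ServiceClass = $parts[0]
        HostName     = $hostPort[0]
        Port         = if ($hostPort.Count -eq 2) { [int]$hostPort[1] } else { $null }
        ServiceName  = if ($parts.Count -eq 3) { $parts[2] } else { $null }
        ThreePart    = ($parts.Count -eq 3)
    }
}

# Constructed samples: a two-part SPN and a three-part SPN for the same web host.
'HTTP/web01.contoso.example',
'HTTP/web01.contoso.example:8080/contoso.example' |
    ForEach-Object { ConvertFrom-Spn $_ } |
    Format-Table ServiceClass, HostName, Port, ServiceName, ThreePart

# Checking what is registered for the (assumed) service account, and adding the
# three-part SPN if it is missing; -S refuses to create a duplicate SPN:
#   setspn -L CONTOSO\svc-web
#   setspn -S HTTP/web01.contoso.example:8080/contoso.example CONTOSO\svc-web
```

Run `setspn -L` first and feed each returned SPN through `ConvertFrom-Spn`; any entry with `ThreePart` set to `False` is one Kerberos Forest Search will not use according to the summary above, which is a quicker check than waiting for a failed ticket request from the trusted domain.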
hi, how are you?
I have a webserver protected by Kerberos and expect to authenticate users from Windows 7 clients in an external trust domain. If I configure forest search order it allows correct SPN lookup. But I did not want to use forest search order, so how do I make sure that Windows SPNEGO composes a 3-part SPN from the webserver URL so that the Windows client will look up a ticket from the correct KDC/realm? Any ideas?