Conditions for Kerberos to be used over an External Trust

We have updated the TechNet article, Technologies for Federating Multiple Forests, to include the prerequisites for employing Kerberos over external trusts. Highlights of the updates from the article are:

  • The trust has to be created using the fully qualified domain name (FQDN). Kerberos referral fails if the FQDN is missing from the TDO (trusted domain object). The Windows Server 2003 Add Trust wizard does not create trusts with Windows 2000 and newer domains without DNS name resolution. For more information, see DNS and NetBIOS Name Resolution to Create External, Realm, and Forest Trusts.
  • The user name is supplied in UPN syntax, and the UPN suffix is resolvable in DNS to a DC (implicit UPN).
  • The UDP 389 (LDAP ping), UDP/TCP 88 (Kerberos), and UDP/TCP 464 (password change requests) ports are open to the domain controllers in the user domain.
  • The server name in the trusting resource domain has to be the FQDN, and the domain suffix of the server name has to match the AD DS domain's DNS FQDN.
  • Interactive logon across external trusts will attempt Kerberos. On Windows XP and Windows Server 2003, NTLM will be tried if Kerberos fails. Windows Vista and newer operating systems will not allow fallback to NTLM for interactive logon over external trusts.

For a complete list of the prerequisites for using Kerberos over an external trust, see Table 1, External Trusts vs Forest Trusts, in the article mentioned above.
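The prerequisites above can be checked from a domain-joined machine before anyone has to read a failed referral out of a network trace. The following PowerShell script is an added example, not code from the TechNet article or from this post. It assumes the RSAT ActiveDirectory and DnsClient modules are installed (Get-ADTrust, Get-ADDomain, Resolve-DnsName and Test-NetConnection), that it runs on a member of the trusting (resource) domain, and that the domain and host names in the usage line are constructed placeholders.

```powershell
# Added example, not from the TechNet article or this post.
# Checks the listed prerequisites for Kerberos over an external trust from a
# member of the trusting (resource) domain. Assumes the RSAT ActiveDirectory and
# DnsClient modules are present; every domain/host name below is a placeholder.
Import-Module ActiveDirectory

function Test-KerberosExternalTrustPrereqs {
    [CmdletBinding()]
    param(
        # FQDN of the trusted (user) domain on the far side of the external trust
        [Parameter(Mandatory)] [string] $TrustedDomain,
        # FQDN the clients will use to reach the resource server
        [Parameter(Mandatory)] [string] $ResourceServer,
        # DNS name of the local (trusting) AD DS domain; defaults to the current domain
        [string] $ResourceDomain = (Get-ADDomain).DNSRoot
    )

    $result = [ordered]@{}

    # 1. The trust must have been created with the FQDN, so the TDO name carries a dot.
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -ErrorAction SilentlyContinue
    $result.TrustFoundByFqdn = [bool]$trust -and ($trust.Name -like '*.*')
    $result.TrustType        = if ($trust) { $trust.TrustType } else { $null }
    $result.TrustDirection   = if ($trust) { $trust.Direction } else { $null }

    # 2. The UPN suffix must resolve to a DC: query the Kerberos SRV record of the user domain.
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$TrustedDomain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_ -and $_.Type -eq 'SRV' }
    $dcs = @($srv | Where-Object { $_ } | ForEach-Object { $_.NameTarget } | Sort-Object -Unique)
    $result.UpnSuffixResolvesToDc = $dcs.Count -gt 0
    $result.DomainControllers     = $dcs

    # 3. TCP 88 (Kerberos) and TCP 464 (kpasswd) must be reachable on every user-domain DC.
    #    Test-NetConnection probes TCP only: UDP 88/464 and UDP 389 (LDAP ping) are not
    #    verified here and still have to be confirmed on the firewall.
    $portResults = foreach ($dc in $dcs) {
        foreach ($port in 88, 464) {
            $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $port; TcpOpen = $tnc.TcpTestSucceeded }
        }
    }
    $failed = @($portResults | Where-Object { $_ -and -not $_.TcpOpen })
    $result.PortChecks      = $portResults
    $result.AllTcpPortsOpen = ($dcs.Count -gt 0) -and ($failed.Count -eq 0)

    # 4. The resource server must be addressed by FQDN and its suffix must match the
    #    trusting domain's DNS name, otherwise the client cannot build a routable SPN.
    $result.ServerIsFqdn              = $ResourceServer -like '*.*'
    $result.ServerSuffixMatchesDomain = $ResourceServer.ToLower().EndsWith(".$ResourceDomain".ToLower())

    $result.AllPrerequisitesMet = $result.TrustFoundByFqdn -and $result.UpnSuffixResolvesToDc -and
                                  $result.AllTcpPortsOpen -and $result.ServerIsFqdn -and
                                  $result.ServerSuffixMatchesDomain
    [pscustomobject]$result
}

# Usage with placeholder names; run on a member of the trusting domain.
Test-KerberosExternalTrustPrereqs -TrustedDomain 'users.example.com' `
                                  -ResourceServer 'web01.resources.example.net' |
    Format-List
```

A `$false` in any single field points at the prerequisite that will make the client fall back to NTLM (or, on Windows Vista and later interactive logons, fail outright); the UDP ports and the NTLM fallback behaviour on the client are the two items the script cannot observe and must be checked separately.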

Thanks!!

Comments

  • Anonymous
    January 01, 2003
    Here is a summary on Kerberos Forest Search, and it also describes what you need in an SPN to make Kerberos use the external trust: technet.microsoft.com/.../configure-kerberos-forest-search-order-kfso(v=ws.10).aspx You need an SPN with all three parts.

  • Anonymous
    August 06, 2010
    Hello, Thanks for the update, great. One thing however: the "update date" is still set to 2007.

  • Anonymous
    August 06, 2010
    One other thing: the following phrase implies it is only relevant to Windows 2000: "External trusts are used in Windows 2000 to enable trust between two domains that are in different forests". Perhaps this could be adjusted. Thanks.

  • Anonymous
    August 09, 2010
    Thanks for the feedback. I will work to get both of these items updated.

  • Anonymous
    August 12, 2010
    A while ago I blogged about this as well. My conclusion then was that external trusts do not support Kerberos. The article is right here: setspn.blogspot.com/.../ad-external-trusts-and-kerberos.html I got some references to MS docs/KBs and also a topic over at ActiveDir.org. All concluded that external trusts do not support Kerberos. How come this now is changed? Because the requirements listed here aren't that extraordinary... So who or what made you guys bring this out, and why was it listed otherwise for so many years? Just kinda curious. Regards Thomas

  • Anonymous
    April 19, 2012
    FYI - it appears that Kerberos over External Trusts can be done if all DCs are Windows Server 2008 R2 or above using the Use Forest Search Order setting in the Administrative Template for the KDC. More information is available on Jorge's blog - jorgequestforknowledge.wordpress.com/.../kerberos-authentication-over-an-external-trust-is-it-possible-part-6

  • Anonymous
    March 20, 2014
    hi, how are you?

  • Anonymous
    March 23, 2014
    I have a webserver protected by Kerberos and expect to authenticate users from Windows 7 clients in an external trust domain. If I configure forest search order it allows correct SPN lookup. But I do not want to use forest search order, so how do I make sure that Windows SPNEGO composes a 3-part SPN from the webserver URL so that the Windows client will look up a ticket from the correct KDC/realm?
    Any ideas?