Very recently I followed a question at activedir.org (very interesting mailing list!) concerning whether external trusts support Kerberos. (topic @ activedir.org)
Microsoft isn't always clear about it, but the following article does state that Kerberos is only possible when a forest trust is created: http://technet.microsoft.com/nl-be/library/bb727065(en-us).aspx
And some other references:
- http://blogs.technet.com/tkarch/archive/2007/03/19/kerberos-demystified.aspx
Access to resources between domains that are connected by an external trust requires Pre-Windows 2000 Compatibility. Because external trusts only support NTLM authentication, queries to a directory in a different forest are always handled as anonymous access.
- http://support.microsoft.com/kb/830576
If you use an external trust NTLM is used as authentication protocol, no Kerberos involved. Kerberos authentication only works if the trust type is “Forest Trust”.
- http://support.microsoft.com/kb/905687
External trusts only support Integrated Windows authentication (formerly called NTLM) for the user access.
Conclusion: External trusts only support NTLM authentication. External trusts are also known as "down-level trusts" or "Microsoft Windows NT Server 4.0 trusts."
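To find which trusts in an environment fall under that conclusion, here is an added example (not from the original post or the Microsoft articles): a small Python helper that classifies trustedDomain records by their trustType and trustAttributes values and lists the external ones. The partner names and records are constructed, the function names are hypothetical, and the flag values are the trustAttributes bits documented in MS-ADTS.

```python
# Added example: classify AD trustedDomain records (constructed samples).
# Flag values are the trustAttributes bits documented in MS-ADTS.
FOREST_TRANSITIVE = 0x08   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
WITHIN_FOREST = 0x20       # TRUST_ATTRIBUTE_WITHIN_FOREST
QUARANTINED = 0x04         # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN (SID filtering)
TRUST_TYPES = {1: "downlevel", 2: "uplevel", 3: "mit"}


def classify_trust(record):
    """Return the trust kind for one trustedDomain record."""
    attrs = int(record.get("trustAttributes", 0))
    ttype = TRUST_TYPES.get(int(record.get("trustType", 0)), "unknown")
    if ttype == "mit":
        kind = "realm"            # non-Windows Kerberos realm
    elif attrs & WITHIN_FOREST:
        kind = "intra-forest"     # parent/child or shortcut trust
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
    else:
        kind = "external"         # includes downlevel (NT 4.0 style) trusts
    return {
        "partner": record["trustPartner"],
        "kind": kind,
        "trust_type": ttype,
        "sid_filtering": bool(attrs & QUARANTINED),
    }


def external_trusts(records):
    """Partners reached over an external trust (NTLM per the post above)."""
    return [c["partner"] for c in map(classify_trust, records)
            if c["kind"] == "external"]


# Constructed sample data, shaped like an LDAP export of trustedDomain objects.
SAMPLE = [
    {"trustPartner": "child.corp.example", "trustType": 2, "trustAttributes": 0x20},
    {"trustPartner": "partnerforest.example", "trustType": 2, "trustAttributes": 0x08},
    {"trustPartner": "vendor.example", "trustType": 2, "trustAttributes": 0x04},
    {"trustPartner": "LEGACYNT4", "trustType": 1, "trustAttributes": 0},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify_trust(rec))
    print("external:", external_trusts(SAMPLE))
```

The same attributes can be read from the trustedDomain objects under the domain's System container and fed to `classify_trust` in place of the sample records.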