Very recently I followed a question at activedir.org (a very interesting mailing list!) concerning whether external trusts support Kerberos. (topic @ activedir.org)
Microsoft isn't always clear about it, but the following article does state it: Kerberos is only possible when a forest trust is created: http://technet.microsoft.com/nl-be/library/bb727065(en-us).aspx
And some other references:
- http://blogs.technet.com/tkarch/archive/2007/03/19/kerberos-demystified.aspx
Access to resources between domains that are connected by an external trust requires Pre-Windows 2000 Compatibility. Because external trusts only support NTLM authentication, queries to a directory in a different forest are always handled as anonymous access.
- http://support.microsoft.com/kb/830576
If you use an external trust, NTLM is used as the authentication protocol, no Kerberos involved. Kerberos authentication only works if the trust type is "Forest Trust".
- http://support.microsoft.com/kb/905687
External trusts only support Integrated Windows authentication (formerly called NTLM) for the user access.
Conclusion: External trusts only support NTLM authentication. External trusts are also known as "down-level trusts" or "Microsoft Windows NT Server 4.0 trusts."
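As an added example (not part of the original post), a PowerShell inventory that lists every trust of the local domain and marks which ones can carry Kerberos and which are NTLM-only; it assumes the RSAT ActiveDirectory module is installed and that Get-ADTrust exposes the IntraForest, ForestTransitive, TrustType, Direction and Target properties.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# RSAT module and an account that can read the domain's trustedDomain objects.
Import-Module ActiveDirectory

# Enumerate every trust object and label what kind of trust it is.
$report = Get-ADTrust -Filter * | ForEach-Object {
    $kind =
        if ($_.IntraForest)                   { 'Intra-forest (parent/child or shortcut)' }
        elseif ($_.ForestTransitive)          { 'Forest trust' }
        elseif ($_.TrustType -eq 'Downlevel') { 'Down-level (Windows NT 4.0) trust' }
        else                                  { 'External trust' }

    # Kerberos only crosses intra-forest and forest trusts; external and
    # down-level trusts are limited to NTLM, as the articles above state.
    $auth = if ($_.IntraForest -or $_.ForestTransitive) { 'Kerberos (NTLM fallback)' }
            else                                        { 'NTLM only' }

    [pscustomobject]@{
        Partner   = $_.Target
        Direction = $_.Direction
        Kind      = $kind
        Auth      = $auth
    }
}

$report | Sort-Object Auth, Partner | Format-Table -AutoSize

# The NTLM-only trusts are the ones to keep in view when planning NTLM
# auditing or restriction: blocking NTLM would break access across them.
$report | Where-Object Auth -eq 'NTLM only'
```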
3 Responses to AD: External trusts and Kerberos
http://setspn.blogspot.com/2009/09/ad-external-trusts-and-kerberos.html
Hello
Thank you, thank you and thank you!
I was searching for 3 days and at last I found this article.
Great!
Great I could be of help. However, since I wrote this article, updated information has become available at Microsoft.com. Whilst still not 100% clear, Jorge got it all covered and explained it in the smallest detail possible! Head over to his series of posts to get it all right: http://jorgequestforknowledge.wordpress.com/2011/09/07/kerberos-authentication-over-an-external-trust-is-it-possible-part-1/ Make sure to read all posts; there are 6 of them.