Kerberos and Separate Active Directory Forests

Kerberos and Separate Active Directory Forests

Q: Can Kerberos work across separate Active Directory forests?

A: Yes. If a forest root trust is created between the separate Active Directory (AD) forests, then Kerberos authentication is possible between any domain in any forest because of the transitive nature of the forest root trust. It is very important that services such as DNS are also correctly configured for cross-forest authentication to correctly function. The forest level of both forests must be at least Windows Server 2003. See this Microsoft article for some key details.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.