Q: Can Kerberos work across separate Active Directory forests?
A: Yes. If a forest root trust is created between the separate Active Directory (AD) forests, then Kerberos authentication is possible between any domain in any forest because of the transitive nature of the forest root trust. It is very important that services such as DNS are also correctly configured for cross-forest authentication to correctly function. The forest level of both forests must be at least Windows Server 2003. See this Microsoft article for some key details.
0 comments
Hide comments