Why can't I create a Kerberos-based trust between two domains in different forests?

A. When you manually create trusts, you can select one of two authentication protocols.

  • Kerberos—The Kerberos V5 authentication protocol is the default authentication service for Windows 2000. You use it to verify that a user/host is who it says it is. This protocol is used for trusts between domains in a tree and between the root domains in a forest.
  • NT LAN Manager (NTLM)—The NTLM authentication protocol is the default for network authentication in Windows NT 4.0 and earlier, but Win2K still supports it (although not as the default). NTLM is a challenge/response authentication protocol.

A transitive Kerberos-based trust links domains WITHIN a forest. Thus, when you create a trust between two domains in different forests, you can select only NTLM because Kerberos isn't available for cross-forest trust relationships. This limitation isn't a Kerberos one, but a limitation of the Microsoft implementation. If you use a third-party Kerberos implementation (e.g., MIT), you can use Kerberos for cross-forest trusts.
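As an added example (not part of the original answer), the following PowerShell audits the trusts a domain already has and classifies each one along the lines described above: intra-forest trusts (Kerberos, transitive) versus external trusts (NTLM, non-transitive). It goes slightly beyond the Win2K-era answer by also recognizing forest trusts and MIT realm trusts, which later Windows versions added. It assumes the RSAT ActiveDirectory module and read access to the trustedDomain objects; the bit values are the documented TRUST_ATTRIBUTE_* flags.

```powershell
# Added example, not from the original article. Requires the RSAT
# ActiveDirectory module and permission to read trustedDomain objects.
Import-Module ActiveDirectory

# TRUST_ATTRIBUTE_* bit flags stored in the trustAttributes attribute
$NON_TRANSITIVE     = 0x01   # external trusts are non-transitive
$QUARANTINED_DOMAIN = 0x04   # SID filtering (quarantine) enabled
$FOREST_TRANSITIVE  = 0x08   # forest trust (Windows Server 2003 and later)
$WITHIN_FOREST      = 0x20   # trust between domains of the same forest

function Get-TrustSummary {
    Get-ADTrust -Filter * | ForEach-Object {
        $attr = [int]$_.TrustAttributes

        # Classify by the flags first, then by the trust type for MIT realms.
        $kind = if ($attr -band $WITHIN_FOREST) {
                    'Intra-forest (Kerberos, transitive)'
                } elseif ($attr -band $FOREST_TRANSITIVE) {
                    'Forest trust (Kerberos, transitive)'
                } elseif ($_.TrustType -eq 'MIT') {
                    'MIT realm trust (Kerberos)'
                } else {
                    'External trust (NTLM, non-transitive)'
                }

        [pscustomobject]@{
            Name         = $_.Name
            Direction    = $_.Direction
            Kind         = $kind
            Transitive   = -not ($attr -band $NON_TRANSITIVE)
            SidFiltering = [bool]($attr -band $QUARANTINED_DOMAIN)
        }
    }
}

# External (NTLM) trusts without SID filtering are the ones worth reviewing.
Get-TrustSummary | Sort-Object Kind | Format-Table -AutoSize
```

Run it from a domain-joined administrative host; any trust reported as "External trust" with SidFiltering false is a candidate for enabling quarantine.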
