Answer to Q1:
- User1@domainB contacts its own domain controller (say, dc1.domainB) and asks for access to a resource in DomainA.
- The KDC (dc1.domainB) doesn't find the SPN of the resource in Active Directory, because the resource belongs to another domain/forest.
- dc1@domainB looks for the SPN in the global catalog, which in turn will check all trusts.
- If a corresponding SPN and trust are found, the GC returns a referral record back to dc1.domainB.
- dc1.domainB issues a referral TGT for accessing the domainA KDC to user1@domainB.
- User1@domainB contacts domainA and presents the referral TGT.
- The KDC in domainA checks whether there is such an SPN as specified in the incoming TGT.
- The KDC in domainA issues a service ticket to User1@domainB for accessing the particular resource in its domain, which includes the SIDs the user belongs to in domainA.
- User1@domainB presents the service ticket to the remote resource. The remote resource has a list of SIDs the user belongs to and determines the access level.
Answer to Q2:
It is a simpler form of the scenario in Q1:
- User1 logs in to a workstation in the domain.
- The KDC issues a TGT to User1 that contains the user's membership. This will include all domain local, global and universal groups.
- User1 contacts the KDC to access a server resource and presents the TGT obtained in the previous step.
- The KDC generates a service ticket to access the requested resource and returns it to User1.
- User1 connects to the server resource and presents the service ticket. The server resource will validate this ticket with the KDC and then make a decision on the access level.
Read this document for more detailed information: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
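The two flows above (cross-domain referral in Q1, single-domain TGT-to-service-ticket in Q2) as a toy model, added here as an illustration and not part of the original answer or of any Microsoft code. It has no cryptography or PAC encoding; it only models the routing decisions a KDC makes: service ticket for a local SPN, referral TGT when the global catalog resolves the SPN to a trusted realm, and a refusal when no trust exists. The realm names, SPNs and SIDs are constructed sample values.

```python
# Constructed toy model of Kerberos ticket routing across trusts (example code,
# not real Kerberos): no crypto, no PAC, just the decisions described in the answer.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    client: str          # e.g. "user1@DOMAINB"
    server: str          # an SPN, or "krbtgt/<REALM>" for a TGT / referral TGT
    issuing_realm: str   # the realm whose KDC issued the ticket
    sids: tuple          # group SIDs carried in the ticket (simplified PAC)

    @property
    def is_tgt(self):
        return self.server.startswith("krbtgt/")


KDCS = {}            # realm -> Kdc
GLOBAL_CATALOG = {}  # spn -> realm (forest-wide SPN index, as the GC provides)


class Kdc:
    def __init__(self, realm, spns, trusts, group_sids):
        self.realm = realm
        self.spns = set(spns)              # SPNs registered in this domain
        self.trusts = set(trusts)          # realms we trust / can refer to
        self.group_sids = group_sids       # client -> SIDs this domain resolves
        KDCS[realm] = self
        for spn in spns:
            GLOBAL_CATALOG[spn] = realm

    def as_request(self, user):
        """AS exchange (Q2 step 2): logon yields a TGT carrying home-domain group SIDs."""
        client = f"{user}@{self.realm}"
        return Ticket(client, f"krbtgt/{self.realm}", self.realm,
                      self.group_sids.get(client, ()))

    def tgs_request(self, tgt, spn):
        """TGS exchange: service ticket for a local SPN, or referral TGT for a trusted realm."""
        if not tgt.is_tgt or tgt.server != f"krbtgt/{self.realm}":
            raise PermissionError(f"{tgt.server} is not a TGT usable at realm {self.realm}")
        if tgt.issuing_realm != self.realm and tgt.issuing_realm not in self.trusts:
            raise PermissionError(f"no trust with issuing realm {tgt.issuing_realm}")
        if spn in self.spns:
            # Local resource: add the SIDs this domain knows for the client
            # (e.g. its domain local groups) to those already in the TGT.
            extra = tuple(s for s in self.group_sids.get(tgt.client, ()) if s not in tgt.sids)
            return Ticket(tgt.client, spn, self.realm, tgt.sids + extra)
        # SPN is not ours: consult the GC, then require a trust to the owning realm.
        target = GLOBAL_CATALOG.get(spn)
        if target is None or target not in self.trusts:
            raise LookupError(f"SPN {spn} not in GC or not reachable through a trust")
        # Referral TGT: a TGT for the target realm's krbtgt, issued by this realm.
        return Ticket(tgt.client, f"krbtgt/{target}", self.realm, tgt.sids)


def get_service_ticket(home_realm, user, spn):
    """Client side: logon, ask the home KDC, follow one referral if needed.
    Returns (service_ticket, realms contacted in order)."""
    kdc = KDCS[home_realm]
    tgt = kdc.as_request(user)
    path = [home_realm]
    ticket = kdc.tgs_request(tgt, spn)
    if ticket.is_tgt:                          # referral TGT: present it to the target KDC
        target_realm = ticket.server.split("/", 1)[1]
        path.append(target_realm)
        ticket = KDCS[target_realm].tgs_request(ticket, spn)
    return ticket, path


def build_forest():
    """Constructed sample forest: A and B trust each other; C trusts nobody."""
    KDCS.clear()
    GLOBAL_CATALOG.clear()
    Kdc("DOMAINA", spns=["cifs/fs1.domaina"], trusts={"DOMAINB"},
        group_sids={"user1@DOMAINB": ("S-1-5-21-A-1104",)})       # domain local group in A
    Kdc("DOMAINB", spns=["cifs/fs2.domainb"], trusts={"DOMAINA"},
        group_sids={"user1@DOMAINB": ("S-1-5-21-B-513", "S-1-5-21-B-1201")})
    Kdc("DOMAINC", spns=["cifs/fs3.domainc"], trusts=set(), group_sids={})


if __name__ == "__main__":
    build_forest()
    print(get_service_ticket("DOMAINB", "user1", "cifs/fs1.domaina"))  # Q1: cross-domain
    print(get_service_ticket("DOMAINB", "user1", "cifs/fs2.domainb"))  # Q2: same domain
```

Run it and the first call shows the path DOMAINB then DOMAINA with a ticket issued by DOMAINA that carries both the B-domain SIDs from the TGT and the A-domain SID the target KDC added; the second call never leaves DOMAINB. Asking for cifs/fs3.domainc from DOMAINB raises LookupError, which is the case the answer's "if corresponding SPN and trust is found" step covers.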