Conditions for Kerberos to be used over an External Trust
We have updated the TechNet article, Technologies for Federating Multiple Forests, to include the prerequisites for employing Kerberos over external trusts. Highlights of the updates from the article are:
- The trust must be created using the fully qualified domain name (FQDN). Kerberos referral fails if the FQDN is missing from the trusted domain object (TDO). The Windows Server 2003 Add Trust wizard will not create a trust with a Windows 2000 or newer domain unless DNS name resolution is available. For more information see DNS and NetBIOS Name Resolution to Create External, Realm, and Forest Trusts.
- The user name is given in UPN syntax (user@suffix), and the UPN suffix is resolvable in DNS to a domain controller of the user's domain. This is the implicit UPN, where the suffix is the domain's DNS name.
- UDP 389 (LDAP ping, used by the DC locator), UDP/TCP 88 (Kerberos), and UDP/TCP 464 (Kerberos password change requests) are open to the domain controllers in the user's domain.
- The server name in the trusting (resource) domain must be the FQDN, and the domain suffix of the server name must match the DNS FQDN of the AD DS domain.
- Interactive logon across an external trust attempts Kerberos first. On Windows XP and Windows Server 2003, NTLM is tried if Kerberos fails. Windows Vista and newer operating systems do not fall back to NTLM for interactive logon over an external trust.
For a complete list of the prerequisites for using Kerberos over an external trust see Table 1, External Trusts vs Forest Trusts, in the article mentioned above.
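As an added example (not part of the TechNet article or of this post), the following PowerShell script checks those prerequisites from a computer joined to the trusting (resource) domain: that the TDO is keyed by the FQDN and points the right way, that the UPN suffix resolves to KDCs, that TCP 88 and 464 are reachable on those KDCs, that the DC locator (which relies on the UDP 389 LDAP ping) can find a KDC, and that the target server is named by an FQDN in this domain with a matching HOST/ SPN. It assumes the ActiveDirectory and DnsClient modules and Test-NetConnection, which ship with Windows Server 2012 R2 / Windows 8.1 and later (newer than the systems the article covers); the UPN alice@corp.contoso.com and the server fs01.fabrikam.com are placeholders.

```powershell
<#
  Added pre-flight check for Kerberos over an external trust (example code, not from the
  TechNet article). Run on a member of the trusting (resource) domain. Assumes the
  ActiveDirectory and DnsClient modules and Test-NetConnection (Windows Server 2012 R2 /
  Windows 8.1 or later). The UPN and server name below are placeholders.
#>
param(
    # Placeholder: a user from the trusted (account) domain, written as an implicit UPN.
    [string]$UserPrincipalName = 'alice@corp.contoso.com',
    # Placeholder: the server in the trusting (resource) domain, as an FQDN.
    [string]$ResourceServer    = 'fs01.fabrikam.com'
)

Import-Module ActiveDirectory

$script:Failures = 0
function Fail([string]$Message) { Write-Warning $Message; $script:Failures++ }
function Pass([string]$Message) { Write-Host "OK   $Message" }

# 1. UPN syntax: the part after '@' must be a DNS name, so the KDC can build a referral from it.
if ($UserPrincipalName -notmatch '^[^@\\]+@([^@]+\.[^@]+)$') {
    Fail "'$UserPrincipalName' is not in user@dns.suffix form; DOMAIN\user syntax will not get a Kerberos referral"
    exit 1
}
$UserDomain = $Matches[1]

# 2. The TDO in the resource domain must be named by the trusted domain's FQDN, not only its NetBIOS name.
$trust = Get-ADTrust -Filter "Name -eq '$UserDomain'"
if (-not $trust) {
    Fail "No trust named '$UserDomain'; a NetBIOS-only TDO cannot be used for Kerberos referrals"
} else {
    Pass "Trust '$($trust.Name)' found (direction $($trust.Direction), forest transitive: $($trust.ForestTransitive))"
    # Outbound from this domain's TDO means this (resource) domain trusts $UserDomain's users.
    if ($trust.Direction -notin 'Outbound', 'BiDirectional') {
        Fail "Trust direction is $($trust.Direction): this domain must trust $UserDomain for its users to be authenticated here"
    }
}

# 3. DNS: the UPN suffix must resolve to KDCs, i.e. _kerberos._tcp.<suffix> SRV records must exist.
$kdcs = Resolve-DnsName -Name "_kerberos._tcp.$UserDomain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
if (-not $kdcs) {
    Fail "No _kerberos._tcp.$UserDomain SRV records: the referral cannot locate a KDC for the UPN suffix"
} else {
    Pass "KDCs for ${UserDomain}: $($kdcs -join ', ')"
    # 4. Ports: Kerberos (88) and kpasswd (464) must be reachable on those KDCs. Test-NetConnection only
    #    probes TCP; UDP 88/464 and the UDP 389 LDAP ping are exercised by the DC locator call below.
    foreach ($kdc in $kdcs) {
        foreach ($port in 88, 464) {
            $r = Test-NetConnection -ComputerName $kdc -Port $port -WarningAction SilentlyContinue
            if ($r.TcpTestSucceeded) { Pass "$kdc TCP/$port reachable" } else { Fail "$kdc TCP/$port blocked" }
        }
    }
}

# DC locator across the trust (uses the UDP 389 LDAP ping); /kdc asks specifically for a KDC.
$null = & nltest.exe "/dsgetdc:$UserDomain" /kdc /force
if ($LASTEXITCODE -eq 0) {
    Pass "DC locator found a KDC for $UserDomain"
} else {
    Fail "nltest /dsgetdc:$UserDomain /kdc failed (exit $LASTEXITCODE); check UDP 389 and name resolution"
}

# 5. The target must be named by an FQDN whose suffix is this domain's DNS name, and it needs a
#    HOST/<fqdn> SPN so the KDC can issue a service ticket for it.
$resourceDomain = (Get-ADDomain).DNSRoot
if ($ResourceServer -notmatch '\.') {
    Fail "'$ResourceServer' is a short name; the article requires the FQDN of the server"
} elseif (-not $ResourceServer.EndsWith(".$resourceDomain", [System.StringComparison]::OrdinalIgnoreCase)) {
    Fail "'$ResourceServer' does not end in .$resourceDomain, so its suffix does not match this AD DS domain"
} else {
    Pass "'$ResourceServer' matches resource domain $resourceDomain"
    $short = $ResourceServer.Split('.')[0]
    $comp  = Get-ADComputer -Filter "Name -eq '$short'" -Properties servicePrincipalName
    if ($comp -and ($comp.servicePrincipalName -contains "HOST/$ResourceServer")) {
        Pass "HOST/$ResourceServer SPN registered on $($comp.DistinguishedName)"
    } else {
        Fail "No HOST/$ResourceServer SPN found on a computer object named $short"
    }
}

if ($script:Failures -eq 0) { Write-Host 'All Kerberos-over-external-trust prerequisites look satisfied.' }
else { Write-Warning "$script:Failures prerequisite check(s) failed." }
```

The port probes cover TCP only; the nltest step is what actually drives the UDP-based DC locator, so a failure there with passing TCP checks usually points at UDP 389 or DNS. Once the script passes, log on with the UPN from a client in the resource domain and run klist in that session: a service ticket for the server's SPN confirms Kerberos was used rather than NTLM.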