6.1.6.2.2 TDO Roles in Authentication Protocols over Domain Boundaries

For most network authentication protocols, if a client wishes to securely authenticate to a service residing in a foreign domain, it becomes necessary for the client and service domains to have some form of trust. Most trust systems in use today rely upon some form of key for trust validation.

TDOs play an important part in the storage and distribution of information used for trust validation between domains. Commonly used Windows network authentication mechanisms such as Kerberos ([RFC4120] section 1.1) retrieve information from TDOs that have been established between the client and service domains. Additionally, services using other protocols such as NTLM, Digest, and SSL Certificate Mapping use the Generic Pass-through Mechanism over the Netlogon Remote Protocol [MS-NRPC] to authenticate users from foreign domains. Establishing the Netlogon Secure Channel requires the use of information contained in TDOs. The format and storage locations for this information will be discussed later (section 6.1.6.9.1), including information on the usage for relevant authentication protocols.
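As an added example of the kind of TDO information the paragraph refers to (this code is not from MS-ADTS or from any Microsoft implementation), the script below decodes the trustDirection, trustType and trustAttributes attributes of constructed trustedDomain records and reports the settings a defender would review on each trust, such as whether SID filtering (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) is in force on an external trust, whether a forest trust has been relaxed with TREAT_AS_EXTERNAL, and whether Kerberos over the trust is pinned to RC4. The attribute names and flag values are the ones defined for the trustedDomain class elsewhere in MS-ADTS; the sample records and the partner names are constructed for the example.

```python
"""Audit constructed trustedDomain (TDO) records for risky trust settings.

Added example, not from MS-ADTS. The attribute names and numeric values
follow the trustedDomain class (trustDirection, trustType, trustAttributes);
the SAMPLE_TDOS records below are constructed and describe no real forest.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# trustDirection values
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}
# trustType values
TRUST_TYPE = {1: "DOWNLEVEL", 2: "UPLEVEL", 3: "MIT", 4: "DCE"}
# trustAttributes bit flags (TRUST_ATTRIBUTE_* prefix dropped)
TRUST_ATTRIBUTES = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",          # SID filtering enforced on the trust
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL",           # forest trust treated as external for SID filtering
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
KNOWN_MASK = sum(TRUST_ATTRIBUTES)


@dataclass
class TrustReport:
    partner: str
    direction: str
    trust_type: str
    attributes: List[str]
    findings: List[str] = field(default_factory=list)


def decode_flags(value: int) -> List[str]:
    """Expand a trustAttributes integer into flag names, keeping unknown bits visible."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def audit_trust(record: dict) -> TrustReport:
    """Decode one TDO record and list the settings worth a second look."""
    flags = set(decode_flags(record.get("trustAttributes", 0)))
    direction = TRUST_DIRECTION.get(record.get("trustDirection", 0), "UNKNOWN")
    trust_type = TRUST_TYPE.get(record.get("trustType", 0), "UNKNOWN")
    report = TrustReport(record["trustPartner"], direction, trust_type, sorted(flags))

    forest = "FOREST_TRANSITIVE" in flags
    intra_forest = "WITHIN_FOREST" in flags
    if direction != "DISABLED" and not forest and not intra_forest \
            and "QUARANTINED_DOMAIN" not in flags:
        report.findings.append("external trust without QUARANTINED_DOMAIN: SID filtering not enforced")
    if forest and "TREAT_AS_EXTERNAL" in flags:
        report.findings.append("forest trust with TREAT_AS_EXTERNAL: SID filtering relaxed")
    if "USES_RC4_ENCRYPTION" in flags:
        report.findings.append("USES_RC4_ENCRYPTION: Kerberos over this trust limited to RC4")
    if "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION" in flags:
        report.findings.append("TGT delegation enabled across the trust")
    if trust_type == "DOWNLEVEL":
        report.findings.append("DOWNLEVEL trust: NTLM pass-through only, no Kerberos")
    return report


# Constructed sample records; a real audit would read these from the
# trustedDomain objects under CN=System of the domain NC.
SAMPLE_TDOS = [
    {"trustPartner": "partner.example", "trustDirection": 3, "trustType": 2, "trustAttributes": 0x004},
    {"trustPartner": "legacy.example", "trustDirection": 1, "trustType": 1, "trustAttributes": 0x000},
    {"trustPartner": "forest.example", "trustDirection": 3, "trustType": 2, "trustAttributes": 0x008 | 0x040 | 0x080},
    {"trustPartner": "child.example", "trustDirection": 3, "trustType": 2, "trustAttributes": 0x020},
]


def audit_all(records=SAMPLE_TDOS) -> Dict[str, TrustReport]:
    """Audit every record and key the reports by trust partner name."""
    return {r["trustPartner"]: audit_trust(r) for r in records}


if __name__ == "__main__":
    for partner, rep in audit_all().items():
        print(f"{partner}: {rep.direction} {rep.trust_type} {rep.attributes}")
        for finding in rep.findings:
            print(f"    - {finding}")
```

The findings are deliberately limited to what the TDO attributes themselves state; whether a given trust is acceptable still depends on which side of the trust the record was read from and on the SID filtering configured on the partner's own TDO.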