Conditions for Kerberos to be used over an External Trust

We have updated the TechNet article, Technologies for Federating Multiple Forests, to include the prerequisites for employing Kerberos over external trusts. Highlights of the updates from the article are:

  • The trust has to be created using the fully qualified domain name (FQDN). Kerberos referral fails if the FQDN is missing from the TDO. Windows Server 2003 Add Trust wizard does not create trusts with Windows 2000 and newer domains without DNS name resolution. For more information see, DNS and NetBIOS Name Resolution to Create External, Realm, and Forest Trusts
  • User name syntax is UPN and the UPN suffix is resolvable to a DC in DNS (implicit UPN)
  • UDP 389, UDP/TCP 88, and UDP/TCP 464 (password change requests) ports are open for the domain controllers in the user domain.
  • The server name in the trusting resource domain has to be the FQDN, and the domain suffix of the server name has to match the AD DS domain’s DNS FQDN.
  • Interactive logon across external trusts will attempt Kerberos. On Windows XP and Windows Server 2003, NTLM will be tried if Kerberos fails. Windows Vista and newer operating systems will not allow fallback to NTLM for interactive logon over external trusts.

For a complete list of the prerequisites for using Kerberos over an external trust see, Table 1 External Trusts vs Forest Trusts, in the article mentioned above.



Comments (8)

  1. Here is a summary on Kerberos Forest Search, and it also describes what you need in a SPN to make Keberos use the external trust:…/configure-kerberos-forest-search-order-kfso(v=ws.10).aspx

    You need a SPN with all three parts.

  2. J says:

    Hello, Thanks for the update, great. One thing however: the "update date" is still set to 2007.

  3. J says:

    One other thing: the following phrase implies it is only relevant to Windows 2000:

    "External trusts are used in Windows 2000 to enable trust between two domains that are in different forests". Perhaps this could be adjusted. Thanks.

  4. Thanks for the feedback.  I will work to get both of these items updated.

  5. A while ago i blogged about this as well. My conclusion then was that external trusts do not support Kerberos. The article is right here:…/ad-external-trusts-and-kerberos.html I got some references to MS docs/kb's and also a topic over at All concluded that external trusts do not support Kerberos. How come this now is changed? Because the requirements listered here aren't that extraordinary… So who are what made you guys bring this out, and why was it listed otherwise for so many years? Just kinda curious.



  6. John Griepentrog says:

    FYI – it appears that Kerberos over External Trusts can be done if all DCs are Windows Server 2008 R2 or above using the Use Forest Search Order setting in the Administrative Template for the KDC.

    More information is available on Jorge's blog –…/kerberos-authentication-over-an-external-trust-is-it-possible-part-6

  7. nechirvan says:

    hi, how are you?

  8. narsimha says:

    I have a webserver protectected by kerberos and expect to authticate users from windows7 clients in external trust domain. If I configure forest search order it allows correct SPN lookup. But I did not to useforest search order, how do I make sure that windows spengo composes a 3 part spn from the webserver url so that windows client will look up ticket from the correct KDC/realm ?
    Any ideas ?

Skip to main content