Domain Trust Kerberos Authentication
NetBIOS ports, as listed for Windows NT, are also required for Windows 2000 and Windows Server 2003 when trusts are configured to domains that support only NetBIOS-based communication.
Domain trust Kerberos authentication. In order to set up Kerberos for the site, make sure Negotiate is at the top of the provider list. It might also use NTLM, which is also a provider in Windows Authentication. This enables the TGT to be used throughout the domain and presented to any DC in the domain. A Kerberos principal name is structured in the format service/hostname@REALM; the service is generally a protocol such as LDAP, IMAP, HTTP, or HOST.
Use this information to configure Kerberos authentication in a multi-domain environment. The following Kerberos V5 authentication process occurs. In the Outgoing Trust Authentication Level - Local Forest window, select Forest-wide authentication. A realm trust only uses Kerberos V5 authentication.
Kerberos communication within a domain is fairly straightforward: the domain Kerberos service account is used to sign and encrypt every authentication ticket (TGT). In general, joining a client to a Windows domain means enabling Kerberos as the default protocol for authentication from that client to services in the Windows domain and in all domains with trust relationships to that domain. Kerberos clients typically use the host name or DNS domain name for Kerberos realm mapping. NTLM is not used.
When the direction of the trust is from a non-Windows Kerberos realm to an AD DS domain (realm trusts AD DS domain), the non-Windows realm trusts all security principals in the AD DS domain. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match. These different types of domain-to-domain trusts work well with Kerberos authentication, although each domain must have its directory configuration set up in the GCD and the application server must have LDAP providers set up for each domain. The hostname is the fully qualified domain name of the host system, and the realm is the Kerberos realm to which it belongs.
Enabling Windows Authentication doesn't mean the Kerberos protocol will be used. Kerberos is used as the preferred authentication method.