Version for print

Why can't I create a Kerberos-based trust between two domains in different forests?

When you manually create trusts, you can select one of two authentication protocols.

Kerberos—The Kerberos V5 authentication protocol is the default authentication service for Windows 2000. You use it to verify that a user/host is who it says it is. This protocol is used for trusts between domains in a tree and between the root domains in a forest.
NT LAN Manager (NTLM)—The NTLM authentication protocol is the default for network authentication in Windows NT 4.0 and earlier, but Win2K still supports it (although not as the default). NTLM is a challenge/response authentication protocol.

A transitive Kerberos-based trust links domains WITHIN a forest. Thus, when you create a trust between two domains in different forests, you can select only NTLM because Kerberos isn't available for cross-forest trust relationships. This limitation isn't a Kerberos one, but a limitation of the Microsoft implementation. If you use a third-party Kerberos implementation (e.g., MIT), you can use Kerberos for cross-forest trusts.

1st Security Center	Internet Security Tweak Pro	Security Officer	Internet Explorer Security	Dark Files	Security Department

Security FAQ

Windows Privacy Tools - http//www.privacywindows.com