The following excerpt, courtesy of Elsevier Digital Press, is from Chapter 5 of the book "Windows Server 2003 security infrastructures" written by Jan De Clercq.
Logging on to Windows using Kerberos:
Multiple forest logon process
In Windows Server 2003, Microsoft has added extra information to the trusted domain object (TDO) that represents a forest trust, namely the DNS name suffixes of the domains in the trusted forest, to enable interforest authentication traffic. Let's look at an example that shows how Windows Server 2003 uses this extra information stored in the TDO to route Kerberos authentication requests during a cross-forest resource access.
In the example (illustrated in Figure 5.19), a user that is logged on to the emea.compaq.com domain (both the user and the machine account are defined in emea.compaq.com) wants to access a resource located on a server in the us.hp.com domain. Both forests are at forest functionality level 2 (Windows Server 2003 mode, which a forest trust requires), and a bidirectional forest trust relationship has been set up between them. From a Kerberos point of view, the user is already logged on to the emea.compaq.com domain and holds a valid TGT. The remote resource is identified using an SPN of the following format:
In this example the authentication requests will be routed as follows:
1. The user's machine contacts the local DC to request a Kerberos service ticket for the resource in the us.hp.com domain. The DC in emea.compaq.com cannot find an entry for the remote service in its local domain database and asks a GC server in its own forest for help. The GC suspects, based on the DNS suffix of the host name in the SPN matched against the name suffixes stored in the forest trust's TDO, that the service is located in the hp.com forest. It returns this routing hint to the DC, and the DC refers the user to a DC in the compaq.com forest root domain. Each referral in this chain is a cross-realm TGT for the next domain, encrypted with the key the two domains share through their trust relationship, so the client can present it to the next DC without a new logon.
Figure 5.19 Forest trust authentication flow.
2. The user's machine contacts a DC in the root domain of the compaq.com forest. Because the forest trust exists between the two forest root domains, this DC refers the user to a DC in the root domain of the hp.com forest.
3. The user's machine contacts a DC in the root domain of the hp.com forest. That DC double-checks with a GC in its own forest that the service really is located in the hp.com forest; it does not act on the other forest's routing hint alone. After validation it refers the user to a DC in the us.hp.com domain.
4. The user's machine contacts a DC in the us.hp.com domain. This DC can issue a service ticket to the user for the resource in the us.hp.com domain.
5. The user uses the service ticket to authenticate to the resource server in the us.hp.com domain.
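The routing logic behind steps 1 through 5, as an added example that is not code from the book: a small Python model of a KDC that resolves the DNS suffix of the host in an SPN against its own forest's domains first and, failing that, against the name suffixes stored on the forest trust's TDO, then hands out the chain of referral TGTs and the final service ticket. The forest layout, trust tables, host names and the cifs/ SPN are constructed for illustration; intra-forest referrals are simplified to the child, forest root, child path (no shortcut trusts), and the remote forest root re-checks the hint against its own domain list as in step 3. A host whose suffix no domain or trusted forest claims is rejected the way a KDC would reject an unknown principal.

```python
# Added example (not from the book): a model of Windows Server 2003 cross-forest
# Kerberos referral routing driven by the forest trust's TDO name suffixes.
# Forests, trust tables and SPNs below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Forest:
    root: str                 # DNS name of the forest root domain
    domains: set              # every domain in the forest, root included
    # Name-suffix routing information from the forest-trust TDO:
    # trusted forest root -> DNS suffixes that route to that forest.
    trust_suffixes: dict = field(default_factory=dict)


def parse_spn(spn):
    """Split '<class>/<host>[:port][/<name>]' into (class, host); host is lowercased."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("malformed SPN: %r" % spn)
    return parts[0], parts[1].split(":")[0].lower()


def longest_suffix_match(fqdn, candidates):
    """Longest candidate domain that fqdn equals or sits under, else None."""
    best = None
    for name in candidates:
        name = name.lower()
        if fqdn == name or fqdn.endswith("." + name):
            if best is None or len(name) > len(best):
                best = name
    return best


def forest_of(domain, forests):
    for forest in forests.values():
        if domain in forest.domains:
            return forest
    raise LookupError("unknown domain %s" % domain)


def route_request(spn, user_domain, forests):
    """Return [(KDC domain, ticket issued)] for a client in user_domain asking for spn.

    Every hop but the last issues a referral (cross-realm) TGT for the next
    realm; the last hop issues the service ticket the client presents to the
    resource server (step 5).
    """
    svc_class, host = parse_spn(spn)
    local = forest_of(user_domain, forests)

    # Step 1: the local DC, with its GC, asks which domain owns the host's DNS name.
    target = longest_suffix_match(host, local.domains)
    if target == user_domain:
        path = [user_domain]                       # local DC issues the ticket itself
    elif target is not None:
        path = [user_domain, local.root, target]   # simplified intra-forest trust path
    else:
        # No local domain matches: the GC uses the forest-trust name suffixes
        # from the TDO as a routing hint toward the forest that claims the suffix.
        remote_root, best = None, None
        for root, suffixes in local.trust_suffixes.items():
            match = longest_suffix_match(host, suffixes)
            if match is not None and (best is None or len(match) > len(best)):
                remote_root, best = root, match
        if remote_root is None:
            raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN: no route for " + host)
        # Step 3: the remote forest root double-checks the hint with its own GC.
        target = longest_suffix_match(host, forests[remote_root].domains)
        if target is None:
            raise LookupError("hint pointed at %s, but no domain there owns %s"
                              % (remote_root, host))
        path = [user_domain, local.root, remote_root, target]

    # Collapse repeated hops (user already in the root, or the target is a root).
    hops = [path[0]]
    for domain in path[1:]:
        if domain != hops[-1]:
            hops.append(domain)

    tickets = []
    for cur, nxt in zip(hops, hops[1:]):
        tickets.append((cur, "krbtgt/%s@%s" % (nxt.upper(), cur.upper())))
    tickets.append((hops[-1], "%s/%s@%s" % (svc_class, host, hops[-1].upper())))
    return tickets


# Constructed forests matching the book's example: the user sits in
# emea.compaq.com, the resource in us.hp.com, and a bidirectional forest
# trust links the two root domains.
FORESTS = {
    "compaq.com": Forest("compaq.com", {"compaq.com", "emea.compaq.com"},
                         {"hp.com": {"hp.com"}}),
    "hp.com": Forest("hp.com", {"hp.com", "us.hp.com"},
                     {"compaq.com": {"compaq.com"}}),
}

if __name__ == "__main__":
    for kdc, ticket in route_request("cifs/fs1.us.hp.com", "emea.compaq.com", FORESTS):
        print("%-16s issues %s" % (kdc, ticket))
```

Running the block prints one line per hop of the figure: emea.compaq.com issues a referral TGT for COMPAQ.COM, compaq.com one for HP.COM, hp.com one for US.HP.COM, and us.hp.com the service ticket itself. The longest-suffix rule matters when a trusted forest's suffix list contains a parent name as well as a more specific one; it is also why the remote root must re-validate the hint rather than trust the sending forest's table.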