following excerpt, courtesy of Elsevier Digital Press, is from Chapter 5 of the book "Windows
Server 2003 security infrastructures" written by Jan De Clercq. Click for the complete book
excerpt series or purchase
Logging on to Windows using Kerberos:
Multiple forest logon process
In Windows Server 2003, Microsoft has added additional information in the TDO account objects to enable interforest authentication traffic. Let's look at an example that shows how Windows Server 2003 uses the extra information stored in the TDO to route Kerberos authentication requests during a cross-forest resource access.
In the example (illustrated in Figure 5.19), a user that is logged on to the emea.compaq.com
domain (the user and machine accounts are defined in emea.compaq.com) wants to access a resource
located on a server in the us.hp.com domain. Both forests are at functionality level 2, and a
bidirectional forest trust relationship has been set up between them. From a Kerberos point of
view, the user is already logged on to the emea.compaq.com domain and has a valid TGT. The remote
resource is identified using an SPN of the following format:
In this example the authentication requests will be routed as follows:
Figure 5.19 Forest trust authentication flow.
3. The user's machine contacts a DC in the root domain of the hp.com forest. The DC of the hp.com forest double-checks with the local GC whether the service is in his or her forest. After validation it refers the user to a DC in the us.hp.com domain.
4. The user's machine contacts a DC in the us.hp.com domain. This DC can issue a service ticket to the user for the resource in the us.hp.com domain.
5. The user uses the service ticket to authenticate to the resource server in the us.hp.com domain.
Click for the next excerpt in this series: Advanced Kerberos topics: Delegation of authentication
This was first published in October 2004