= You are prompted for credentials when you try to connect to a server that is in a different domain in a separate forest =

Article ID: 831634

Article Last Modified on 10/30/2006

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server


SYMPTOMS
When you try to connect to a server that is in a different domain in a separate forest, you may be prompted for credentials even though a transitive trust already exists between the two forests.



CAUSE
This problem may occur if the following conditions are true:
 * There exists a transitive cross-forest trust between the separate forests.
 * There exists an external trust between the domains in the separate forests.

In the following example, a transitive trust exists between ForestA and ForestB. There also exists an external trust between ChildDomainA in ForestA and DomainB in ForestB.

The problem occurs when the user account in ChildDomainA uses a cached Ticket Granting Ticket (TGT) that applies to the external trust between ChildDomainA and DomainB in the separate forest. But to successfully authenticate, the account in ChildDomainA must use the TGT from the Kerberos Key Distribution Center (KDC) that applies to the transitive trust between ForestA and ForestB.



WORKAROUND
To work around this problem, remove the external trust between the child domain and the domain in the separate forest.
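To find which external trusts meet both conditions listed under CAUSE, and are therefore candidates for removal, the following added example (not Microsoft's code) checks a trust inventory for external trusts whose two forests are also joined by a forest trust. The inventory layout, the names RootDomainA, RootDomainB, DomainC, ForestC and NT4DOMAIN, and the choice to ignore trust direction are assumptions made for illustration.

```python
# Added example: flag external trusts that overlap a cross-forest trust.
# The inventory layout is an assumption, not a Windows export format.

# Constructed sample data: the forest each domain belongs to.
DOMAIN_FOREST = {
    "RootDomainA": "ForestA",
    "ChildDomainA": "ForestA",
    "RootDomainB": "ForestB",
    "DomainB": "ForestB",
    "DomainC": "ForestC",
}

# Constructed sample data: (kind, one end, other end); direction is ignored.
TRUSTS = [
    ("forest", "RootDomainA", "RootDomainB"),   # transitive, ForestA <-> ForestB
    ("external", "ChildDomainA", "DomainB"),    # the case this article describes
    ("external", "ChildDomainA", "DomainC"),    # no forest trust to ForestC
    ("external", "ChildDomainA", "NT4DOMAIN"),  # Windows NT 4.0 domain, no forest
]

def forest_pair(a, b, domain_forest):
    """Return the unordered pair of forests a trust joins, or None."""
    fa, fb = domain_forest.get(a), domain_forest.get(b)
    if fa is None or fb is None or fa == fb:
        return None  # an end outside any known forest, or both ends in one forest
    return frozenset((fa, fb))

def overlapping_external_trusts(trusts, domain_forest):
    """List external trusts whose forests are also joined by a forest trust."""
    forest_links = set()
    for kind, a, b in trusts:
        pair = forest_pair(a, b, domain_forest)
        if kind == "forest" and pair is not None:
            forest_links.add(pair)
    findings = []
    for kind, a, b in trusts:
        pair = forest_pair(a, b, domain_forest)
        if kind == "external" and pair in forest_links:
            findings.append((a, b, tuple(sorted(pair))))
    return findings

if __name__ == "__main__":
    for a, b, forests in overlapping_external_trusts(TRUSTS, DOMAIN_FOREST):
        print(f"external trust {a} <-> {b} overlaps "
              f"forest trust {forests[0]} <-> {forests[1]}")
```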



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.



MORE INFORMATION
An external trust is a non-transitive trust that is used to provide access to resources that are located either on a Microsoft Windows NT 4.0 domain or on a Microsoft Active Directory directory service domain that is located in a separate forest that is not always joined by a forest trust. A non-transitive trust is a trust relationship that is restricted to two domains, and can be either a one-way or a two-way trust.

