Microsoft KB Archive/274438

= Cannot Use Kerberos Trust Relationships Between Two Forests in Windows 2000 =

PSS ID Number: 274438

Article Last Modified on 10/21/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server SP1
 * Microsoft Windows 2000 Advanced Server SP1

-



This article was previously published under Q274438



SUMMARY
This article describes why you cannot use internal Kerberos trust relationships between two forests in Windows 2000.



MORE INFORMATION
Windows 2000 uses domain trusts, which are relationships that are established between domains that enable users in one domain to be authenticated by a domain controller in the other domain. There are four types of domain trusts:
 * Two-way: A link between domains in which each domain trusts user accounts in the other domain to use its resources.
 * One-way: A single trust relationship in which one domain trusts the other, but not vice versa. All one-way relationships are nontransitive.
 * Transitive: The trust relationship that is extended to one domain is automatically extended to all other domains that trust that domain.
 * Nontransitive: This trust relationship is bounded by the two domains in the trust relationship and does not flow to any other domains in the forest. You must explicitly create nontransitive trusts. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts.

Each trust relationship must use an authentication protocol to validate the trust as well as users. Windows 2000 supports two authentication protocols:
 * Kerberos: An authentication protocol that is used to verify user or host identity. The Kerberos V5 authentication protocol is the default authentication service for Windows 2000.
 * NTLM: A challenge/response authentication protocol. NTLM is the default network authentication protocol in Microsoft Windows NT version 4.0 and earlier. Windows 2000 continues to support it, but it is no longer the default.

Windows 2000 does not support Kerberos trust relationships between two forests. Kerberos trust relationships are used and created by default between parent and child domains in the same forest, or between tree root domains that are in the same forest.

The only Kerberos trust that Windows 2000 can form outside its own forest is a cross-realm trust with a non-Windows Kerberos realm, such as an MIT Kerberos realm. For more information, refer to the "Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability" white paper that is located at the following Microsoft Web site:

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

Use an external trust relationship when a trust between two forests is required. An external trust is nontransitive and uses NTLM authentication rather than Kerberos.
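The following script is an added example and is not part of the KB article. It applies the rules above to the three values that Active Directory stores on each trustedDomain object (trustType, trustDirection and trustAttributes) and reports, for every trust, which of the article's categories it falls into and whether Kerberos or NTLM carries it on Windows 2000. The enumeration and flag values are taken from MS-ADTS; whether a Windows 2000 domain controller populates every flag is an assumption, and the sample records are constructed rather than read from a real directory.

```python
"""Classify trustedDomain objects by the rules in KB 274438 (Windows 2000).

Added example, not part of the KB article. Enumeration and flag values come
from MS-ADTS (trustType 6.1.6.7.15, trustDirection 6.1.6.7.12,
trustAttributes 6.1.6.7.9). Whether a Windows 2000 DC populates every flag
is an assumption; the sample records below are constructed, not captured.
"""

# trustType
TRUST_TYPE_DOWNLEVEL = 1   # Windows NT 4.0 domain (NTLM only)
TRUST_TYPE_UPLEVEL = 2     # Active Directory domain
TRUST_TYPE_MIT = 3         # non-Windows Kerberos realm, e.g. MIT krb5

# trustDirection, as seen from the domain that holds the object
DIRECTION_LABEL = {
    0: "disabled",
    1: "inbound (they trust us)",
    2: "outbound (we trust them)",
    3: "two-way",
}

# trustAttributes bit flags
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x01
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08  # set by later Windows versions for forest trusts
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20


def classify_trust(partner, trust_type, direction, attributes):
    """Map one trustedDomain object to the article's categories.

    Returns a dict with the trust kind, the authentication protocol that
    carries it on Windows 2000, and whether it is transitive.
    """
    note = None
    if trust_type == TRUST_TYPE_MIT:
        # The only Kerberos trust Windows 2000 forms outside its own forest.
        kind, auth = "realm", "Kerberos (cross-realm)"
    elif attributes & TRUST_ATTRIBUTE_WITHIN_FOREST:
        # Parent/child or tree-root trust: Kerberos, transitive by default.
        kind, auth = "intra-forest", "Kerberos"
    else:
        # Any other AD or NT 4.0 domain lies outside the forest: an external
        # trust, which Windows 2000 can only carry over NTLM.
        kind, auth = "external", "NTLM"
        if attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
            note = "FOREST_TRANSITIVE set; Windows 2000 cannot form a Kerberos forest trust"

    transitive = kind == "intra-forest" and not (attributes & TRUST_ATTRIBUTE_NON_TRANSITIVE)
    return {
        "partner": partner,
        "kind": kind,
        "auth": auth,
        "transitive": transitive,
        "direction": DIRECTION_LABEL.get(direction, f"unknown ({direction})"),
        "note": note,
    }


def ntlm_dependent(trusts):
    """Partners whose trust stops working if NTLM is disabled on the DCs."""
    return [classify_trust(*t)["partner"] for t in trusts
            if classify_trust(*t)["auth"] == "NTLM"]


# Constructed sample: (trustPartner, trustType, trustDirection, trustAttributes)
SAMPLE_TRUSTS = [
    ("child.corp.example", TRUST_TYPE_UPLEVEL, 3, TRUST_ATTRIBUTE_WITHIN_FOREST),
    ("partner.example", TRUST_TYPE_UPLEVEL, 2, TRUST_ATTRIBUTE_NON_TRANSITIVE),
    ("NT4DOM", TRUST_TYPE_DOWNLEVEL, 1, TRUST_ATTRIBUTE_NON_TRANSITIVE),
    ("ATHENA.EXAMPLE.EDU", TRUST_TYPE_MIT, 2, TRUST_ATTRIBUTE_NON_TRANSITIVE),
]

if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        r = classify_trust(*t)
        print(f"{r['partner']:<22} {r['kind']:<12} {r['auth']:<22} "
              f"transitive={r['transitive']!s:<5} {r['direction']}")
    print("NTLM-dependent:", ntlm_dependent(SAMPLE_TRUSTS))
```

The practical use is the last line of output: every trust listed as NTLM-dependent is one that Windows 2000 cannot move to Kerberos, so hardening steps that restrict NTLM on the domain controllers have to account for those partners first.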

Keywords: kbenv kbinfo KB274438

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbWin2000AdvServSP1 kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbwin2000ServSP1 kbWinAdvServSearch

-


© 2004 Microsoft Corporation. All rights reserved.