When a workstation in one forest attempts to access data on the resource computer in another forest, Kerberos contacts the domain controller for a service ticket to the SPN of the resource computer. Once the domain controller
queries the global catalog and identifies that the SPN is not in the same forest as the domain controller, the domain controller sends a referral for its parent domain back to the workstation. At that point, the workstation queries
the parent domain for the service ticket and follows the referral chain until it gets to the domain where the resource is located.
The following figure and corresponding steps provide a detailed description of the Kerberos authentication process.
- User1 logs on to Workstation1 using credentials from its local domain. The user then attempts to access a shared resource on FileServer1 located in the child domain in the outside forest.
- Workstation1 contacts the Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer1 SPN.
- ChildDC1 does not find the SPN in its domain database and queries the global catalog (GC) to see if any domains in its forest contain this SPN. Since a global catalog (GC) is limited to its own forest, the SPN is not found. The global catalog then checks its database for information about any forest trusts that are established with its forest, and, if found, it compares the name suffixes listed in the forest trust trusted domain object (TDO) to the suffix of the target SPN to find a match. Once a match is found, the global catalog provides a routing hint back to ChildDC1.
- ChildDC1 sends a referral for its parent domain back to Workstation1.
- Workstation1 contacts a domain controller (RootDC1) in its parent domain for a referral to a domain controller (RootDC2) in the forest root domain of the outside forest.
- Workstation1 contacts RootDC2 in the outside forest for a service ticket to the requested service.
- RootDC2 contacts its GC to find the SPN, and the GC finds a match for the SPN and sends it back to RootDC2.
- RootDC2 then sends the referral to child domain where the user is in back to Workstation1.
- Workstation1 contacts the KDC on ChildDC2 and negotiates the ticket for User1 to gain access to FileServer1.
- Now that workstation1 has a service ticket, it sends the server service ticket to FileServer1, which reads User1's security credentials and constructs an access token accordingly.
Recommended Books & Training Resources