desktop security software  
security desktop order software software library technical support

security desktop


Desktop Security

Internet Security

PC Time Limit

Protect Files

Security FAQ

Windows Tips

Internet FAQ


limit, kids, pc, time, security, desktop, child, online, limits, password, control, user, restrict, access, protect, privacy, internet, children




Version for print

Why can't I create a Kerberos-based trust between two domains in different forests?

When you manually create trusts, you can select one of two authentication protocols.

  • Kerberos—The Kerberos V5 authentication protocol is the default authentication service for Windows 2000. You use it to verify that a user/host is who it says it is. This protocol is used for trusts between domains in a tree and between the root domains in a forest.
  • NT LAN Manager (NTLM)—The NTLM authentication protocol is the default for network authentication in Windows NT 4.0 and earlier, but Win2K still supports it (although not as the default). NTLM is a challenge/response authentication protocol.


A transitive Kerberos-based trust links domains WITHIN a forest. Thus, when you create a trust between two domains in different forests, you can select only NTLM because Kerberos isn't available for cross-forest trust relationships. This limitation isn't a Kerberos one, but a limitation of the Microsoft implementation. If you use a third-party Kerberos implementation (e.g., MIT), you can use Kerberos for cross-forest trusts.

Security FAQ

Windows Privacy Tools - http//


l Security Officer l Internet Explorer Security l Protect Files l User Time Control l Security Desktop l Site Map

Copyrights 2006 Eugene Mihailov. All rights reserved