Why can't I create a Kerberos-based trust between two domains in different forests?
When you manually create trusts, you can select one of two authentication protocols:
- Kerberos—The Kerberos V5 authentication protocol is the default
authentication service for Windows 2000. You use it to verify that a
user/host is who it says it is. This protocol is used for trusts between
domains in a tree and between the root domains in a forest.
- NT LAN Manager (NTLM)—The NTLM authentication protocol is the default
for network authentication in Windows NT 4.0 and earlier, but Win2K still
supports it (although not as the default). NTLM is a challenge/response protocol.
A transitive Kerberos-based trust links domains WITHIN a forest. Thus, when
you create a trust between two domains in different forests, you can select only
NTLM because Kerberos isn't available for cross-forest trust relationships. This
limitation isn't a Kerberos one, but a limitation of the Microsoft
implementation. If you use a third-party Kerberos implementation (e.g., MIT),
you can use Kerberos for cross-forest trusts.
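As an added example (not part of the original FAQ), the following PowerShell inventories the trusts of a domain and labels each with the authentication the text above says applies: intra-forest trusts are transitive and Kerberos-based, while a Windows 2000-style external trust to a domain in another forest is NTLM only. It goes slightly beyond the Win2K scope of the FAQ by also recognising forest trusts (Windows Server 2003 forest functional level and later, the `ForestTransitive` property), which do carry Kerberos across forests. It assumes the ActiveDirectory module's real `Get-ADTrust` cmdlet and its `IntraForest`, `ForestTransitive`, `Direction` and `TrustType` properties; the function name `Get-TrustAuthSummary` is my own.

```powershell
# Added example, not code from the original FAQ. Requires the ActiveDirectory
# module (RSAT) and read access to the domain being queried.
Import-Module ActiveDirectory

function Get-TrustAuthSummary {
    [CmdletBinding()]
    param(
        # Optional: domain or domain controller to query; defaults to the current domain.
        [string]$Server
    )
    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    foreach ($trust in Get-ADTrust @query) {
        if ($trust.IntraForest) {
            # Trust between domains of the same forest: transitive, Kerberos-based.
            $auth = 'Kerberos (intra-forest)'
        } elseif ($trust.ForestTransitive) {
            # Forest trust (Windows Server 2003 and later), beyond the FAQ's Win2K
            # scope: Kerberos is carried across the forest boundary.
            $auth = 'Kerberos (forest trust)'
        } else {
            # External trust to a domain in another forest: the Windows 2000 case
            # the FAQ describes, NTLM only.
            $auth = 'NTLM (external trust)'
        }
        [PSCustomObject]@{
            Name             = $trust.Name
            Direction        = $trust.Direction
            IntraForest      = $trust.IntraForest
            ForestTransitive = $trust.ForestTransitive
            TrustType        = $trust.TrustType
            ExpectedAuth     = $auth
        }
    }
}

# Usage: list every trust of the current domain with its expected authentication.
Get-TrustAuthSummary | Format-Table -AutoSize
```

Rows labelled `NTLM (external trust)` are the ones the FAQ is about; from a review standpoint they are the trusts to check first, since NTLM offers none of the mutual authentication Kerberos provides.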