Why can't I create a Kerberos-based trust between two domains in different forests?

When you manually create trusts, you can select one of two authentication protocols.

Kerberos�The Kerberos V5 authentication protocol is the default authentication service for Windows 2000. You use it to verify that a user/host is who it says it is. This protocol is used for trusts between domains in a tree and between the root domains in a forest.
NT LAN Manager (NTLM)�The NTLM authentication protocol is the default for network authentication in Windows NT 4.0 and earlier, but Win2K still supports it (although not as the default). NTLM is a challenge/response authentication protocol.

A transitive Kerberos-based trust links domains WITHIN a forest. Thus, when you create a trust between two domains in different forests, you can select only NTLM because Kerberos isn't available for cross-forest trust relationships. This limitation isn't a Kerberos one, but a limitation of the Microsoft implementation. If you use a third-party Kerberos implementation (e.g., MIT), you can use Kerberos for cross-forest trusts.

1st Security Agent	Mail Bomber	Security Administrator	PC Lockup	Access Lock	Access Administrator Pro	ABC Security Protector

http//www.softheap.com