Establishing Interforest Authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If your organization includes more than one forest, you need to enable authentication and resource sharing between the forests. You do this by establishing trust relationships between some or all of the domains in the forests. The types of trust relationships that you can establish depend on the versions of the operating system that are running in each forest.

For more information about establishing trust relationships, see "Understanding Trusts" in Help and Support Center for Windows Server 2003.

Authentication between Windows Server 2003 forests

When all domains in two forests trust each other and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.

Authentication between Windows Server 2003 and Windows 2000 forests

It is not possible to establish transitive forest trusts between Windows Server 2003 and Windows 2000 forests. To enable authentication with Windows 2000 forests, establish one-way or two-way external trusts between the domains that need to share resources.

Authentication between Windows Server 2003 and Windows NT 4.0 forests

It is not possible to establish transitive forest trusts between Windows Server 2003 and Windows NT 4.0 domains. Establish one-way or two-way external trusts between the domains that need to share resources.

In each of these cases, you should consider whether the selective authentication option needs to be enabled. Selective authentication should only be enabled when the trusted domain is located in the extranet or in a different corporation, and therefore requires access to only a very limited set of resources.

The Kerberos V5 authentication protocol does not work across forests in Windows 2000 or Windows NT environments. In these situations, Windows Server 2003 relies on the NTLM protocol for authentication across forests. A direct trust relationship between two domains in separate forests enables NTLM authentication; however, NTLM enables client authentication only, and not mutual authentication. Therefore, if you must authenticate across forest boundaries, you need to ensure that all computers running versions of Windows earlier than Windows 2000 have been upgraded to use NTLMv2.
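The following script is an added example and is not part of the original article or a Microsoft tool. It audits the decisions described in the sections above: it lists each trust of the current domain, classifies it as a forest trust or an external trust (including trusts to Windows NT 4.0 domains), shows whether selective authentication and SID filtering are set, and reports the local LAN Manager authentication level so you can confirm the host is configured for NTLMv2. It assumes a domain-joined host with read access to the CN=System container; the bit values and registry path are the documented Active Directory and LSA ones.

```powershell
# Added example (not from the original article): audit this domain's trusts
# and the local NTLM level against the guidance in the text.
function Get-TrustAudit {
    $root = [ADSI]"LDAP://RootDSE"
    $sys  = [ADSI]("LDAP://CN=System," + $root.defaultNamingContext)
    $s    = New-Object System.DirectoryServices.DirectorySearcher($sys)
    $s.Filter = "(objectClass=trustedDomain)"
    [void]$s.PropertiesToLoad.AddRange(@("trustPartner","trustType","trustDirection","trustAttributes"))

    # trustAttributes bit flags as defined in the Active Directory schema
    $TA_NON_TRANSITIVE     = 0x1
    $TA_QUARANTINED        = 0x4    # SID filtering enabled
    $TA_FOREST_TRANSITIVE  = 0x8    # forest trust
    $TA_CROSS_ORGANIZATION = 0x10   # selective authentication enabled

    foreach ($r in $s.FindAll()) {
        $p    = $r.Properties
        $type = [int]$p["trusttype"][0]        # 1 = downlevel (Windows NT 4.0), 2 = uplevel
        $dir  = [int]$p["trustdirection"][0]   # 1 = inbound, 2 = outbound, 3 = two-way
        $attr = [int]$p["trustattributes"][0]

        if ($attr -band $TA_FOREST_TRANSITIVE) { $kind = "forest trust (transitive)" }
        elseif ($type -eq 1)                   { $kind = "external trust to Windows NT 4.0 domain" }
        else                                   { $kind = "external trust" }

        New-Object PSObject -Property @{
            Partner       = [string]$p["trustpartner"][0]
            Kind          = $kind
            Direction     = @{1="inbound";2="outbound";3="two-way"}[$dir]
            SelectiveAuth = [bool]($attr -band $TA_CROSS_ORGANIZATION)
            SidFiltering  = [bool]($attr -band $TA_QUARANTINED)
            NonTransitive = [bool]($attr -band $TA_NON_TRANSITIVE)
        }
    }
}

function Get-NtlmLevel {
    # LmCompatibilityLevel ("Network security: LAN Manager authentication level").
    # 3 or higher: this host sends NTLMv2 responses only; 4 and 5 additionally
    # make a domain controller refuse LM (4) or LM and NTLM (5) from clients.
    $lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    if ($lsa.LmCompatibilityLevel -eq $null) { return "not set explicitly (OS default applies)" }
    return $lsa.LmCompatibilityLevel
}

Get-TrustAudit | Format-Table Partner, Kind, Direction, SelectiveAuth, SidFiltering, NonTransitive -AutoSize
"LmCompatibilityLevel: " + (Get-NtlmLevel)
```

Review every external trust whose partner is in an extranet or another corporation and has SelectiveAuth set to False, and any host whose level is below 3, against the guidance above.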