Forum Discussion
writemike
Oct 05, 2016 (Nimbostratus)
After doing a bit more research (i.e., I asked an AD guy!), it appears that if a two-way trust exists between domains/forests, then when a client joined to domain1 asks the domain1 KDC for a TGS for a service in domain2, the domain1 KDC will refer you to the domain2 KDC to complete your request. In the end the klist command on the client machine should show 2 TGTs (domain1 and domain2) and a TGS for the service you are trying to access. This can all be done with a single SPN in the keytab file as long as there is a two-way trust between the domains/realms.
That is my non-windows guy understanding. Please let me know where I'm incorrect because I would really like to understand this better.
Thanks
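To make the ticket chain described in the post concrete, here is an added example (not the poster's code) that parses Windows-style `klist` output and checks for the three tickets a successful cross-realm referral leaves behind: the home-realm TGT, the cross-realm TGT the home KDC issues for the referral (`krbtgt/DOMAIN2 @ DOMAIN1`), and the service ticket issued by the domain2 KDC. The klist text, realm names and SPN are constructed placeholders.

```python
import re

# Constructed sample of Windows `klist` output for a domain1-joined client
# after reaching a service in domain2 through a two-way trust. Not captured
# from any real host; realm names and the SPN are placeholders.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: alice @ DOMAIN1.EXAMPLE
        Server: krbtgt/DOMAIN1.EXAMPLE @ DOMAIN1.EXAMPLE
        Kdc Called: dc1.domain1.example

#1>     Client: alice @ DOMAIN1.EXAMPLE
        Server: krbtgt/DOMAIN2.EXAMPLE @ DOMAIN1.EXAMPLE
        Kdc Called: dc1.domain1.example

#2>     Client: alice @ DOMAIN1.EXAMPLE
        Server: HTTP/app.domain2.example @ DOMAIN2.EXAMPLE
        Kdc Called: dc1.domain2.example
"""


def parse_klist(text):
    """Return (server_principal, issuing_realm) pairs from klist output."""
    pattern = r"^\s*Server:\s*(\S+)\s*@\s*(\S+)"
    return [(m.group(1), m.group(2)) for m in re.finditer(pattern, text, re.M)]


def check_cross_realm(text, home_realm, target_realm, service_spn):
    """Verify the ticket set expected after a cross-realm referral.

    Expected: a TGT for the home realm, a cross-realm TGT for the target realm
    (issued by the home KDC, so it appears as krbtgt/TARGET @ HOME), and a
    service ticket issued by the target realm. The returned dict flags each
    one and lists what is missing, which is the first thing to look at when
    SSO across a trust fails.
    """
    tickets = set(parse_klist(text))
    expected = {
        "home_tgt": (f"krbtgt/{home_realm}", home_realm),
        "cross_realm_tgt": (f"krbtgt/{target_realm}", home_realm),
        "service_ticket": (service_spn, target_realm),
    }
    result = {name: ticket in tickets for name, ticket in expected.items()}
    result["missing"] = [name for name, ok in result.items() if not ok]
    return result
```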