cross realm and capaths question

Christopher D. Clausen cclausen at
Mon Oct 1 11:40:17 EDT 2007

Douglas E. Engert <deengert at> wrote:
> Markus Moeller wrote:
> This looks like AD is checking the transited path, and does not like
> it. RFC4120 section 2.7 does not require the KDC to check the
> transited field, and the client may even ash the KDC to not check it,
> with the DISABLE-TRANSITED-CHECK flag, but the KDC may still check.
> AD does a lot more with trust the the MIT KDCs and may treat forests
> and external realms differently. In your diagram, you are trying to
> context TEST.COM not at the forest root. In most of the Microsoft
> documents they talk about connecting forests at the root.
> They talk about the different types of trust. I don't see
> "External Transitive" which is what I think you are trying to do.
> Although Realm Trust looks very close, but TGEST.COM is AD, not
> Kerberos.
> Can you connect TEST.COM to TOP.COM? This woulf be forest trust.
> Or can rename you TEST.COM to TEST.DOM1.TOP.COM and have it join the
> forest? Then AD should not have any problems,and you would not need
> the capaths, as the default ist to go up the tree then back down.

The AD domain to non-AD domain trust likely needs to be changed to a 
"transitive" trust using the netdom.exe tool.

for example:
netdom trust <AD domain> /ForestTRANsitive /domain <non-AD domain>


More information about the Kerberos mailing list