Hi @70317574
Should users' UPN equal the primary mail in Exchange for successful Kerberos auth?
No. If the client uses Kerberos V5 for authentication, it requests a ticket to the server in the target domain from a domain controller in its account domain. The Kerberos Key Distribution Center (KDC) acts as a trusted intermediary between the client and server; it provides a session key that enables the two parties to authenticate each other. If the target domain is different from the current domain, the KDC follows a logical process to determine whether an authentication request can be referred:
1. Is the current domain trusted directly by the domain of the server that is being requested?
   If yes, send the client a referral to the requested domain.
   If no, go to the next step.
2. Does a transitive trust relationship exist between the current domain and the next domain on the trust path?
   If yes, send the client a referral to the next domain on the trust path.
   If no, send the client a logon-denied message.
For more information about how Kerberos auth works:
What is the difference between Negotiate and NTLM authentication?
And Configure Kerberos authentication with Exchange 2019.
Please Note: Since the web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of the information.
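The two-step referral decision described in the answer above, as an added example that is not part of the original answer or any Microsoft code. It is a simplified model: the domain names and trust table are constructed, and it assumes a non-transitive trust can only be used by accounts from the directly trusted domain.

```python
from collections import deque

# Constructed sample data: (trusted_domain, trusting_domain) -> transitive?
# A pair (A, B) means domain B trusts accounts that come from domain A.
TRUSTS = {
    ("emea.corp.example", "corp.example"): True,
    ("corp.example", "emea.corp.example"): True,
    ("corp.example", "apac.corp.example"): True,
    ("apac.corp.example", "corp.example"): True,
    ("corp.example", "partner.example"): False,  # external, non-transitive
}

def next_hop(trusts, current, target):
    """Step 2: first hop of a path to target that uses transitive trusts only."""
    queue, seen = deque([(current, None)]), {current}
    while queue:
        domain, first = queue.popleft()
        if domain == target:
            return first
        for (trusted, trusting), transitive in trusts.items():
            if trusted == domain and transitive and trusting not in seen:
                seen.add(trusting)
                queue.append((trusting, first or trusting))
    return None  # no transitive trust path exists

def referral_chain(trusts, account_domain, target):
    """Return (domains the client is referred through, outcome)."""
    chain, current = [account_domain], account_domain
    while current != target:
        # Step 1: does the target domain directly trust the current domain?
        direct = trusts.get((current, target))
        # Model assumption: a non-transitive trust only serves accounts
        # whose own domain is the directly trusted one.
        if direct is not None and (direct or current == account_domain):
            hop = target
        else:
            hop = next_hop(trusts, current, target)
        if hop is None:
            return chain, "logon denied"
        chain.append(hop)
        current = hop
    return chain, "referred"

if __name__ == "__main__":
    for src, dst in [("emea.corp.example", "apac.corp.example"),
                     ("corp.example", "partner.example"),
                     ("emea.corp.example", "partner.example")]:
        print(src, "->", dst, referral_chain(TRUSTS, src, dst))
```
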