Introducing Forest Search Order

Applies To: Windows Server 2008 R2

This topic introduces the Group Policy setting for Forest Search Order in Windows Server® 2008 R2.

Forest Search Order gives you the ability to use Kerberos authentication across forest trusts with short (two-part) service principal names. Without it, a short name that cannot be resolved in the local forest causes Kerberos to fail, and the application may fall back to NTLM; the setting is therefore also a way to keep cross-forest access on Kerberos. Policy settings can be configured for KDC-based or Kerberos client-based searches.

How Forest Search works

When the policy setting is configured, either on the Kerberos client or on the Key Distribution Center (KDC), and Kerberos attempts to resolve a two-part service principal name (SPN), it consults the Forest Search Order to locate the domain that holds the SPN. A two-part SPN can be resolved in the local domain or, failing that, in the Global Catalog (GC) of the local forest; if it is found in neither, Forest Search Order must be configured for resolution to succeed. Forest Search Order is not required when Kerberos receives a three-part SPN, because the third part already supplies the domain: service/server network name/realm name.

When Forest Search Order is configured and a two-part SPN cannot be resolved locally, the GC of each forest listed in the policy setting is queried, in the order listed, for an account that holds the SPN; the domain of that account completes the name into its three-part form.

Forest Search Order caches the GC session information from a recently contacted forest and also tracks failures in contacting forests, which reduces future retries. However, the results of the SPN queries are not cached, so the same SPN is queried again each time it is received. For this reason it is better to deploy the client-side Forest Search Order policy: deploying the KDC Forest Search Order policy places the additional load of locating the domains for these short-name SPNs on the domain controllers.

After a successful search, the Kerberos client builds a service ticket request that carries a domain hint, or the KDC builds a referral ticket to the trusting domain. With either in place, normal Kerberos authentication proceeds as if the requesting client had supplied a three-part SPN.
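The search described above, as an added example that is not code from the original article or from Microsoft. The function walks the configured forest list in order, skips forests already recorded as unreachable (the failure tracking the text mentions), and stops at the first global catalog that holds the SPN. The default lookup binds to each forest's GC with System.DirectoryServices, which needs a domain-joined host and the trusts in place; the in-memory table at the bottom is a constructed stand-in, passed through -GcQuery, that lets the control flow run offline. All forest names and SPNs are made up.

```powershell
# Added example; not from the original article or from Microsoft.

# Escape the characters that have meaning in an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Default lookup: ask the forest's global catalog which domain holds the SPN.
# Binding to GC://<forest DNS name> locates a GC in that forest through DNS.
$DefaultGcQuery = {
    param([string]$Forest, [string]$Spn)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$Forest")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()            # throws if no GC in the forest can be contacted
    if (-not $hit) { return $null }
    # The account's DN tells us its domain: join the DC= components into a DNS name.
    $dn = [string]$hit.Properties['distinguishedname'][0]
    (($dn -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Resolve-TwoPartSpn {
    param(
        [Parameter(Mandatory)][string]$Spn,                  # e.g. 'HTTP/web01'
        [Parameter(Mandatory)][string[]]$ForestSearchList,   # local forest first, then the policy's list, in order
        [scriptblock]$GcQuery = $DefaultGcQuery,
        [hashtable]$FailedForests = @{}                      # reuse across calls to skip forests that already failed
    )
    $parts = $Spn -split '/'
    # A three-part SPN already names the realm, so the search order is never consulted.
    if ($parts.Count -ge 3) {
        return [pscustomobject]@{ Spn = $Spn; Domain = $parts[2]; Source = 'three-part SPN' }
    }
    foreach ($forest in $ForestSearchList) {
        if ($FailedForests.ContainsKey($forest)) { continue }   # failure tracking: do not retry a dead forest
        try {
            $domain = & $GcQuery $forest $Spn
        } catch {
            $FailedForests[$forest] = $_.Exception.Message
            continue
        }
        if ($domain) {
            # From here the client adds a domain hint (or the KDC builds a referral),
            # exactly as if the caller had presented "$Spn/$domain".
            return [pscustomobject]@{ Spn = $Spn; Domain = $domain; Source = "GC of $forest" }
        }
    }
    return $null   # in no listed forest: Kerberos fails, and the application may fall back to NTLM
}

# --- Offline demonstration with a constructed stand-in for three global catalogs ---
$fakeGcs = @{
    'unreachable.example' = $null                                   # simulates a forest that cannot be contacted
    'fabrikam.com'        = @{ 'HTTP/web01'     = 'eu.fabrikam.com' }
    'tailspin.net'        = @{ 'MSSQLSvc/sql02' = 'tailspin.net' }
}
$fakeQuery = {
    param([string]$Forest, [string]$Spn)
    if ($null -eq $fakeGcs[$Forest]) { throw "cannot contact a GC in $Forest" }
    $fakeGcs[$Forest][$Spn]
}
$searchOrder = 'unreachable.example', 'fabrikam.com', 'tailspin.net'
$failed = @{}
Resolve-TwoPartSpn -Spn 'HTTP/web01'            -ForestSearchList $searchOrder -GcQuery $fakeQuery -FailedForests $failed
Resolve-TwoPartSpn -Spn 'MSSQLSvc/sql02'        -ForestSearchList $searchOrder -GcQuery $fakeQuery -FailedForests $failed
Resolve-TwoPartSpn -Spn 'ldap/dc01/contoso.com' -ForestSearchList $searchOrder -GcQuery $fakeQuery
$failed.Keys   # 'unreachable.example' was recorded on the first call and skipped on the second
```

Note what is not cached: the function remembers that a forest was unreachable, but a second call for the same SPN walks the list again, which is the behaviour the text gives as the reason to prefer the client-side policy over loading the domain controllers with the search.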

How Forest Search Order is managed

There are two Group Policy settings, one KDC-based and one Kerberos client-based, that you can configure to use Forest Search Order.

Use Forest Search Order (KDC)

Location: GPO_name\Computer Configuration/Administrative Templates/System/KDC

This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs) using short names.

If you enable this policy setting, the KDC searches the forests in this list when it is unable to resolve a two-part SPN in the local forest. The search is performed by using global catalogs. If a match is found and the domain is trusting, the KDC returns a referral ticket for that domain to the client.

If you disable or do not configure this policy setting, and the KDC is unable to resolve the SPN because the name is not found, Kerberos cannot be used and the application may fall back to NTLM authentication.

Use Forest Search Order (Kerberos)

Location: GPO_name\Computer Configuration/Administrative Templates/System/Kerberos

This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).

If you enable this policy setting, the Kerberos client searches the forests in this list when it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a service ticket for the service from the appropriate domain.

If you disable or do not configure this policy setting, and the Kerberos client is unable to resolve the SPN because the name is not found, Kerberos cannot be used and the application may fall back to NTLM authentication.
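A way to check both settings and then exercise them, as an added example that is not code from the original article or from Microsoft. The first function reads the registry values that the two administrative templates write; the key paths and the value names UseForestSearch and ForestSearchList are this example's assumption about what KDC.admx and Kerberos.admx use, so confirm them against the templates in your PolicyDefinitions store before relying on the report. The second function runs klist get for a two-part SPN, which makes the local Kerberos client perform the search, and reports the Server line of the ticket it obtained. The SPN is made up.

```powershell
# Added example; not from the original article or from Microsoft.
# Assumption: these are the registry locations the "Use Forest Search Order"
# templates write. Verify against KDC.admx / Kerberos.admx in your environment.
$policyKeys = @{
    'Use Forest Search Order (KDC)'      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters'
    'Use Forest Search Order (Kerberos)' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
}

function Get-ForestSearchOrderPolicy {
    foreach ($entry in $policyKeys.GetEnumerator()) {
        # A missing key means the policy is not configured; Get-ItemProperty then returns nothing.
        $values = Get-ItemProperty -Path $entry.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Policy  = $entry.Key
            State   = $(switch ($values.UseForestSearch) {
                          1       { 'Enabled' }
                          0       { 'Disabled' }
                          default { 'Not configured' }
                      })
            Forests = $values.ForestSearchList    # the search list as written by the policy, in order
        }
    }
}

function Test-TwoPartSpnTicket {
    param([Parameter(Mandatory)][string]$Spn)   # e.g. 'HTTP/web01' (made-up)
    # klist get asks the Kerberos client for a service ticket. If the two-part name
    # was resolved (locally, via the GC, or through Forest Search Order) the output
    # lists the ticket with a "Server:" line that includes the issuing realm.
    $out   = & klist.exe get $Spn 2>&1 | Out-String
    $lines = $out -split "`r?`n"
    $server = $lines | Where-Object { $_ -match '^\s*Server:' } | Select-Object -First 1
    $error  = $lines | Where-Object { $_ -match 'failed|error' } | Select-Object -First 1
    [pscustomobject]@{
        Spn     = $Spn
        Success = [bool]$server
        Detail  = if ($server) { $server.Trim() } else { "$error".Trim() }
    }
}

Get-ForestSearchOrderPolicy | Format-Table -AutoSize
Test-TwoPartSpnTicket -Spn 'HTTP/web01'
```

Run the check on a member computer for the client-side policy and on a domain controller for the KDC policy. A ticket whose Server line names a realm in another forest shows that the short name was completed through the search; a klist failure on a name that does resolve as a three-part SPN is the case in which, per the policy text, the application may silently continue with NTLM.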