What is a Kerberos trust?

A. Windows NT 4.0 trust relationships aren’t transitive. Therefore, if domain2 (e.g., Marketing, in the Figure) trusts domain1 (Sales), and domain3 (Development) trusts domain2 (Marketing), domain3 (Development) doesn’t trust domain1 (Sales).

Click here to view image

In Windows 2000, the trust relationships that connect members of a tree or forest are two-way, transitive Kerberos trusts. Thus, all the domains in a tree implicitly trust all the other domains in the tree or forest. Because trusts occur automatically when a domain joins a tree, time-consuming trust administration is unnecessary.

Kerberos is Win2K’s primary security protocol. Kerberos verifies a user’s identity and a session’s data integrity. Each domain controller (DC) has Kerberos services on it, and every Win2K workstation and server has a Kerberos client. A user's initial Kerberos authentication gives the user one logon session to enterprise resources. Kerberos isn’t a Microsoft protocol but is based on MIT’s Kerberos 5.0. For more information about Kerberos, see the Internet Engineering Task Force (IETF) Requests For Comments (RFC) 1510, The Kerberos Version 5 GSS-API Mechanism.