Cross Forest Kerberos
Hello, is it possible to use Kerberos to handle security across two domains in different forests with an external two-way non-transitive trust? All the servers reside in one single domain and the users come from the other domain.
January 15th, 2010 12:40pm

No. When you use an external trust, only NTLM authentication is available. http://www.sysadmins.lv
January 15th, 2010 1:39pm

That's OK, but why can't we have Kerberos when authenticating over an external trust? Another question: I have a web server, an application server and a database server in one domain. The application on the application server is hosted on IIS. Its worker process is running under a local domain user account and is given rights for protocol transition. That's because NTLM works for external trust, as you just said. When I use Network Service to run this IIS on the application server, it doesn't delegate the external domain user account to the database server. I don't know the reason why. Can you please point me to any authenticated article that can explain the reason? Thanks, Yawar
January 15th, 2010 1:54pm

Because only Kerberos allows credential delegation. You need to grant your web server the "Trusted for delegation" right. This will allow credential delegation to your DB server. However, this will work with Kerberos only. http://technet.microsoft.com/en-us/library/cc739587(WS.10).aspx Here are several links that describe how it works. http://www.sysadmins.lv
January 15th, 2010 2:00pm

I understand that, and I have implemented cross-forest delegation in my dev environment. My question here is: why does only NTLM work on an external trust, and why can't the Network Service account delegate the credentials of a user from the external trusted domain?
January 15th, 2010 2:05pm

IIRC, external trust was primarily developed to create trusts with NT4 domains. For Active Directory you may use a forest trust, which will allow both Kerberos and NTLM authentication. However, a forest trust works only if both forests have the Windows Server 2003 native (or higher) forest functional level. Windows 2000 is not able to find a KDC in a foreign forest, therefore Kerberos cannot be used and you will have to create an external trust, which is compatible with many forest levels but cannot use Kerberos. http://www.sysadmins.lv
January 15th, 2010 2:19pm
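As an added example (not part of this thread or of any Microsoft tool), the following Python script shows how an administrator can verify the claim above from the servers' own Security logs: group successful logons (event 4624) by account domain and authentication package, so that a foreign domain whose users only ever appear with NTLM stands out. The event field names are the standard 4624 fields; the records themselves are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample of Windows Security event 4624 (successful logon) fields,
# in the shape a Get-WinEvent or SIEM export would give. Not real log data.
SAMPLE_EVENTS = [
    {"TargetDomainName": "CORP",    "TargetUserName": "svc_app",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos"},
    {"TargetDomainName": "CORP",    "TargetUserName": "alice",
     "LogonType": 2, "AuthenticationPackageName": "Kerberos"},
    {"TargetDomainName": "PARTNER", "TargetUserName": "yawar",
     "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"TargetDomainName": "PARTNER", "TargetUserName": "bob",
     "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"TargetDomainName": "CORP",    "TargetUserName": "legacyapp",
     "LogonType": 3, "AuthenticationPackageName": "NTLM"},
]


def auth_packages_by_domain(events):
    """Count which authentication package each account domain used in 4624 events.

    4624 reports Kerberos and NTLM under their own names (some interactive logons
    show 'Negotiate'), so the counts compare directly.
    """
    summary = defaultdict(Counter)
    for ev in events:
        domain = ev.get("TargetDomainName", "").upper()
        summary[domain][ev.get("AuthenticationPackageName", "?")] += 1
    return {d: dict(c) for d, c in summary.items()}


def ntlm_only_foreign_domains(events, local_domain):
    """Foreign domains whose accounts authenticated with NTLM and never Kerberos.

    Over an external trust this is the expected (and only possible) result; over a
    forest trust it points at an SPN or DNS problem forcing NTLM fallback.
    """
    packages = auth_packages_by_domain(events)
    return {d for d, c in packages.items()
            if d != local_domain.upper() and set(c) == {"NTLM"}}


if __name__ == "__main__":
    for domain, counts in auth_packages_by_domain(SAMPLE_EVENTS).items():
        print(f"{domain:8} {counts}")
    print("NTLM-only foreign domains:",
          ntlm_only_foreign_domains(SAMPLE_EVENTS, "CORP"))
```

On a real server, feed the script the 4624 events exported from the application server and database server; a foreign domain that is NTLM-only there cannot be delegated onward, whatever delegation rights the IIS account holds.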

I think I can understand what you are trying to say here. In my dev environment the domain controllers in the different forests are installed on Windows 2003 R2 Enterprise Edition, and these KDCs are set to the Windows 2003 domain functional level and the Windows 2003 forest functional level. According to your statement, "Windows 2000 is not able to find a KDC in a foreign forest, therefore Kerberos cannot be used", but Windows 2003 does find the KDC in the foreign external trusted domain. Hence it should use Kerberos, not NTLM, by default. I might need to do more reading to get profound knowledge. Any article you think can be helpful? Regards, Yawar
January 15th, 2010 3:52pm

No. If both your forests have the Windows Server 2003 native forest level, you should create a forest trust instead of an external one. http://www.sysadmins.lv
January 15th, 2010 3:54pm

I am sorry, I think I haven't conveyed my question to you here. My question is: why does NTLM take charge of authenticating two domains across an external two-way trust? I know that Kerberos can't be used here, but the question is why?
January 15th, 2010 4:59pm

Because external trusts are non-transitive, they are designed to use only NTLM for authentication, and simply don't support Kerberos. It really isn't any more complicated than that. Paul Adare, CTO IdentIT Inc., ILM MVP
January 15th, 2010 5:11pm

Paul, I just want to explore the underlying reason why Kerberos can't be used. From your reply I put the same question to you, but let me re-phrase it: "Why can't Kerberos be used with a non-transitive trust while NTLM can work with a non-transitive trust?" If you know the underlying technical reason, or if you know some MSDN article where I can find a good reason, I would really appreciate your help and will mark your reply as "Mark As Answer".
January 15th, 2010 5:32pm

There really is no other answer to give. External trusts were designed to use only NTLM as the authentication method. Paul Adare, CTO IdentIT Inc., ILM MVP
January 15th, 2010 8:00pm

This suggests to me that Microsoft doesn't want to tell us programmers and technical guys the actual reason. I wasn't expecting this response. Thanks for your time. I am sorry, I can't mark it as the answer because I am not satisfied.
January 16th, 2010 1:06am

First of all, I don't work for Microsoft; no MVP does. Secondly, I don't really care if you mark any of my posts as an answer or not; I don't spend my personal time here answering questions to build up points. Finally, you're going to find that sometimes there are no answers to questions that you might ask. This is one of those times, and you'll need to deal with it. External trusts simply don't support Kerberos, period. They never have and they never will. Paul Adare, CTO IdentIT Inc., ILM MVP
January 16th, 2010 1:55am

I regret to inform you that your last attempt to make me mark your reply as the answer has been unsuccessful at this stage. I wish you good luck in the future.
January 16th, 2010 2:01am

With an attitude like yours, good luck getting answers to any of your questions. Paul Adare, CTO IdentIT Inc., ILM MVP
January 16th, 2010 2:34am

lol, take it easy buddy, we have limited time on this planet. Enjoy yours. Please accept my apologies and wishes for your next birthday! If I learn the right answer I will post it here and then we will both know. Thanks, bye.
January 16th, 2010 4:36am

Hello mate, please read about the krbtgt account; I think you will get your answer. It is simply because, for a ticket given to someone by a DC in one forest to be trusted by another DC in a different forest, both DCs must share the password of the krbtgt account, which in the case of a different forest/domain is obviously different.
May 24th, 2011 3:55pm
