You are prompted for credentials when you try to connect to a server that is in a different domain in a separate forest (831634)



The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server

SYMPTOMS

When you try to connect to a server that is in a different domain in a separate forest, you may be prompted for credentials even though a transitive trust already exists between the two forests.

CAUSE

This problem may occur if the following conditions are true:
  • There exists a transitive cross-forest trust between the separate forests.
  • There exists an external trust between the domains in the separate forests.
In the following example, a transitive trust exists between ForestA and ForestB. There also exists an external trust between ChildDomainA in ForestA and DomainB in ForestB.
  Active Directory Forest    Trust Type          Active Directory Forest
  ForestA                    Transitive Trust    ForestB
  DomainA                                        DomainB
  ChildDomainA                                   ChildDomainB
The problem occurs when the user account in ChildDomainA uses a cached Ticket Granting Ticket (TGT) that applies to the external trust between ChildDomainA and DomainB in the separate forest. To authenticate successfully, however, the account in ChildDomainA must use the TGT from the Kerberos Key Distribution Center (KDC) that applies to the transitive trust between ForestA and ForestB.

WORKAROUND

To work around this problem, remove the external trust between the child domain and the domain in the separate forest.
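
One way to find the trust overlap that this workaround targets, as an added example that is not part of the original article: the script reports external trusts whose two domains sit in forests that are also joined by a forest trust. The inventory format, the function name and the DomainC/ForestC and NT4DOM entries are constructed for illustration, and trust direction is ignored.

```python
# Added example, not from the original article. All data below is constructed.
# Maps each Active Directory domain to the forest it belongs to.
DOMAIN_FOREST = {
    "DomainA": "ForestA", "ChildDomainA": "ForestA",
    "DomainB": "ForestB", "ChildDomainB": "ForestB",
    "DomainC": "ForestC",  # constructed third forest with no forest trust
}

# Trust inventory: "forest" = transitive forest trust, "external" = non-transitive.
TRUSTS = [
    {"source": "DomainA", "target": "DomainB", "type": "forest"},
    {"source": "ChildDomainA", "target": "DomainB", "type": "external"},
    {"source": "ChildDomainA", "target": "DomainC", "type": "external"},
    {"source": "ChildDomainA", "target": "NT4DOM", "type": "external"},  # NT 4.0 domain
]


def overlapping_external_trusts(domain_forest, trusts):
    """Return (source, target) for each external trust whose two domains sit in
    forests that are also joined by a forest trust. Direction is ignored."""
    joined = {
        frozenset((domain_forest[t["source"]], domain_forest[t["target"]]))
        for t in trusts if t["type"] == "forest"
    }
    findings = []
    for t in trusts:
        if t["type"] != "external":
            continue
        src = domain_forest.get(t["source"])
        dst = domain_forest.get(t["target"])
        # Skip domains outside any known forest and trusts inside one forest.
        if src is None or dst is None or src == dst:
            continue
        if frozenset((src, dst)) in joined:
            findings.append((t["source"], t["target"]))
    return findings


if __name__ == "__main__":
    for source, target in overlapping_external_trusts(DOMAIN_FOREST, TRUSTS):
        print(f"External trust {source} <-> {target} overlaps a forest trust")
```

Only the ChildDomainA to DomainB trust is reported; the external trusts to the NT 4.0 domain and to the forest without a forest trust are left alone.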

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.

MORE INFORMATION

An external trust is a non-transitive trust that is used to provide access to resources that are located either on a Microsoft Windows NT 4.0 domain or on a Microsoft Active Directory directory service domain that is located in a separate forest that is not always joined by a forest trust. A non-transitive trust is a trust relationship that is restricted to two domains, and can be either a one-way or a two-way trust.

REFERENCES

For more information about Trusts in Windows 2000, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 2/21/2004
Keywords:kbwinservnetwork kbSecurityServices kbBug kbpending KB831634 kbAudITPRO kbAudEndUser