How Transitive Trusts Work

The reason transitive trusts work is very simple: Kerberos. Referring to Figure 18.2, domains B and C both trust domain A. Each domain has at least one DC, which means it has at least one Kerberos KDC. When a child domain is added to the tree, the TGSs in the parent and child become security principals in each other's domain and create and share a session key. When a user needs access to a service in another domain, the KDCs can collaborate and build an authentication referral path from the client to the server.

Cross-Domain Authentication Example

Figure 18.7 shows the fis.local domain with two child domains: sales.fis.local and mfg.fis.local. In this example, client.sales.fis.local wants to connect to server.mfg.fis.local. ...
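The referral path the KDCs build can be modelled in a few lines. The following is an added example, not code from the book: it assumes a single domain tree in which only the automatic parent-child trusts exist (no shortcut trusts), and the function names and the `cifs/` service name are hypothetical.

```python
# Added example: Kerberos referral path inside one domain tree.
# Assumption: only parent-child trusts exist, so a referral moves one hop at a time.

def ancestors(domain, root):
    """Return [domain, parent, ..., root] by stripping leading DNS labels."""
    domain, root = domain.lower(), root.lower()
    if domain != root and not domain.endswith("." + root):
        raise ValueError(f"{domain} is not in the tree rooted at {root}")
    chain = [domain]
    while chain[-1] != root:
        chain.append(chain[-1].split(".", 1)[1])
    return chain


def referral_path(client_domain, server_domain, root):
    """Domains whose KDCs the client contacts, in order."""
    up = ancestors(client_domain, root)
    down = ancestors(server_domain, root)
    # Drop shared ancestors above the closest common one.
    while len(up) > 1 and len(down) > 1 and up[-2] == down[-2]:
        up.pop()
        down.pop()
    # Climb to the common ancestor, then descend to the server's domain.
    return up + down[-2::-1]


def ticket_exchange(client_domain, server_domain, service_spn, root):
    """Return (issuing KDC realm, ticket issued) for each TGS exchange."""
    # The initial logon (AS exchange) in the client's own domain is not modelled.
    path = referral_path(client_domain, server_domain, root)
    steps = []
    # Each KDC holds a key only for its direct trust partners.
    for here, nxt in zip(path, path[1:]):
        steps.append((here.upper(), f"referral TGT krbtgt/{nxt.upper()}"))
    steps.append((path[-1].upper(), f"service ticket {service_spn}"))
    return steps


if __name__ == "__main__":
    # Constructed input using the domain names from Figure 18.7.
    for kdc, ticket in ticket_exchange("sales.fis.local", "mfg.fis.local",
                                       "cifs/server.mfg.fis.local", "fis.local"):
        print(f"{kdc:18} issues {ticket}")
```

Each tuple corresponds to one ticket request handled by a DC in that domain, so the intermediate domain's DCs also see and log the cross-domain access.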
