Forest Trust / Kerberos forest search order group policy setting

  • Last Post 13 July 2017
ahobbs posted this 13 July 2017

Hey all

We've implemented a Forest Trust and we need to configure single sign on for a new application.

I need to enable the Kerberos Forest Search Order.

Should this be enabled on the default domain policy for all computers or should it be enabled on the default domain controllers policy?

I assume the latter.

Any guidance appreciated.


ZJORZ posted this 13 July 2017

The description of that policy says: "This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs)." Therefore → default domain controllers policy

Kind regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP


bpffa posted this 13 July 2017

There are two forest search orders within Group Policy. One under Admin Templates KDC and another under Kerberos and the wording is slightly different. Should KDCs have their set as well as clients? Or just the KDC since the ticket request will need to pass through them anyways?