Active Directory Cross-Forest Kerberos Authentication
Let’s say you are a sysadmin, a pentester, or someone on the defensive side working on enterprise administration or security. You might have heard about Active Directory — the most commonly used identity management service in the world. Today we are talking about a more complex subject: trust and Kerberos authentication across forests in Active Directory.
What is Kerberos in Active Directory?
Kerberos is the default authentication protocol used within Active Directory domains in Windows networks.
Kerberos Authentication Process
- The user authenticates with the Domain Controller (DC) using their password.
- They receive a Ticket Granting Ticket (TGT) — encrypted using the krbtgt account’s password hash (held by the DC).
- The user wants to access a network service (SQL, SharePoint, file server, etc.).
- They send the TGT to the DC and request a TGS (Ticket Granting Service) ticket for the SPN (Service Principal Name) of that service.
- The DC validates the TGT and builds a TGS ticket encrypted with the target service’s account password hash.
- The user sends the TGS to the application server.
- The server decrypts it using its own credentials and validates the session.
Understanding Forests in Active Directory
A forest is a collection of one or more domain trees — and more importantly, a security boundary. By default, the Active Directory environments of Organization A and Organization B, being separate forests, cannot access each other’s resources.
In modern organizations, there are scenarios where AD environments of different organizations need to communicate — during mergers, acquisitions, vendor partnerships, etc. This is fulfilled using the Trust feature.
Understanding Trust
- A trust is a relationship between two domains or forests allowing users of one to access resources in the other.
- Trusts are either automatic (parent-child and tree-root trusts within the same forest) or explicitly established (forest and external trusts).
- Trusted Domain Objects (TDOs) represent trust relationships in a domain.
Trust Direction
One-way (Unidirectional): Users in the trusted domain can access resources in the trusting domain, but not vice versa.
Two-way (Bidirectional): Users of both domains can access resources in the other.
Trust Transitivity
- Transitive: Can be extended to establish trust relationships with other domains. All default intra-forest trusts (Tree-root, Parent-Child) are transitive two-way trusts.
- Nontransitive: Cannot be extended to other domains. This is the default behavior (external trust) between two domains in different forests when no forest trust exists.
Trust Types
Automatic Trusts:
- Parent-Child trust: Created automatically when a new domain is added to a tree. Always two-way transitive.
- Tree-root trust: Created automatically when a new domain tree is added to a forest root. Always two-way transitive.
External Trusts: Between two domains in different forests (no forest trust). Can be one-way or two-way, always nontransitive.
Forest Trusts: Between the root domains of two forests. Can be one-way or two-way, and transitive across the domains of both forests, but not extended to a third forest (no implicit trust).
Cross-Forest Kerberos Authentication Flow
To allow cross-forest Kerberos authentication between two separate organizations, you must explicitly create a Forest Trust.
Forest 1 (User’s Home Forest)
- Client sends timestamp to KDC (AS-REQ).
- KDC replies with TGT encrypted using the krbtgt secret (AS-REP).
- Client sends TGT to request access to a service in Forest 2 (TGS-REQ).
- KDC sees the service is in Forest 2 and returns an inter-realm TGT.
Inter-Realm Trust
- The inter-realm TGT is encrypted with the trust key shared between Forest 1 and Forest 2.
- This TGT allows the client to talk to Forest 2’s KDC.
Forest 2 (Resource Forest)
- Client sends inter-realm TGT to Forest 2 KDC.
- Forest 2 KDC validates the ticket using the trust key.
- Forest 2 KDC issues a service ticket for the application server.
Accessing the Resource
- Client presents the service ticket to the application server.
- Optional: mutual authentication between server and client.
Key Concepts
| Concept | Description |
|---|---|
| Inter-realm TGT | Acts like a passport for crossing into another Kerberos realm (forest) |
| Trust Key | A shared secret between forests that lets each verify the inter-realm TGTs issued by the other |
| Explicit Trust | Must be manually configured between forests/domains to allow cross-realm Kerberos authentication |
Conclusion
As a pentester wanting to get deeper into post-exploitation in large Active Directory and cross-forest networks, understanding these concepts is very useful. Further attacks related to cross-forest environments (SID History injection, inter-realm Golden Tickets, etc.) will be discussed in future posts.