Use forest search order

This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).

If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain.

If you disable or do not configure this policy setting, the KDC does not search the listed forests to resolve the SPN. If the KDC cannot resolve the SPN because the name is not found, the client may fall back to NTLM authentication, which does not give the client Kerberos's mutual authentication of the server. That fallback is the security-relevant consequence of leaving the setting off where cross-forest SPN lookups are expected.

Because any domain controller in the domain may service a ticket request, this policy setting must be supported and set identically on all domain controllers in the domain; otherwise the outcome of the same SPN request depends on which DC the client happens to reach.

Supported on: At least Windows 7

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
Value Name: UseForestSearch
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Forests to Search

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters
Value Name: ForestSearchList
Value Type: REG_SZ
Default Value: (none)

Syntax:

Enter the list of forests to be searched when this policy is enabled.

Use the Fully Qualified Domain Name (FQDN) naming format.

Separate multiple search entries with a semi-colon ";".

Details:

The current forest need not be listed, because Forest Search Order consults the local forest's global catalog first and only then searches the listed forests in the order given.

You do not need to separately list all the domains in the forest.

If a trusting forest is listed, all the domains in that forest will be searched.

For best performance, list the forests in decreasing order of how likely each is to hold the SPN, so the KDC stops after the fewest lookups.
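The following PowerShell is an added example, not part of the ADMX page or of Microsoft's tooling. It builds a correctly formatted ForestSearchList value from a list of forest FQDNs (validating the FQDN and semicolon-separated syntax above), writes the two registry values from the tables above, and audits every domain controller in the domain for the "set identically on all domain controllers" requirement. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and that the Policies registry key is written here only for a lab or for verification; in production the values come from the GPO. The forest names in the usage line are hypothetical.

```powershell
# Added example (not from the ADMX page). Registry path and value names are
# the ones documented for "Use forest search order"; everything else is assumed.
$KdcPolicyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'

function New-ForestSearchList {
    param([Parameter(Mandatory)][string[]]$Forests)
    # FQDN only: two or more DNS labels, no scheme, no trailing dot, no NetBIOS names.
    $fqdn = '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
    foreach ($f in $Forests) {
        if ($f -notmatch $fqdn) { throw "Not a forest FQDN: '$f'" }
    }
    # Order is preserved on purpose: the KDC walks the list top to bottom
    # after the local global catalog, so put the most likely forest first.
    ($Forests | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique) -join ';'
}

function Set-KdcForestSearch {
    param([Parameter(Mandatory)][string[]]$Forests)
    # Direct registry writes are for a lab or for checking what the GPO should
    # produce; deploy through Group Policy so every DC gets the same values.
    if (-not (Test-Path $KdcPolicyPath)) { New-Item -Path $KdcPolicyPath -Force | Out-Null }
    $list = New-ForestSearchList -Forests $Forests
    Set-ItemProperty -Path $KdcPolicyPath -Name UseForestSearch  -Type DWord  -Value 1
    Set-ItemProperty -Path $KdcPolicyPath -Name ForestSearchList -Type String -Value $list
    $list
}

function Test-KdcForestSearchConsistency {
    # Reads both values from every DC in the domain and warns on drift.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
    $results = Invoke-Command -ComputerName $dcs -ScriptBlock {
        $v = Get-ItemProperty -Path $using:KdcPolicyPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC               = $env:COMPUTERNAME
            UseForestSearch  = $(if ($null -ne $v.UseForestSearch) { [int]$v.UseForestSearch } else { 'NotConfigured' })
            ForestSearchList = $(if ($v.ForestSearchList) { $v.ForestSearchList } else { '' })
        }
    }
    $distinct = @($results | Select-Object UseForestSearch, ForestSearchList -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning 'Forest search order differs across DCs; KDC behaviour will not be consistent.'
    }
    $results | Sort-Object DC | Format-Table DC, UseForestSearch, ForestSearchList -AutoSize
}

# Hypothetical forests, most likely match first:
# Set-KdcForestSearch -Forests 'partner.example', 'corp.example.net'
# Test-KdcForestSearchConsistency
```

Run Test-KdcForestSearchConsistency after the GPO has applied (gpupdate /force on the DCs, or wait for the refresh interval). A DC reporting NotConfigured while the others report 1 is exactly the inconsistent state the page warns about: clients whose ticket request lands on that DC will get an SPN-not-found result and may fall back to NTLM.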


ADMX file: kdc.admx
Policy scope: Administrative Templates (Computers)