Use forest search order

This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).

If you enable this policy setting, the Kerberos client will search the forests in this list if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client will request a referral ticket to the appropriate domain.

If you disable or do not configure this policy setting, the Kerberos client will not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.

Supported on: At least Windows 7

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Value Name: UseForestSearch
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Forests to Search

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Value Name: ForestSearchList
Value Type: REG_SZ
Default Value:

Syntax:

Enter the list of forests to be searched when this policy is enabled.

Use the Fully Qualified Domain Name (FQDN) naming format.

Separate multiple search entries with a semicolon (";").

Details:

The current forest need not be listed, because Forest Search Order consults the global catalog first and then searches the listed forests in the order given.

You do not need to separately list all the domains in the forest.

If a trusting forest is listed, all the domains in that forest will be searched.

For best performance, list the forests in descending order of the probability that the SPN will be found there.
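The following PowerShell is an added example, not part of the ADMX documentation: it reads the two policy values documented above to report whether forest search is active (and therefore whether an unresolved two-part SPN could fall back to NTLM), and writes a validated, semicolon-separated forest list. The function names and the FQDN pattern are this example's own assumptions; on a domain-joined machine the values under the Policies key are owned by Group Policy, so use the audit function there and do the write only on standalone or lab hosts.

```powershell
# Added example (not from the ADMX documentation). Policy path is the one documented above.
$PolicyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-ForestSearchOrder {
    # Report the effective state. "Not configured" behaves like Disabled:
    # no forest search, so an unresolved SPN may fall back to NTLM.
    $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    $state = if ($null -eq $props -or $null -eq $props.UseForestSearch) { 'NotConfigured' }
             elseif ($props.UseForestSearch -eq 1) { 'Enabled' } else { 'Disabled' }
    $forests = @()
    if ($props -and $props.ForestSearchList) {
        # ForestSearchList is a REG_SZ of forest FQDNs separated by ";".
        $forests = @($props.ForestSearchList -split ';' |
                     ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    [pscustomobject]@{
        State                = $state
        Forests              = $forests
        NtlmFallbackPossible = ($state -ne 'Enabled' -or $forests.Count -eq 0)
    }
}

function Set-ForestSearchOrder {
    param([Parameter(Mandatory)][string[]]$Forests)
    # Accept only FQDN-shaped names (assumed pattern) so a typo cannot silently
    # remove a forest from the search and reintroduce NTLM fallback.
    $fqdn = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    foreach ($f in $Forests) {
        if ($f -notmatch $fqdn) { throw "Not a valid forest FQDN: '$f'" }
    }
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name UseForestSearch -Value 1 -Type DWord
    # Order matters: after the global catalog, forests are tried in the order listed,
    # so the caller should pass the most likely forest first.
    Set-ItemProperty -Path $PolicyPath -Name ForestSearchList -Value ($Forests -join ';') -Type String
}

# Example use from an elevated prompt (forest names are placeholders):
# Set-ForestSearchOrder -Forests 'partner.example', 'lab.example.net'
# Get-ForestSearchOrder
```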

kerberos.admx