How well does cross domain authentication work across a Trust? If you have a Forest trust, pretty good. Just make sure you have your UPN routing setup on the trust configuration. And across a domain trust? Not so well, and not at all “out of the box”. Because we work in the migration space and because authenticating via “e-mail” address is all the rage, this recently became an issue for me.
First, a quick primer on UPN’s, from Tim Allen. He knows his UPN’s, just ask him. In short, you always have two UPN’s. You have your “implicit” UPN and you have your “explicit” UPN. The Implicit UPN is your sAMAccountName followed by your domain suffix (firstname.lastname@example.org). Your Explicit UPN is what is in userPrincipalName in AD. Often they are the same, they don’t have to be. In this case, it is different, as we are using our e-mail address (email@example.com).
As for how to make this work, I must give a huge shout out to Jorge of JorgeQuestForKnowledge.wordpress.com. His six part writeup on this was really the only useful page I could find on this topic. If you just want the fix, skip to part six. There is a lot of work that went into these and the result is awesomeness for all the rest of us. Thanks Jorge, great work!
It comes down to this – there are to GPO settings you can do to have Kerberos check other forests for UPN authentication. They are right next to each other!
Policies->Administrative Templates->System->KDC->Use forest search order
Policies->Administrative Templates->System->Kerberos->Use forest search order
The difference is the first one applies to your Domain Controllers, the second applies to everything else. Choose your path. Jorge picked Domain Controllers, and so did I in my lab.
I did NOT have success in my lab with alternate UPN’s. In my lab.com domain, having a UPN of firstname.lastname@example.org worked, but having a UPN email@example.com did not. That may have been my lab, so your mileage may vary if you have alternate UPN creds you want to use.