WSTEP enrollment can use Kerberos authentication to authenticate Windows endpoints. Kerberos authentication uses service principal names to associate a service instance with a service sign-in account. A service principal name is a unique identifier of a service instance. With Kerberos authentication, a service principal name allows a client application to request service authentication for an account, even if the client does not have the account name.

A service principal name (SPN) is a string that consists of either two or three parts, with each part separated by a forward slash. An example of a two-part SPN:

HTTP/server.example.com@EXAMPLE.COM

For cross-forest deployments, both the Key Distribution Center (KDC) and the Kerberos client must search a list of trusted forests when attempting to resolve a two-part SPN if the SPN cannot be found in the local forest. The list of trusted forests that the KDC and Kerberos clients can search is controlled by Group Policy settings in the domain controller. Cross-forest WSTEP enrollment can fail if the KDC or Kerberos client cannot resolve the two-part SPN. The list of trusted forests must be the same for both the KDC and Kerberos clients.

To ensure consistent behavior, the Group Policy settings must be supported and set identically on all domain controllers in the domain.

To configure the Group Policy for cross-forest deployments

  1. Log in to the server hosting Active Directory as a member of the Domain Admins and Enterprise Admins groups.
  2. Select Start > Windows Administrative Tools > Group Policy Management.
    The Group Policy Management dialog box appears.
  3. In the tree view, select Group Policy Management > Forest: <forest> > Domains > <domain> > Default Domain Policy.
    Where <forest> is the FQDN (fully qualified domain name) of the forest, and <domain> is the FQDN of the domain.
  4. Select Action > Edit to edit the default domain policy for the domain.
    The Group Policy Management Editor dialog box appears.
  5. Expand Computer Configuration > Policies > Administrative Templates > System > KDC.
  6. In the Settings pane, select Use Forest Search Order.
  7. Select Action > Edit to edit the Use Forest Search Order setting.
    The Use forest search order dialog box appears.
  8. Select Enabled.
  9. In the Options pane, in the Forests to Search field, enter the list of trusted forests that the Key Distribution Center (KDC) will search when attempting to resolve a two-part SPN that does not exist in the local forest. Separate each forest with a semicolon. For example:

    example.com;example.net;example.org
  10. Click OK.
  11. Expand Computer Configuration > Policies > Administrative Templates > System > Kerberos.
  12. In the Settings pane, select Use Forest Search Order.
  13. Select Action > Edit to edit the Use Forest Search Order setting.
    The Use forest search order dialog box appears.
  14. Select Enabled.
  15. In the Options pane, in the Forests to Search field, enter the list of trusted forests that Kerberos clients will search when attempting to resolve a two-part SPN that does not exist in the local forest. Separate each forest with a semicolon. For example:

    example.com;example.net;example.org
  16. Click OK.
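The sixteen GUI steps above set the same policy twice, once for the KDC and once for the Kerberos client, and the page requires both lists to be identical. The following PowerShell script is an added example, not part of the original documentation or of any vendor tooling; it applies both settings to the Default Domain Policy from a single list and then reads them back to confirm they match. It assumes a domain controller with the GroupPolicy (and optionally ActiveDirectory) RSAT modules, and it assumes the registry paths and value names (`...\Kdc\Parameters` and `...\Kerberos\Parameters`, `UseForestSearch`, `ForestSearchList`) that the KDC and Kerberos administrative templates use behind the "Use forest search order" setting; the value type for `ForestSearchList` is assumed to be a semicolon-separated string mirroring the "Forests to Search" field, which you should confirm against your ADMX version.

```powershell
#Requires -Modules GroupPolicy
# Added example (not from the original page). Configures "Use forest search order"
# for both the KDC and the Kerberos client in one GPO and verifies the two lists match.
#
# Assumptions (not stated on the page):
#   - Registry paths/value names are those used by KDC.admx and Kerberos.admx for
#     this policy: UseForestSearch (DWORD, 1 = Enabled) and ForestSearchList.
#   - ForestSearchList is stored as a semicolon-separated string, like the GUI field.

$GpoName = 'Default Domain Policy'

# Single source of truth: the page requires the KDC and client lists to be identical.
$TrustedForests   = @('example.com', 'example.net', 'example.org')
$ForestSearchList = $TrustedForests -join ';'

$PolicyKeys = @{
    KDC      = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters'       # steps 5-10
    Kerberos = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'  # steps 11-16
}

foreach ($component in $PolicyKeys.Keys) {
    $key = $PolicyKeys[$component]
    # Equivalent of selecting "Enabled" in the Use forest search order dialog.
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UseForestSearch' `
        -Type DWord -Value 1 | Out-Null
    # Equivalent of filling in the "Forests to Search" field.
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ForestSearchList' `
        -Type String -Value $ForestSearchList | Out-Null
    Write-Host "[$component] UseForestSearch=1 ForestSearchList=$ForestSearchList"
}

# Verification: read both lists back from the GPO and stop if they differ. A mismatch
# is exactly the condition the page says makes cross-forest WSTEP enrollment fail.
$readBack = @{}
foreach ($component in $PolicyKeys.Keys) {
    $v = Get-GPRegistryValue -Name $GpoName -Key $PolicyKeys[$component] -ValueName 'ForestSearchList'
    $readBack[$component] = $v.Value
}
if ($readBack['KDC'] -ne $readBack['Kerberos']) {
    throw "Forest search lists differ: KDC='$($readBack['KDC'])' Kerberos='$($readBack['Kerberos'])'"
}
Write-Host 'KDC and Kerberos client forest search lists match.'

# Optional sanity check: the KDC can only search forests this forest actually trusts,
# so warn about any listed forest that has no trust object here.
if (Get-Command Get-ADTrust -ErrorAction SilentlyContinue) {
    $trustNames = Get-ADTrust -Filter * | Select-Object -ExpandProperty Name
    foreach ($forest in $TrustedForests) {
        if ($trustNames -notcontains $forest) {
            Write-Warning "No trust object found for '$forest'; the KDC will not be able to search it."
        }
    }
}
```

Run it once on a domain controller as a Domain Admin; the setting reaches other domain controllers and clients on the next policy refresh (`gpupdate /force` speeds this up). Keeping the list in one variable, rather than typing it twice in the GUI, is what prevents the KDC and client lists from drifting apart over time.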