Computer Configuration\Administrative Templates\System\KDC\Use Forest Search Order
In this situation, InitializeSecurityContext may return "SEC_E_TARGET_UNKNOWN." Additionally, the following event may be logged:
If Kerberos authentication is required, then a forest trust is necessary. On an external trust, you have to change the application to use FQDN server names and three-part SPNs. For more information, see Technologies for Federating Multiple Forests.
When FQDN names are used, the forest trust object can offer SPN routing according to the UPN/SPN suffix provided in the request so that the Key Distribution Center (KDC) knows the next hop in the Kerberos referral procedure.
This behavior is expected, because KFSO is not designed to offer Kerberos authentication support over external trusts. To use a Kerberos trust between forests, create a forest trust instead.
Article ID: 2977475 - Last Review: 4 Jul 2014 - Revision: 1