Use forest search order

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain.

• Computer
  Allow name-based strong mappings for certificates

  At least Windows Server 2019, Windows 10 Version 2004
• Computer
  Configure hash algorithms for certificate logon

  At least Windows 11 Version 22H2
• Computer
  KDC support for claims, compound authentication and Kerberos armoring

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  KDC support for PKInit Freshness Extension

  At least Windows Server 2016, Windows 10
• Computer
  Provide information about previous logons to client computers

  At least Windows Vista
• Computer
  Request compound authentication

  At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
• Computer
  Warning for large Kerberos tickets

  At least Windows Server 2012, Windows 8 or Windows RT