Cross forest trust issues with Winlogon from Win7 via 2008 resource DC in Forest B to 2003 DC in Forest A
Implementing a new system in a segregated network with its own single-domain Forest B.
Windows 7 clients and Windows 2008 R2 DCs and application servers.
Loopback replace is defined so that all GPOs have to be defined in Forest B.

One-way cross-forest trust: Forest B, with the computer resources, trusts Forest A, with the user accounts.

Forest A is a multidomain environment (30 DCs in the root, 80 DCs in subdomain A1 and 40 DCs in subdomain A2).

We have managed to activate the one-way trust between both DCs in Forest B and the 30 root DCs in Forest A; all top-level DCs have full IP connectivity on all ports for the transitive design.

During FAT of the new system we have been using local user accounts in Forest B, which work fine.

The symptom is that when using a user account in subdomain A1 or A2 in Forest A to log on to the Windows 7 client, we see error messages in the pre-authentication phase.

My focus now is on the encryption protocol for Kerberos; in Forest A we use RC4-HMAC (empty checkboxes for DES and AES 128/256 on the user accounts).
Windows 7 uses AES by default, and my expectation was that the negotiation would go like this:
initial pre-authentication with AES would be rejected by DCs in Forest A
second pre-authentication with RC4-HMAC

The pre-authentication finishes without a successful ending.

I have spent several days searching without finding the right workaround (I have found many threads about DES, but our corporate system uses RC4).

Does anyone recognize the symptoms or have a recommendation to share?

/Stefan
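To reason about whether the RC4-only user accounts described above can by themselves explain the failure, here is a small model of Kerberos etype selection; it is an added example, not part of Stefan's post. The etype numbers and msDS-SupportedEncryptionTypes bits are the real values; the selection rule (first client-listed etype the target account supports, with an unset attribute treated as RC4-only) is a simplified model, and the Windows 7 client etype list is constructed.

```python
# Added example (not from the original post): models how a Windows KDC picks the
# Kerberos encryption type from the etypes in the client's AS-REQ and the target
# account's msDS-SupportedEncryptionTypes bitmask. Etype numbers and bitmask
# bits are the real values; the rule "first client-listed etype the account
# supports, missing/zero attribute = RC4 only" is the simplified model used here.

# RFC etype identifiers carried in the AS-REQ and in KDC error replies
DES_CBC_CRC, DES_CBC_MD5, AES128, AES256, RC4_HMAC = 1, 3, 17, 18, 23
ETYPE_NAME = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
              18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# msDS-SupportedEncryptionTypes bits (the checkboxes on a user or trust object)
MASK_TO_ETYPE = {0x01: DES_CBC_CRC, 0x02: DES_CBC_MD5, 0x04: RC4_HMAC,
                 0x08: AES128, 0x10: AES256}
KDC_ERR_ETYPE_NOSUPP = 14                        # no etype in common with the request
WIN7_CLIENT_ETYPES = [AES256, AES128, RC4_HMAC]  # constructed: strongest first

def supported_etypes(mask):
    """Etypes an account accepts; all checkboxes empty (0) is modelled as RC4 only."""
    if mask & 0x1F == 0:
        return {RC4_HMAC}
    return {et for bit, et in MASK_TO_ETYPE.items() if mask & bit}

def describe_mask(mask):
    """Readable etype names for a bitmask, sorted by etype number."""
    return [ETYPE_NAME[et] for et in sorted(supported_etypes(mask))]

def select_etype(client_etypes, account_mask):
    """Return (etype, None) on success or (None, KDC_ERR_ETYPE_NOSUPP).
    There is no second round: the client lists every etype it supports in one
    AS-REQ and the KDC either finds a common one or rejects the request."""
    acceptable = supported_etypes(account_mask)
    for et in client_etypes:
        if et in acceptable:
            return et, None
    return None, KDC_ERR_ETYPE_NOSUPP

if __name__ == "__main__":
    # Constructed scenarios: an RC4-only account still works with an AES-capable
    # client; an object restricted to AES fails when the peer offers only RC4.
    scenarios = [("rc4-only user, win7 client", WIN7_CLIENT_ETYPES, 0x04),
                 ("unset attribute, win7 client", WIN7_CLIENT_ETYPES, 0x00),
                 ("aes-only object, rc4-only peer", [RC4_HMAC], 0x18)]
    for label, client, mask in scenarios:
        et, err = select_etype(client, mask)
        outcome = ETYPE_NAME[et] if err is None else f"KDC error {err} ETYPE_NOSUPP"
        print(f"{label:31} {describe_mask(mask)} -> {outcome}")
```

On a domain controller, a request that ends with no common etype shows up in the Kerberos authentication ticket request audit (event 4768) with failure code 0xE, the hex form of the value 14 the model returns.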