Hi,
Based on my understanding: if clients want to access a resource in another domain as you mentioned, the service tickets should be issued by the KDC in the target domain (where the resource is located).
Reference: https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)
When a client requests a service ticket for a server in a remote Kerberos realm, the request is sent to the KDC in the client account's realm. The KDC determines that the server is in another realm, so it cannot issue a service ticket. This can only be done by a KDC in the target server's realm. So, instead of issuing the service ticket, the KDC in the client account's realm issues a TGS referral.
For your question:
So it means it can contain only Domain A Global groups, Domain A Universal groups and Domain B Universal groups. So forest global groups mean all universal groups of all domains in a forest (intra-forest logon). Correct?
I'm afraid I didn't understand you clearly; please give more details. For example, how did you assign the permission to users on the resource, and what is the group membership of the user?
Do you mean the SIDs in the access token when the user accesses a resource in another domain?
Generally speaking,
Since a domain local group's scope is limited to the domain in which it resides, it is only added to a user's token when the user authenticates to a resource within the same domain as the domain local group.
No matter where a user authenticates, all of the user’s global groups will be included in the user’s access token.
Universal groups also add a SID to a user's access token no matter which domain the group or the user resides in.
If you still have questions, feel free to let us know.
The following links are for your reference:
Active Directory Security Groups: https://video2.skills-academy.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
https://www.giac.org/paper/gsec/5111/kerberos-access-token-limitations/104962(Third-party link)
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Best Regards,
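Added example (not part of the reply above, and not Microsoft's code): a PowerShell script that makes the two points in the reply observable on a domain-joined host. `Get-TokenGroupScopes` walks the group SIDs in the current access token and looks up each AD group's home domain and scope (DomainLocal, Global or Universal), so you can check that the global and universal groups are present and which domain's domain-local groups appear. `Show-CrossRealmTickets` requests a service ticket for an SPN and then lists the ticket cache, where a server in another domain shows up as a cross-realm TGT entry (`krbtgt/<target realm> @ <your realm>`) obtained through the referral, followed by the service ticket itself. Assumptions: the RSAT ActiveDirectory module is installed, the account can read group objects in each domain it is a member of, and the SPN `cifs/fs01.domainb.example` is a placeholder to replace with a real one; the function and parameter names are this example's own.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumes a domain-joined host with the RSAT ActiveDirectory module and an
# account that can read group objects in each domain it belongs to.
Import-Module ActiveDirectory

function Get-TokenGroupScopes {
    # Enumerate the group SIDs in the current access token and resolve, for each
    # AD group, its home domain and scope (DomainLocal / Global / Universal).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $name  = $null
        $scope = $null
        # Translate may fail for SIDs from a domain this host cannot reach; keep the raw SID then.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        $domain = if ($name) { $name.Split('\')[0] } else { '' }

        # BUILTIN / NT AUTHORITY / NT SERVICE entries are not AD group objects, so no scope lookup.
        if ($name -and $name -notmatch '^(BUILTIN|NT AUTHORITY|NT SERVICE)\\') {
            try {
                # -Identity accepts a SID string; -Server sends the query to the group's own domain.
                $scope = (Get-ADGroup -Identity $sid.Value -Server $domain -ErrorAction Stop).GroupScope
            } catch {
                $scope = 'lookup failed'
            }
        }

        [pscustomobject]@{
            Domain = $domain
            Name   = $name
            Scope  = $scope
            SID    = $sid.Value
        }
    }
}

function Show-CrossRealmTickets {
    param(
        # SPN of a service in the other domain, e.g. cifs/fs01.domainb.example (placeholder).
        [Parameter(Mandatory)][string]$Spn
    )
    # Requesting the ticket goes to the KDC of the user's own domain; for a server in
    # another domain that KDC answers with a referral, so the cache ends up holding a
    # cross-realm TGT (Server: krbtgt/DOMAINB.EXAMPLE @ DOMAINA.EXAMPLE) in addition
    # to the service ticket that the target domain's KDC finally issues.
    klist get $Spn | Out-Null
    klist | Select-String -Pattern 'Server:'
}

# Usage (interactive):
Get-TokenGroupScopes | Sort-Object Scope, Domain, Name | Format-Table -AutoSize
Show-CrossRealmTickets -Spn 'cifs/fs01.domainb.example'
```

One caveat when reading the output: `Get-TokenGroupScopes` inspects the token of the logon session on the host where it runs, so the domain-local groups it shows are those of that host's domain. The token that matters for a file share or other resource in Domain B is the one built on the Domain B server when the service ticket is presented there; to see that one, run the function in a session on that server.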