In this case there was a two-way forest trust between two forests. Forest 1 contained a single domain, Domain1; Forest 2 contained several domain trees. There was also an external trust between Domain1 and DomainB.
Users from both forests were able to log in successfully on workstations that were also members of both forests. However, when users from DomainB tried to access resources in Domain1 (the file share \\server1.domain1.local\fileshare), they received a credential prompt asking for a valid username and password. On the domain controllers in Domain1, an audit failure was logged with the following details:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: user@domainB.local
Account Domain: domainB.local
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: cifs/server1.domain1.local
Service ID: NULL SID
Network Information:
Client Address: ::ffff:a.b.c.d
Client Port: 49783
Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0xffffffff
Failure Code: 0xc
Transited Services: -
According to https://technet.microsoft.com/en-us/library/bb463166.aspx, failure code 0xC is KDC_ERR_POLICY.
I successfully resolved this issue by enabling the name suffix DomainB on the Name Suffix Routing tab of the trust properties in Forest 1. After the DomainB suffix was enabled on the Name Suffix Routing tab, users from DomainB could access resources in Domain1 using Kerberos without any credential prompt.
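The same diagnosis can be scripted. The following is an added example, not part of the original post: it pulls the audit-failure service ticket events (event ID 4769) with failure code 0xC from the Security log and then lists the name suffix routing status of every forest trust. It assumes an elevated session on a domain controller in Domain1 and a 24-hour lookback window.

```powershell
# Added example. Assumptions: elevated session on a DC in Domain1, 24-hour window.
$lookbackHours = 24

# 1. Event 4769 (Kerberos service ticket requested), audit failures only.
$filter = @{
    LogName   = 'Security'
    Id        = 4769
    Keywords  = 4503599627370496   # 0x10000000000000 = Audit Failure
    StartTime = (Get-Date).AddHours(-$lookbackHours)
}
$failures = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only KDC_ERR_POLICY (0xC); Status is logged as a hex string such as "0xc".
    if ($data['Status'] -and [Convert]::ToInt32($data['Status'], 16) -eq 0xC) {
        [pscustomobject]@{
            Time          = $evt.TimeCreated
            Account       = $data['TargetUserName']
            AccountDomain = $data['TargetDomainName']
            Service       = $data['ServiceName']
            Client        = $data['IpAddress']
        }
    }
}

# 2. Which account domains are being refused, and for which services?
$failures | Group-Object AccountDomain, Service | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Name suffix routing state for each forest trust of the current forest.
#    A status other than Enabled means the suffix is not routed across the trust.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$suffixes = foreach ($trust in $forest.GetAllTrustRelationships()) {
    foreach ($tln in $trust.TopLevelNames) {
        [pscustomobject]@{
            Trust   = $trust.TargetName
            Suffix  = $tln.Name
            Routing = $tln.Status   # Enabled, NewlyCreated, AdminDisabled, ConflictDisabled
        }
    }
}
$suffixes | Sort-Object Trust, Suffix | Format-Table -AutoSize
```

If the account domain that dominates step 2 has a suffix in step 3 whose routing status is not Enabled, that matches the situation described above.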