This configuration parameter specifies whether you want to allow the agent to query trusted domains and forests for transitive trust information. The parameter’s value can be true or false. If you set this parameter to true, the adclient process generates a krb5.conf that includes information from all trusted forests and can be used to authenticate cross-forest users to Kerberos applications. If you set this parameter to false, the agent does not query external trusted domains or forests for information.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

If you are manually setting this parameter, the parameter value should be true or false. The default value is true. For example: true

Note: Querying external trusted forests can take a significant amount of time if the other forests are blocked by firewalls. You may want to set this parameter to false if your trust relationships, network topology, or firewalls are not configured properly for access.