Using multi-factor authentication when there are selective cross-forest trusts
If you have domains in different forests that have a two-way selective trust relationship, any computer or user accounts that are used to log on to the remote forest must be granted the “Allowed to authenticate” right on the domain controllers in both forests to get role information.
In addition to granting the “Allowed to authenticate” right to users and to computers with the Centrify Agent for Windows installed, the right must also be granted to computers that host your Centrify connectors.
After you grant these computers and users the “Allowed to authenticate” right for the domains in both forests, users that are assigned a role with a multi-factor authentication right for login and privilege elevation will be able to authenticate using any of the authentication mechanisms that you have assigned to them.
If a connector is not allowed to authenticate on the remote domain controller, some multi-factor authentication mechanisms may fail to authenticate users.