When a user logs on to a domain in which trust relationships are established between domains, the account is verified by the process of pass-through authentication. Pass-through authentication makes it possible for users to log on from machines or domains in which they have no account. With pass-through authentication, a user can have an account on only one domain and still access the entire network—including all its trusted domains.
When a user logs on to a resource (trusting) domain, an access token containing the user's SID will be passed on to the account (trusted) domain. Authentication of both the user's identity and password will actually take place within the account domain, hence the name pass-through authentication. This mechanism effectively allows a user to have an account in only one domain and yet access the entire network using trusted domains.
For example, in a large network consisting of several domains linked by trust relationships, a user can log on at a machine in Domain A and be verified by the user accounts database in Domain B.
Pass-through authentication occurs under one of these circumstances:
It does not matter where the users are physically located; it only matters where their accounts reside. As long as a user has an account in the trusted domain, the user can log on from anywhere in any domain, provided that the domain being logged on from trusts the account domain. In other words, users can log on from any trusting domain as long as they log on to the trusted account domain.
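The routing described above can be made concrete with a small model. The following is an added illustration, not code from the page or from Windows: domain names, accounts and passwords are constructed sample data, the stored verifier is a generic PBKDF2 stand-in rather than the NT password hash, and the `Network`, `Domain` and `logon` names are inventions for this example. Trusts are modelled as one-way and non-transitive, as NT domain trusts are, so the model shows the credentials being checked only by the account (trusted) domain and the request failing when the trust in the right direction does not exist.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _verifier(domain: str, user: str, password: str) -> bytes:
    # Constructed stand-in for a stored password verifier; not the NT hash.
    salt = hashlib.sha256(f"{domain}\\{user}".encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class Domain:
    name: str
    accounts: dict = field(default_factory=dict)  # user -> verifier
    trusts: set = field(default_factory=set)      # account domains this domain trusts

    def add_account(self, user: str, password: str) -> None:
        self.accounts[user] = _verifier(self.name, user, password)

    def verify(self, user: str, password: str) -> bool:
        """Local credential check: only the account (trusted) domain can do this."""
        stored = self.accounts.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored, _verifier(self.name, user, password))


class Network:
    def __init__(self) -> None:
        self.domains: dict = {}

    def add(self, domain: Domain) -> None:
        self.domains[domain.name] = domain

    def trust(self, trusting: str, trusted: str) -> None:
        """One-way trust: `trusting` (resource domain) trusts `trusted` (account domain)."""
        self.domains[trusting].trusts.add(trusted)

    def logon(self, resource_domain: str, account_domain: str, user: str, password: str):
        """Model the routing decision made when a user logs on in `resource_domain`.

        Returns (success, domain_that_verified_the_credentials). The resource
        domain checks the password itself only when it is also the account
        domain; otherwise it passes the request through to the trusted domain,
        and refuses outright when no trust points from it to the account domain.
        """
        resource = self.domains[resource_domain]
        if account_domain == resource_domain:
            return resource.verify(user, password), resource_domain
        if account_domain not in resource.trusts:
            # No trust from resource domain to account domain: nothing to pass through.
            return False, None
        account = self.domains[account_domain]
        return account.verify(user, password), account_domain


def build_sample_network() -> Network:
    """Constructed sample: A trusts B, B trusts C (no trust from A to C, none from B to A)."""
    net = Network()
    for name in ("A", "B", "C"):
        net.add(Domain(name))
    net.trust("A", "B")
    net.trust("B", "C")
    net.domains["B"].add_account("alice", "correct horse")
    net.domains["C"].add_account("carol", "battery staple")
    return net


if __name__ == "__main__":
    net = build_sample_network()
    print(net.logon("A", "B", "alice", "correct horse"))   # (True, 'B')
    print(net.logon("B", "A", "alice", "correct horse"))   # (False, None)
    print(net.logon("A", "C", "carol", "battery staple"))  # (False, None)
```

The second and third calls in the usage block are the two failure modes worth remembering: a one-way trust from A to B does not let an account from A log on in B, and a chain A trusts B, B trusts C does not let an account from C log on in A, because the trust is not transitive. In every successful case the second element of the result is the account domain, never the resource domain, which is the point the text makes about where verification actually happens.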
For more information on pass-through authentication and how accounts are actually verified, see the Windows NT Resource Kit, Volume 2: Windows NT Networking Guide.