Your network contains two Active Directory forests named contoso.com and fabrikam.com.
Each forest contains a single domain.
A two-way forest trust exists between the forests. Selective authentication is enabled on the
trust.
Contoso.com contains a group named Group 1.
Fabrikam.com contains a server named Server1.
You need to ensure that users in Group1 can access resources on Server1.
What should you modify?

A.
the permissions of the Group1 group

B.
the UPN suffixes of the contoso.com forest

C.
the UPN suffixes of the fabrikam.com forest

D.
the permissions of the Server1 computer account

Explanation:
Group1 must get the ‘Allowed To Authenticate’ permission on Server1, so I’d go for A, as
given.
Answer D may sound tempting, but it speaks of permissions of the Server1 computer
account.

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 643, 644
After you have selected Selective Authentication for the trust, no trusted users will be able to
access resources in the trusting domain, even if those users have been given permissions.
The users must also be assigned the Allowed To Authenticate permission on the computer
object in the domain.
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced
Features is selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to
authenticate—that is, the computer that trusted users will log on to or that contains
resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the
Allow check box for the Allowed To Authenticate permission.