ExtraSid Diamond Ticket: Patching Impacket for Fully Patched KDCs
You hold a child domain krbtgt key and you want forest root. The plan is an ExtraSid diamond ticket with the Enterprise Admins SID, then chase the referral to the root DC. On a fully patched forest it dies. The KDC returns 0x520 and your TGT gets purged from the cache.
The cause is Impacket, not the trust. Here is the fix.