[keycloak-user] Keycloak authentication/authorization with multiple AD/forests/domains

We have several AD forest, and many domains. Devs want to use Keycloak for authentication/authorization. We also have to deal with some users having the same userid in more than 1 domain. We have trusts between our main/target domain and the other. Keycloak server is in the main domain. Users are used to log as domain\user but not user(a)fqdn.of.domain What would be the best to do that? If Keycloak Kerberos authentication is configured, is it possible to know from which domain the authenticated user is from to fetch more information from LDAP after that? Can we front Keycloak with an IIS with windows authentication and use the http session variables somehow in keycloak as the user is already authenticated? Other options?