The one sure-fire way I've found to authenticate users that are on the other side of a one-way trust is with the LogonUserEx function in the advapi32.dll library. I know for sure that the LOGON32_LOGON_INTERACTIVE logon type works, and that the LOGON32_LOGON_BATCH does not. LogonUserEx accepts both domain and user name as separate arguments or a UPN for the user name with a null domain argument.
Now Kentico is a little weird in that they have two out of the box authentication providers, one for authenticating against the Kentico DB and another for logging onto AD using the ActiveDirectoryMembershipProvider in the System.Web.Security package. That provider does not seem to be able to log in anyone on the other end of a one-way trust. Now Kentico does not let you make a custom provider to use instead, but rather it requires that any custom authentication happen via an event handler.
The Kentico documentation is a little weak on how to make a custom event handler. Here's a link to what they have for Kentico 7 (which is about the same as for Kentico 6) - http://bit.ly/13DXrFA. The only other practical information about making the custom event handler is for Kentico 6, but it should work fine for Kentico 7, and can be found here - http://bit.ly/13DXLEc. As you can see from that link, the event to target is SecurityEvents.Authenticate.Execute.
Hope that helps.