Wia authentication with alternate login RRS feed

  • Question

  • hello guys,
    I have an issue with WIA and alternate login and here is my configuration :
    2 forest with bidirectional trust (windows 2008 R2) ForestA and ForestB
    Adfs 3.0 installed in DomainA (ForestA)
    Alternate login = extensionAttribute1(mail)
    Users are present in both Forests DomainA and DomainB (due to application compatibility)
    Azure AD connect provision user from DomainA and join user from DomainB
    extensionAttribute1 is present only in DomainA
    scenario :
    If John Doe open a session in DomainA and try to connect to SPO, the WIA succeed
    but if Jon Doe open a session in DomainB and try to connect to SPO, the WIA fails.
    How can I modify the O365 claims rules to do a query for the windowsaccountname where the extensionAttribute1 is not null.
    example in SQL style :
    SELECT extensionAttribute1, ObjectGuid FROM 'Active Directory'
    WHERE samAccountName='Username' AND (extensionAttribute1 is not null or extensionattribute1 <> ‘’);

    Wednesday, March 15, 2017 5:46 PM

All replies

  • Before looking more in details in your scenario make sure you are aware of the limitations of using Alternate Login ID with Office 365 workloads: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configuring-alternate-login-id

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, March 15, 2017 8:27 PM
  • Hi ADelon,

    For users logging in from DomainB you will need to update the NameID and the ImmutableID claims to replace them with the appropriate value ObjectGuid from DomainA. I would suggest that you simply copy these values from DomainA onto an attribute on the users in DomainB and look them up using a standard LDAP query.

    Good Luck!


    Wednesday, March 15, 2017 8:39 PM
  • Thank you very much guys for your answers,

    Pierre, this is a temporary situation, the target is clean, we will connect to a single forest and use only the UPN.

    Shane, do you have an example of claim rule to provide ?

    Friday, March 17, 2017 9:41 AM