Is it possible: ADFS, SharePoint 2013, KCD

  • Question

  • Is the following scenario possible?

    Site A:

    • Active Directory domain a.local
    • SharePoint 2013 on Kerberos
    • ADFS 3.0
    • WAP
    • KCD configured
    • Relying Party Trust to SharePoint Web Application (test.a.com)
    • Web Application published through WAP successfully
    • Claims Provider Trust to ADFS in Site B
    • Pass-through claims configured on RP Trust and CP Trust (e-mail address)
    • LDAP claims configured on CP Trust (e-mail address)

    Site B:

    • Active Directory domain b.local
    • ADFS 3.0
    • WAP
    • Relying Party Trust to ADFS in site A
    • Pass-through claims configured on RP Trust (e-mail address)

    When I browse to test.a.com I can select the right (external) claims provider trust and log in with a user from domain b.local. When I do this I receive an HTTP error 500.

    When I select the (internal) claims provider trust and log in with a user from domain a.local, everything works fine.

    Is this scenario possible when using Kerberos? How is the mapping done between a user from domain b.local and domain a.local?

    Thanks in advance!

    Monday, November 7, 2016 3:40 PM


  • There is no mapping. KCD works only for the Active Directory claim provider. There is no mapping. If b.local doesn't trust a.local, you cannot use KCD between those two domains.

    If you need to use users from b.local and do not wish to create a trust you could convert your SharePoint to a claim-based application.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by Todd Heron Monday, November 7, 2016 5:25 PM
    • Marked as answer by S_Up3r Monday, November 7, 2016 7:36 PM
    Monday, November 7, 2016 3:44 PM
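A quick way to confirm the constraint described in the answer on your own deployment, as an added example that is not part of the thread: it lists the enabled claims provider trusts other than the built-in Active Directory one, and the WAP-published applications that rely on KCD (those carrying a backend SPN). Any user arriving through a trust in the first list and hitting an application in the second list will get the error described in the question. The WAP host name `wap01.a.local` is assumed, and the built-in AD trust is assumed to carry the identifier `AD AUTHORITY`.

```powershell
# Added example (not code from the thread). Run on the ADFS 3.0 server in site A.
# Assumptions: the WAP server is reachable as wap01.a.local for PowerShell remoting,
# and the built-in Active Directory claims provider trust has Identifier 'AD AUTHORITY'.

Import-Module ADFS

# Claims provider trusts that are NOT the built-in Active Directory provider.
# KCD cannot impersonate users who authenticated through any of these.
$externalCpTrusts = Get-AdfsClaimsProviderTrust |
    Where-Object { $_.Enabled -and $_.Identifier -ne 'AD AUTHORITY' } |
    Select-Object Name, Identifier

# WAP-published applications that use KCD: these have a backend SPN configured.
$kcdApps = Invoke-Command -ComputerName 'wap01.a.local' -ScriptBlock {
    Import-Module WebApplicationProxy
    Get-WebApplicationProxyApplication |
        Where-Object { -not [string]::IsNullOrEmpty($_.BackendServerAuthenticationSPN) } |
        Select-Object Name, ExternalUrl, ADFSRelyingPartyName, BackendServerAuthenticationSPN
}

# Report: every pairing below is a sign-in path that KCD cannot serve.
if ($externalCpTrusts -and $kcdApps) {
    Write-Warning "KCD-published applications reachable via non-AD claims provider trusts:"
    foreach ($app in $kcdApps) {
        foreach ($cp in $externalCpTrusts) {
            "{0} ({1}) <- claims provider '{2}' [{3}]" -f `
                $app.Name, $app.ExternalUrl, $cp.Name, $cp.Identifier
        }
    }
} else {
    "No KCD application is exposed to a non-AD claims provider trust."
}
```

For those pairings the options are the ones the answer gives: an AD trust so the backend can accept a.local-issued tickets for b.local principals, or switching the SharePoint web application to claims-based (SAML) authentication so no Kerberos delegation is needed.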