ADFS w 1 way trust. How to use different UPN for login?

  • Question

  • This doesn't seem like it should be that difficult but here's the situation:

    I have 2 domains, Prod and Dev.
    Dev trusts Prod.
    Prod does NOT trust Dev.
    ADFS is set up inside Dev, but running as a service account from Prod, which also has an SPN added for HOST/<fqdn adfs>, in PROD.
    Within the PROD domain, I have multiple UPNs configured; however, the only one I can successfully log in with is the actual domain name, that is, a successful login would be first.last@corp.ad.pvt, or CORP\first.last, but the desired one is the email address, which is first.last@company.com.

    Friday, July 6, 2018 1:54 PM

All replies

  • Greetings,

    You can enable Alternate Login ID in ADFS to address this requirement. Please find below the link.

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

    Regards

    Eric


    Microsoft Forum Update

    Monday, July 9, 2018 7:16 AM
  • Thanks Eric-

    I did think about that and tried that, but re-reading the article did actually make me think about something: I had been trying to enable the user from the ADFS server in the Dev domain, reaching back to PROD, while logged in as a PROD user. "Couldn't contact the PROD forest" is the message I would get, but then it makes sense in that A) it's a one-way trust, and even logged in as a PROD user, the computer is not trusted, and B) the user exists in the PROD domain, therefore I should log on to a PROD DC and enable the AltID from there. I'll give that a shot and report back.

    Wednesday, July 11, 2018 1:20 PM
  • Eric, one thing that struck me after talking with some others: if our ADFS server lives in DEV, but our users live in CORP, what does the command actually modify, the ADFS service or the users?

    Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests PROD.com

    I ask because, if I run this from my DEV ADFS box, I get the message that the forest cannot be contacted; however, I can ping PROD.com with no problem. I could run this command from inside the PROD.com domain, but if it's an ADFS object that is being modified with this command (as we believe it is), it doesn't seem like it would do any good? I've already run the command in the DEV domain, but that doesn't seem to have any effect on PROD users.

    Wednesday, July 11, 2018 7:07 PM
  • Greetings,

    The command modifies the claims provider trust object in the ADFS server on which the command is run.

    Since the users are in the PROD forest, I presume that you already have a claims provider trust set up to point to the USER forest's attribute store.

    One question keeps nagging me!!! Where is the relying party application located? In PROD or in DEV?

    Eric



    Microsoft Forum Update

    Thursday, July 12, 2018 11:43 AM
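As an added example (not code posted by anyone in this thread), the following PowerShell shows the Alternate Login ID configuration the thread is discussing, run on the AD FS server in DEV, plus the read-back and connectivity checks a practitioner would use to confirm which object changed and whether the lookup forest is reachable. It assumes the user forest's DNS name is corp.ad.pvt (taken from the UPN suffix in the original post; PROD.com in the thread is the poster's placeholder) and that the AD FS service account, which the poster says comes from PROD, can read that forest.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# primary AD FS server (the one in DEV). The AD FS module ships with the role.
Import-Module ADFS

# Assumption: the users' forest is the one behind the corp.ad.pvt UPN suffix.
$userForest = 'corp.ad.pvt'

# 1. Alternate Login ID is a property of the local "AD AUTHORITY" claims provider
#    trust, i.e. an AD FS object, not a user object. -AlternateLoginID names the
#    AD attribute users will type at sign-in (mail = first.last@company.com);
#    -LookupForests lists the forest(s) AD FS searches for that attribute.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID mail `
    -LookupForests $userForest

# 2. Read the setting back from the same AD FS object to confirm what was changed.
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests

# 3. "The forest cannot be contacted" is a lookup-forest reachability problem from
#    the AD FS host, not a user-object problem. Ping answering is not enough: the
#    AD FS service needs LDAP (389) and global catalog (3268) reachability to the
#    lookup forest, under the identity of the AD FS service account.
foreach ($port in 389, 3268) {
    Test-NetConnection -ComputerName $userForest -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 4. To revert the change later, clear both properties on the same object.
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null
```

Because the one-way trust means the DEV computer account is not trusted by PROD, the read in step 3 succeeds only if it is performed as the PROD service account AD FS runs under, which is why running the cmdlet as an interactive PROD user on the DEV box does not by itself prove the service can reach the forest.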