One ADFS 3.0 farm many AD trusted domains

  • Question

  • Hello,

    Has anybody managed to get one ADFS 3.0 farm working that is connected to O365 and authenticates several AD trusted (two-way) domains?

    I am getting errors in the ADFS server's Security log (Event ID: 4625):

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: user@domain.lt
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    Users that are in the same AD domain as the ADFS farm (internal) servers can log in to the ADFS test page successfully.

    Regards,

    Gediminas

    Friday, April 14, 2017 11:23 AM

All replies

  • It looks like a general authentication problem rather than an ADFS authentication problem.

    I have seen many deployments of ADFS for multiple forests. Can the user authenticate in the ADFS forest, keeping ADFS out of the picture? You can collect network traces from the ADFS server and filter the Kerberos traffic; do you see any errors?

    On the ADFS server, try the following command:

    runas /user:domain\username cmd.exe

    and see if the user can authenticate.

    Thursday, July 13, 2017 8:21 AM
  • Yes, it can authenticate using a simple login to the other forest.

    I actually solved this case with the help of MS Premier Support. Trusts must be of the "Forest" type (we had the external trust type); also, the Pre-Windows 2000 group must have "Authenticated Users" as a member.

    Regards,

    Gediminas

    Thursday, July 13, 2017 11:31 AM
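A diagnostic script that checks the two conditions from the answer above (forest-type trusts, and Authenticated Users in each domain's Pre-Windows 2000 Compatible Access group) and confirms the 4625 / 0xC0000064 pattern from the question, added here as an example and not taken from the thread. It assumes the ActiveDirectory PowerShell module is installed on the ADFS server, that 'adfs-home.example' is a placeholder for the farm's own domain, and that the account running it can read trusts and groups in each trusted domain.

```powershell
# Added diagnostic helper (not from the thread). Assumes the ActiveDirectory
# RSAT module and read rights on trusts and groups in every trusted domain.
Import-Module ActiveDirectory

# 1. Trust type: a forest trust reports ForestTransitive = True; an external
#    trust (the thread's original, failing configuration) reports False.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive |
    Format-Table -AutoSize

# 2. Pre-Windows 2000 Compatible Access (well-known SID S-1-5-32-554) must
#    contain Authenticated Users (S-1-5-11) in each trusted account domain.
#    Membership is read from the "member" attribute rather than through
#    Get-ADGroupMember, which can fail on foreign security principals.
function Test-PreWin2000Access {
    param([Parameter(Mandatory)][string]$Domain)   # DNS name of the domain to check
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Server $Domain -Properties member
    $hasAuthUsers = [bool]($group.member |
        Where-Object { $_ -like 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,*' })
    [pscustomobject]@{ Domain = $Domain; AuthenticatedUsersInPreWin2000 = $hasAuthUsers }
}

# Run the check against the ADFS home domain (placeholder) and every trusted domain.
$domains = @('adfs-home.example') + (Get-ADTrust -Filter * | ForEach-Object Name)
$domains | ForEach-Object { Test-PreWin2000Access -Domain $_ }

# 3. Confirm the symptom on the ADFS server: 4625 events whose SubStatus is
#    0xC0000064 (the account was not found in the domain that was queried),
#    grouped by the account name the user typed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            SubStatus = ($data | Where-Object Name -eq 'SubStatus').'#text'
        }
    } |
    Where-Object { $_.SubStatus -eq '0xc0000064' } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A domain that reports AuthenticatedUsersInPreWin2000 = False, or a trust that reports ForestTransitive = False, is the one to fix first; the event summary shows which UPN suffixes are still failing after the change.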