Solved

ADFS 3.0 and UPN Problem

Posted on 2016-11-22
6
15 Views
Last Modified: 2016-11-24
I will do my best to describe our setup.

Windows 2012 R2 ADFS Proxy in the DMZ and one Windows 2012 R2 ADFS internal server. Our default UPN for all users is @child.domain.com (which is the name of our internal domain holding all user accounts) we are piloting o365 right now and about 50 users had to have their UPN's updated to @domain.com.  When these users try to access a host site that is setup on our ADFS server they are not able to authenticate. This worked perfectly up until their UPN was changed.

Question: how can I setup ADFS to have select user get authenticated using a different UPN than our default one.
0
Comment
Question by:compdigit44
  • 3
  • 3
6 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41897925
I ran into this before a while back. The problem ended up being caused by the users' cached credentials. Basically, disable credential caching on the ADFS server and it should resolve the issue for you. http://nerdsknowbest.blogspot.com/2013/04/how-to-disable-credential-caching-in.html
Let me know if it doesn't, though. It's been about 3 years since I ran into this issue, so I may be remembering the fix incorrectly (Another cause may be that the application you are authenticating to is using the old UPN as an identifier for the users, which would mean the user accounts in the application itself need to be modified to reflect the UPN change).
0
 
LVL 19

Author Comment

by:compdigit44
ID: 41898046
Thank you for the feedback. I am not the greatest in ADFS so please bare with me.

So if our domain is child.domain.com and users default UPN is child.domain.com but we switch a hand full of users to domain.com this does not make a difference in ADFS?  

Where would I find this caching setting you are talking about?
0
 
LVL 19

Author Comment

by:compdigit44
ID: 41898439
Thank you for the tip you gave to me earlier.... After further research a I came around the following KB about disabling cahcing on the ADFS servers. What is the downside of doing this?

https://support.microsoft.com/en-us/kb/2535191
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41899045
The only downside is that users won't be able to log in if the ADFS server loses communication with a Domain Controller. That's generally a rare event, so it usually won't make a difference to disable credential caching in ADFS. In some ways it's actually preferable, since it ensures ADFS contacts a DC for each login.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 41899858
Great thanks can you point me to documentation that states this which I could provide to my management as backup proof so they do not think I am making this up since by default ADFS caches credentials
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 41900993
It's not actually ADFS caching the credentials. It's the Windows LSA system doing it. It's basically the same credential caching that happens when you log in to any windows system. If you look up windows credential caching you can get a good explanation of what goes on. The registry setting here is just modifying the number of credentials cached to 0.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

My GPO's made for 2008 R2 servers were not allowing me to RDP into a new 2012 server by default.  That’s why I tried to allow RDP via Powershell, because I could log into a remote shell without further configuration. Below I will describe how I wen…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now