ADFS: AADSTS50107: Requested federation realm object 'http://contoso.NET/adfs/services/trust/' does not exist

contoso.com Federated Domain
contoso.net Managed Domain

We would like shared workstations not to log in automatically in IE, so of course we removed adfs.contoso.COM from the Intranet zone (and from all zones, for that matter).

Shared workstations are logged in with a mix of UPNs, represented by these two examples (these are DirSynced to 365 but are not licensed):

1.  foo1@contoso.com
2.  foo2@contoso.net

The Intranet zone contains *.contoso.net

When the shared workstation was logged in as foo2@contoso.net, we would get the error in the screenshot (below).

So I changed the UPN suffix to foo2@contoso.com (replicated and DirSynced).

Out of 10 workstations, 7 worked: users received the WIA login prompt. The symptoms of the 3 that failed were:

1.  User joe@contoso.com walks up to the shared workstation and launches https://portal.office.com from IE.
2.  He enters joe@contoso.com in the username field and is automatically redirected to adfs.contoso.com.
3.  The user receives no auth prompt and instead is now logged in to foo2@contoso.com's portal.

Notes:

  • contoso.com Federated Domain
  • contoso.net Managed Domain
  • contoso.net is AD Domain name
  • When I originally federated, I used the supportmultipledomain switch even though there is only one top-level federated domain (as more will be federated one day).
  • Thinking supportmultipledomain was a possible issue, I did this last night but it failed:

Convert-MsolDomainToStandard -DomainName contoso.com -SkipUserConversion:$true -PasswordFile afile.txt
Convert-MsolDomainToFederated -DomainName contoso.com

and got this error:

Convert-MsolDomainToFederated : The switch parameter SupportMultipleDomain is required here.


[screenshot of the AADSTS50107 error]

Any assistance would be greatly appreciated.

Thank you.


footech

I think this comes down to a cookie issue.
You may have to restrict users to only using InPrivate mode so that IE doesn't use existing cookies. At the very least, have joe@contoso.com launch IE in InPrivate mode and see if he can log in correctly.

K B (ASKER)

Thank you for your reply.

GPOs prevent that, unfortunately. And that would be a bit unmanageable: thousands of workstations.

I cleared the cookies and tried again and still the same issue anyway.

I also ran klist purge.

K B (ASKER)

Could this have anything to do with the Kerberos 10-hour ticket duration?

I am confused why *.contoso.net in the Intranet zone AND the shared workstation login foo@contoso.net would clash. I thought that to prevent autologin I simply had to remove adfs.contoso.com (the URL for ADFS) from the Intranet zone.

This has me baffled.


footech

The only way I see that logging on to the portal with foo2@contoso.net would get you a redirect to adfs.contoso.net would be if that domain (contoso.net) was set up for federation.

I have observed the issue of logging on to the portal with different usernames but still connecting as the one user (all while logged on to the workstation as a single user). Unfortunately I can't say what all the possible causes would be. A different browser or InPrivate mode have been my workarounds in that case.

When you say "shared workstations", what do you mean exactly? Just that the workstations are shared (multiple people using the machine under their own login), or are the logins shared as well (multiple people using the same machine, all logged on to the machine as the same account)?

K B (ASKER)

Thank you.

Shared workstations are one login and it stays logged in... multiple users walk up and use OWA.

SOLUTION (footech): answer hidden behind membership login.

ASKER CERTIFIED SOLUTION (Vasil Michev (MVP)): answer hidden behind membership login.

K B (ASKER)

So, as it turns out (and this is on me for not knowing this):

When using Site to Zone Assignments,

contoso.com     is the exact same as     *.contoso.com

Both are considered wildcards for contoso.com.
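To make that finding checkable before it bites, here is an added Python example (my own, not code from this thread, from Microsoft, or from any of the posters) that models how a Site to Zone Assignment list resolves a host name to a zone. It assumes, as the thread concludes, that a bare domain entry such as contoso.com covers the domain and every subdomain exactly like *.contoso.com, that a full host name entry covers that host, and that when several entries match the longest (most specific) one wins; scheme prefixes on entries are ignored for simplicity. The zone numbers are the ones the policy itself uses (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites); the two assignment lists are constructed to mirror the thread's scenario.

```python
"""Model of Internet Explorer Site to Zone Assignment matching.

Added example, not code from the thread. Assumptions not stated on the
page: a bare domain entry behaves like "*.domain" (the thread's finding),
the longest matching entry wins, and scheme prefixes on entries are
ignored.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Zone numbers as written by the Site to Zone Assignment List policy.
ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
INTERNET = 3  # hosts with no matching entry fall into the Internet zone


def _hostname(url_or_host: str) -> str:
    """Lower-cased host name from either a URL or a bare host/pattern."""
    if "://" in url_or_host:
        return (urlsplit(url_or_host).hostname or "").lower()
    return url_or_host.lower()


def entry_matches(entry: str, host: str) -> Optional[int]:
    """Specificity of `entry` for `host` (length of the matched suffix),
    or None when the entry does not apply to the host."""
    pattern = _hostname(entry)
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        # Explicit wildcard: the domain itself and any subdomain.
        if host == suffix or host.endswith("." + suffix):
            return len(suffix)
        return None
    if host == pattern:
        return len(pattern)
    # Bare entry: treated like *.pattern (assumption from the thread's
    # finding), so subdomains of the listed name match as well.
    if host.endswith("." + pattern):
        return len(pattern)
    return None


def zone_for(host_or_url: str, assignments: Dict[str, int]) -> Tuple[int, Optional[str]]:
    """Resolve (zone, winning entry) for a host given {entry: zone}.
    Longest matching entry wins (assumption); unmatched hosts are Internet."""
    host = _hostname(host_or_url)
    best = None  # (specificity, zone, entry)
    for entry, zone in assignments.items():
        score = entry_matches(entry, host)
        if score is not None and (best is None or score > best[0]):
            best = (score, zone, entry)
    if best is None:
        return INTERNET, None
    return best[1], best[2]


def adfs_in_intranet(assignments: Dict[str, int], adfs_host: str = "adfs.contoso.com") -> bool:
    """True when the AD FS host would get Windows Integrated Auth silently."""
    return zone_for(adfs_host, assignments)[0] == 1


def audit(host: str, assignments: Dict[str, int]) -> str:
    """Human-readable line explaining which entry put the host in its zone."""
    zone, entry = zone_for(host, assignments)
    via = f" via entry '{entry}'" if entry else " (no matching entry)"
    return f"{host}: {ZONES[zone]}{via}"


# Constructed assignment lists modelled on the thread (not the asker's real GPO).
# INTENDED: only the AD domain in the intranet zone, AD FS host deliberately absent.
INTENDED = {"*.contoso.net": 1}
# WITH_BARE_DOMAIN: a bare "contoso.com" intranet entry silently covers adfs.contoso.com.
WITH_BARE_DOMAIN = {"*.contoso.net": 1, "contoso.com": 1}

if __name__ == "__main__":
    for label, assignments in (("intended", INTENDED), ("with bare domain", WITH_BARE_DOMAIN)):
        print(f"{label}: {audit('https://adfs.contoso.com/adfs/ls/', assignments)}")
```

Running the script prints which entry pulled the AD FS host into the intranet zone; the same function can be fed the entries exported from a real Site to Zone Assignment List to confirm that no bare-domain entry covers the federation service host before relying on zone removal to stop automatic WIA.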
