Sharepoint authentication cross forest

Hi

I have a domain (domain1.local) with ADFS and SharePoint. I want to have some users that are part of another forest (domain2.local) authenticate through ADFS to access SharePoint.
I have a full 2-way trust between the domains. Is there another configuration needed on the ADFS side to get the authentication to work? I can add new claims and pinpoint to groups in the forest domain2.local, but I get the following error:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://intranat.externaldomain.se

Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: testuser@domain2.local-The user name or password is incorrect ---> System.IdentityModel.Tokens.SecurityTokenValidationException: testuser@domain2.local ---> System.ComponentModel.Win32Exception: The user name or password is incorrect

Alex

Commented:
I have a domain (domain1.local) with adfs and sharepoint. I want to have some users that are part of another forest (domain2.local) authenticate through adfs to access sharepoint.


That's not indicative of another forest but another domain, can you please confirm?

Also, from my understanding you need to make sure that the UPN suffixes in each forest match the registered domain in Azure AD.
carlos soto, IT Administrator

Author

Commented:
Hi Alex,

These are 2 different domains, in separate AD forests. These domains are not synchronized to Azure AD; they are only present locally.
So the scenario is:
a user from domain2.local authenticates to ADFS in domain1.local to access SharePoint in domain1.local. In my understanding the ADFS server, through a relying party trust and a claim, should ask the domain controllers in domain2.local to verify the user's credentials.

Am I wrong, or am I missing something?
br
Carlos
IT Administrator
Commented:
We solved the problem. The issue was that the user we tried with didn't have all the AD information populated. The claim provider expected the email attribute and our account didn't have it, so that's why the error.
The error message in the audit log wasn't so helpful.
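The root cause found above (a claim rule reading an AD attribute that the cross-forest account never had populated) is easy to check up front. The following PowerShell is an added example, not code from this thread: it reads the relying party's issuance transform rules on the AD FS server, extracts the AD attributes their "Active Directory" store queries use, and reports which of them are empty on the account in the trusted forest. The relying party identifier is taken from the error in the original post; the account name and the assumption that the ADFS and ActiveDirectory modules are available with rights to query domain2.local are placeholders.

```powershell
# Added example (not from the thread): check that a cross-forest account has every
# AD attribute the relying party's claim rules read, before testing a sign-in.
# Assumptions: run on the AD FS server with the ADFS and ActiveDirectory modules,
# with rights to query the trusted forest; account name below is a placeholder.
Import-Module ADFS
Import-Module ActiveDirectory

$RelyingParty  = 'https://intranat.externaldomain.se'   # from the thread's error
$TrustedDomain = 'domain2.local'
$SamAccount    = 'testuser'                             # placeholder account

# 1. Pull the issuance transform rules and collect every LDAP attribute read by an
#    Active Directory store query. In claim rule language the query string looks
#    like   query = ";mail,userPrincipalName;{0}"   (filter;attributes;domain).
$rules = (Get-AdfsRelyingPartyTrust -Identifier $RelyingParty).IssuanceTransformRules
$required = [regex]::Matches($rules, 'query\s*=\s*"[^"]*?;([^;"]+);') |
    ForEach-Object { $_.Groups[1].Value -split ',' } |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

if (-not $required) {
    Write-Warning "No Active Directory store claim rules found for $RelyingParty"
    return
}
"Claim rules for $RelyingParty read these AD attributes: $($required -join ', ')"

# 2. Look the account up in the trusted forest (-Server accepts a domain name and
#    uses the DC locator) and report any required attribute that is empty. In the
#    thread, an empty 'mail' surfaced only as "The user name or password is incorrect".
$user    = Get-ADUser -Server $TrustedDomain -Identity $SamAccount -Properties $required
$missing = $required | Where-Object { -not $user.$_ }

if ($missing) {
    Write-Warning "$SamAccount@$TrustedDomain is missing: $($missing -join ', ')"
} else {
    "All claim-rule attributes are populated for $SamAccount@$TrustedDomain."
}
```

Run it for each claim-provider or relying-party trust whose rules query AD, since each can read a different attribute set.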