Forum Discussion
O365 Multi forest ADFS <> Domain Controller Communication
I'm thinking client to ADFS server communications from the fabrikam.com clients in the other forest to the ADFS server(s) in contoso.com also require:
- Opening port 443 on the firewall so the fabrikam.com clients can talk to adfs.contoso.com over HTTPS.
- Using split DNS and a conditional forwarder for adfs.contoso.com in the fabrikam.com DNS servers so they can resolve the address across the VPN/direct tunnel, if it exists.
- Adding adfs.contoso.com to the Intranet zone for fabrikam.com clients via GPO.
- Configuring fabrikam.com clients to bypass proxies when accessing adfs.contoso.com.
Will test this in my lab and get back with the results.
Yes, I got this working! I used all of the ports listed in the AD section here (https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows#4) and also added Kerberos tcp/88. I also implemented the other communications I suggested, and SSO to office.com from the trusted forest works beautifully.
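An added verification script (not from the original thread) that a fabrikam.com admin can run on a client to confirm the four client-side items listed above before testing SSO. It assumes adfs.contoso.com is the farm name and that the Site to Zone Assignment GPO writes the usual ZoneMap registry keys.

```powershell
# Added example, not from the thread: check the four client-side prerequisites
# for cross-forest ADFS access from a fabrikam.com client.
$AdfsHost = 'adfs.contoso.com'   # assumed farm name
$results  = [ordered]@{}

# 1. Name resolution: the conditional forwarder / split DNS should return an
#    address reachable over the VPN or tunnel, not a public one.
$dns = Resolve-DnsName -Name $AdfsHost -Type A -ErrorAction SilentlyContinue
$results['DNS resolves'] = [bool]$dns
if ($dns) { Write-Host "Resolved to: $(($dns | Where-Object Type -eq 'A').IPAddress -join ', ')" }

# 2. Firewall: TCP/443 must be open from this client to the ADFS server.
$tcp = Test-NetConnection -ComputerName $AdfsHost -Port 443 -WarningAction SilentlyContinue
$results['TCP 443 reachable'] = $tcp.TcpTestSucceeded

# 3. Intranet zone: the GPO writes ZoneMap\Domains\<domain>\<host> with https = 1
#    (1 = Local intranet). Policy keys are checked first, then the user key.
$zoneRoots = @(
  'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
  'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$labels    = $AdfsHost.Split('.')                 # adfs, contoso, com
$hostKey   = $labels[0]                           # adfs   (three-label name assumed)
$domainKey = $labels[1..($labels.Length - 1)] -join '.'   # contoso.com
$inIntranet = $false
foreach ($root in $zoneRoots) {
  $key = Join-Path (Join-Path $root $domainKey) $hostKey
  $val = Get-ItemProperty -Path $key -Name https -ErrorAction SilentlyContinue
  if ($val -and $val.https -eq 1) { $inIntranet = $true; break }
}
$results['Intranet zone (https=1)'] = $inIntranet

# 4. Proxy bypass: either no proxy is enabled, or the host matches a ProxyOverride
#    entry (wildcards such as *.contoso.com are honoured via -like).
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
$overrides = @($ie.ProxyOverride -split ';' | Where-Object { $_ })
$bypassed  = ($ie.ProxyEnable -ne 1) -or [bool]($overrides | Where-Object { $AdfsHost -like $_ })
$results['Proxy bypassed'] = $bypassed

$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

Run it in the user's context, since the Intranet zone and proxy settings are per-user; a False on any line points at the corresponding item in the list above.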