Forum Discussion
Office 365 authentication with single tenant and multiple forests without AD trusts
- Feb 27, 2018
If you cannot establish trusts between your forests then you will have to federate them separately, deploying different ADFS for each forest. After that you can establish different trusts with Azure AD:
Hi,
Thanks for your reply. That sounds good. Do you know if it is also working with Pass-Through Authentication?
Kind regards
Patrick
No, sorry. Pass-through authentication requires trust between your forests.
- Pablo R. Ortiz, Feb 27, 2018, Iron Contributor
You could try Seamless Single Sign-On with a different authentication method
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
- Patrick B, Feb 27, 2018, Brass Contributor
Ok thanks. Then we have to use password sync but I think this is not an option. Then ADFS is the only option.
I thought the article you posted was just about setting up different top-level domains (or sub-domains). But that doesn't say anything about multiple ADFS servers in different forests?
Kind regards
Patrick
- Pablo R. Ortiz, Feb 27, 2018, Iron Contributor
If you want federation, you need ADFS, but you have several forests with no trusts between them; that's why you need separate ADFS for each forest.