Feb 27 2018
03:55 AM
- last edited on
Feb 01 2023
01:36 PM
by
TechCommunityAP
Hi,
We have the following situation:
- 3 dedicated forests
- 1 Office 365 tenant
- AD trusts are not possible because of duplicated NETBIOS names
I know that we can use Azure AD Connect (1 instance) for all 3 domains without trusts, but what about authentication? As far as I know, AD FS and Pass-Through Authentication need AD trusts between the forests? What possible authentication scenarios are available for that environment (without AD trusts)?
Kind regards
Patrick
Feb 27 2018 05:02 AM
Solution
If you cannot establish trusts between your forests then you will have to federate them separately, deploying different ADFS for each forest. After that you can establish different trusts with Azure AD:
Feb 27 2018 05:40 AM - edited Feb 27 2018 06:10 AM
Hi,
Thanks for your reply. That sounds good. Do you know if it is also working with Pass-Through Authentication?
Kind regards
Patrick
Feb 27 2018 05:54 AM
No, sorry. Pass-through authentication requires Trust between your forests.
Feb 27 2018 06:01 AM
You could try Seamless Single Sign-On with a different authentication method
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
Feb 27 2018 06:11 AM - edited Feb 27 2018 06:11 AM
Ok thanks. Then we have to use password sync, but I think this is not an option. Then ADFS is the only option.
I thought the article you posted was just about setting up different top-level domains (or sub-domains). But that doesn't say anything about multiple ADFS servers in different forests?
Kind regards
Patrick
Feb 27 2018 06:15 AM
If you want federation, you need ADFS, but you have several forests with no trusts between them, that's why you need separate ADFS for each forest.
Feb 27 2018 06:27 AM
Yeah, I understand that, but I don't understand the context of the article you posted because it's about multiple root-level domains with ADFS. There is no info on whether it is relevant for one ADFS farm with trusts or multiple ADFS farms without trusts.
Kind regards
Patrick
Feb 27 2018 06:29 AM
The article is just a guide for a single ADFS farm; you will have to perform those steps in each of your multiple ADFS farms.
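The per-forest federation described in this thread, as an added example that is not part of the original posts or of any Microsoft guidance: each forest gets its own AD FS farm, each forest's verified domain is converted to federated from that forest's AD FS server, and afterwards the tenant is checked from one place to confirm that every domain is federated and that no two domains share an IssuerUri (Azure AD rejects a second federated domain whose issuer matches an existing one, which is exactly what happens when two independent farms are left at their default identifier). The domain names and server names are assumed placeholders; the cmdlets are from the MSOnline module.

```powershell
# Step 1 (run once per forest, on that forest's primary AD FS server):
# point the MSOnline cmdlets at the local farm and federate the forest's domain.
# Domain and host names are assumed placeholders.
#   Import-Module MSOnline
#   Connect-MsolService
#   Set-MsolADFSContext -Computer 'adfs01.forest-a.local'
#   Convert-MsolDomainToFederated -DomainName 'forest-a.example.com'
# Repeat the same four lines on the AD FS server of forest B and forest C
# with their own domain and server names.

# Step 2 (run from any admin workstation): verify the tenant side.
Import-Module MSOnline
Connect-MsolService

# One verified domain per forest (assumed placeholders)
$forestDomains = @('forest-a.example.com', 'forest-b.example.com', 'forest-c.example.com')

$results = foreach ($d in $forestDomains) {
    $domain = Get-MsolDomain -DomainName $d
    if ($domain.Authentication -ne 'Federated') {
        Write-Warning "$d is '$($domain.Authentication)', not Federated; conversion in that forest is still missing"
        continue
    }
    $fed = Get-MsolDomainFederationSettings -DomainName $d
    [pscustomobject]@{
        Domain         = $d
        IssuerUri      = $fed.IssuerUri
        PassiveLogOnUri = $fed.PassiveLogOnUri
    }
}
$results | Format-Table -AutoSize

# Each independent AD FS farm must present its own IssuerUri to Azure AD.
# Two farms left at the default identifier collide, so flag any duplicates.
$dupes = $results | Group-Object -Property IssuerUri | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    Write-Warning ("Duplicate IssuerUri across forests: " + ($dupes.Name -join ', '))
} else {
    Write-Output "All federated domains use distinct IssuerUri values."
}
```

The PassiveLogOnUri column is the second thing to read in the output: for this topology each domain should resolve to a different AD FS endpoint, one per forest, which is a quick way to confirm that users from forest B are not being redirected to forest A's farm.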
Feb 27 2018 07:07 AM