cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Office 365 authentication with single tenant and multiple forests without AD trusts

Patrick B
Brass Contributor

‎Feb 27 2018 03:55 AM - last edited on ‎Feb 01 2023 01:36 PM by

‎Feb 27 2018 03:55 AM - last edited on ‎Feb 01 2023 01:36 PM by

Office 365 authentication with single tenant and multiple forests without AD trusts

Hi,

We have the following situation:

- 3 dedicated forests

- 1 Office 365 tenant

- AD trusts are not possible because of duplicated NETBIOS names

 

I know that we can use Azure AD Connect (1 instance) for alle 3 domains without trusts but what is about authentication? As far as I know AD FS and Pass-Through Authentication need AD trusts between the forests? What possible authentication scenarios are available for that environment (without AD trusts)?

 

Kind regards
Patrick

9,852 Views
0 Likes
9 Replies
Reply
9 Replies
best response confirmed by Patrick B (Brass Contributor)
Pablo R. Ortiz

‎Feb 27 2018 05:02 AM

‎Feb 27 2018 05:02 AM

Solution

Re: Office 365 authentication with single tenant and multiple forests without AD trusts

If you cannot establish trusts between your forests then you will have to federate them separately, deploying different ADFS for each forest. After that you can establish different trusts with Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-multiple...

0 Likes
Reply
Patrick B

‎Feb 27 2018 05:40 AM - edited ‎Feb 27 2018 06:10 AM

‎Feb 27 2018 05:40 AM - edited ‎Feb 27 2018 06:10 AM

Re: Office 365 authentication with single tenant and multiple forests without AD trusts

Hi,

Thanks for your reply. That sounds good. Do you know if it is also working with Pass-Through Authentication?

 

Kind regards

Patrick

0 Likes
Reply
Pablo R. Ortiz

‎Feb 27 2018 05:54 AM

‎Feb 27 2018 05:54 AM

Re: Office 365 authentication with single tenant and multiple forests without AD trusts

No, sorry. Pass-through authentication requires Trust between your forests.

0 Likes
Reply
Patrick B

‎Feb 27 2018 06:11 AM - edited ‎Feb 27 2018 06:11 AM

‎Feb 27 2018 06:11 AM - edited ‎Feb 27 2018 06:11 AM

Re: Office 365 authentication with single tenant and multiple forests without AD trusts

Ok thanks. Than we have to use password sync but I think this is not an option. Than ADFS is the only option.

 

I thought the article you posted was just about setting up different top-level domains (or sub-domains). But that doesn't say anything about multiple ADFS servers in different forests?

 

Kind regards

Patrick

0 Likes
Reply
Pablo R. Ortiz

‎Feb 27 2018 06:15 AM

‎Feb 27 2018 06:15 AM

Re: Office 365 authentication with single tenant and multiple forests without AD trusts

If you want federation, you need ADFS, but you have several forests with no trusts between them, that's why you need separate ADFS for each forest.

0 Likes
Reply
Patrick B

‎Feb 27 2018 06:27 AM

‎Feb 27 2018 06:27 AM

Re: Office 365 authentication with single tenant and multiple forests without AD trusts

Yeay, i understand that but I dont understand the context to the article you posted because its about multiple root-level-domains with ADFS. There is no info if it relevant for one ADFS farm and trusts or multiple ADFS farms without trusts.

 

Kind regards

Patrick

0 Likes
Reply
Pablo R. Ortiz

‎Feb 27 2018 06:29 AM

‎Feb 27 2018 06:29 AM

Re: Office 365 authentication with single tenant and multiple forests without AD trusts

the article is just a guide for single ADFS farm, you will have to perform those steps in your multiple ADFS

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Patrick B (Brass Contributor)
Pablo R. Ortiz

‎Feb 27 2018 05:02 AM

‎Feb 27 2018 05:02 AM

Solution

Re: Office 365 authentication with single tenant and multiple forests without AD trusts

If you cannot establish trusts between your forests then you will have to federate them separately, deploying different ADFS for each forest. After that you can establish different trusts with Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-multiple...

View solution in original post

0 Likes
Reply