frankywhy asked, frankywhy commented

ADFS [AAD Connect] cannot authenticate user through alternative UPN

Hello, guys.
In Azure I have several domains, two of them with federated status, like:
domain1.com
domain2.com

On premises I have one domain, domain1.com, with the alternative UPN suffix domain2.com, but all users have the primary UPN domain1.com.

Azure AD Connect sends users to Azure with the main UPN, like
user1@domain1.com
user2@domain1.com etc.

So, when I try to log in on office.com with the login user1@domain1.com, it works well: it sends me to the on-premises ADFS and all is good.

But when I try to log in with the alternative UPN, user1@domain2.com, the cloud (office.com) validates this login, but ADFS says:

Incorrect user ID or password. Type the correct user ID and password, and try again.

In the ADFS logs these exceptions appear:

Event ID 342
Token validation failed.

Additional Data

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Error message:
user1@domain2.com-The user name or password is incorrect

then a warning, event ID 1000:

An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.

and event ID 364:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: user1@domain2.com-The user name or password is incorrect ---> System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain2.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect


Tags: adfs, azure-ad-authentication, adfs-to-aad-migration

So after some investigation, I found that a new event appears on the DC:

A Kerberos authentication ticket (TGT) was requested.

Account Information:
Account Name: user1@domain2.com
Supplied Realm Name: domain1.com
User ID: NULL SID

Service Information:
Service Name: krbtgt/domain1.com
Service ID: NULL SID

Network Information:
Client Address: ::ffff:10.10.10.10
Client Port: 62268

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xFFFFFFFF
Pre-Authentication Type: -

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

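The ADFS events 342/364 in the question and the 4768 event in the comment above describe the same failed sign-in from two sides, and only the DC side carries the Kerberos result code. As an added example that is not part of the original thread, the following PowerShell decodes the fields of a 4768 message against the RFC 4120 error codes, so that an ADFS "user name or password is incorrect" can be separated into "no such principal in this realm" (0x6 with NULL SID, as in the comment) and "wrong password for an existing account" (0x18 with a real SID). The function and variable names are my own; the embedded sample message is the event text quoted in the comment, placed inline so the script runs offline.

```powershell
# Added example (not from the original post): decode the Result Code of a
# Windows Security event 4768 ("A Kerberos authentication ticket (TGT) was
# requested") so an ADFS "user name or password is incorrect" can be split
# into its KDC root causes. Live events come from Get-WinEvent on a DC (see
# the usage note); the message from the comment is embedded below as a sample.

# Kerberos error codes as defined in RFC 4120 section 7.5.9 (the subset a
# logon-failure investigation usually meets).
$KdcResultCodes = @{
    '0x0'  = 'KDC_ERR_NONE: ticket issued'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN: client name not found in the KDC database (no account with this UPN or sAMAccountName in the supplied realm)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN: server name not found in the KDC database'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out'
    '0x17' = 'KDC_ERR_KEY_EXPIRED: password expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED: wrong password (pre-authentication data invalid)'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED: pre-authentication required (normal first round trip, not a failure)'
    '0x25' = 'KRB_AP_ERR_SKEW: clock skew too great'
}

function ConvertFrom-Event4768Message {
    <#
    .SYNOPSIS
    Parse the message body of a 4768 event into a diagnosis object.
    #>
    param([Parameter(Mandatory)][string]$Message)

    # Each field in the message is "Label:<whitespace>Value" on its own line.
    function Get-Field([string]$Label) {
        if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { return $Matches[1] }
        return $null
    }

    $account = Get-Field 'Account Name'
    $realm   = Get-Field 'Supplied Realm Name'
    $sid     = Get-Field 'User ID'
    $code    = Get-Field 'Result Code'
    $client  = Get-Field 'Client Address'

    $codeKey = if ($code) { $code.ToLower() } else { '' }
    $meaning = $KdcResultCodes[$codeKey]
    if (-not $meaning) { $meaning = "unlisted code '$code'; see RFC 4120 section 7.5.9" }

    # The security-relevant split: NULL SID plus 0x6 means the KDC never matched
    # the name to an account, so no password was ever checked. A real credential
    # failure for an existing account shows the account SID and 0x18.
    $verdict = switch ($codeKey) {
        '0x6'   { if ($sid -eq 'NULL SID') { 'principal unknown: the submitted name is not resolvable in this realm' } else { 'principal unknown' } }
        '0x18'  { 'bad password for an existing account' }
        '0x0'   { 'success' }
        default { 'other KDC failure' }
    }

    [pscustomobject]@{
        AccountName   = $account
        SuppliedRealm = $realm
        UserSid       = $sid
        ClientAddress = $client
        ResultCode    = $code
        Meaning       = $meaning
        Verdict       = $verdict
    }
}

# Sample input: the 4768 message quoted in the comment above, embedded so the
# script runs without access to a domain controller.
$sample = @"
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:        user1@domain2.com
    Supplied Realm Name: domain1.com
    User ID:             NULL SID

Service Information:
    Service Name:        krbtgt/domain1.com
    Service ID:          NULL SID

Network Information:
    Client Address:      ::ffff:10.10.10.10
    Client Port:         62268

Additional Information:
    Ticket Options:      0x40810010
    Result Code:         0x6
    Ticket Encryption Type: 0xFFFFFFFF
    Pre-Authentication Type: -
"@

ConvertFrom-Event4768Message -Message $sample | Format-List
```

On a domain controller the same function runs over live events with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} -MaxEvents 200 | ForEach-Object { ConvertFrom-Event4768Message -Message $_.Message } | Where-Object Verdict -like 'principal unknown*'`. The client address in the event should be the ADFS server (or WAP) that forwarded the credential, which is how the DC record is tied back to the ADFS 342/364 pair.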

1 Answer

frankywhy answered

The cmdlet gives this output:

Get-MsolDomainFederationSettings -DomainName "domain2.com"
ActiveLogOnUri : https://adfs.domain1.com/adfs/services/trust/2005/usernamemixed
DefaultInteractiveAuthenticationMethod :
FederationBrandName : adfs.domain1.com
IssuerUri : http://domain2.com/adfs/services/trust/
LogOffUri : https://adfs.domain1.com/adfs/ls/
MetadataExchangeUri : https://adfs.domain1.com/adfs/services/trust/mex
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://adfs.domain1.com/adfs/ls/

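As an added example (not the answerer's code), the following PowerShell checks the three places an alternative-suffix sign-in has to line up: the suffix must be federated in the tenant (what Get-MsolDomainFederationSettings above reports for domain2.com), it must be a registered UPN suffix of the forest, and an account must actually carry that exact userPrincipalName, because ADFS hands the submitted name to Windows authentication and the KDC resolves it against the UPN attribute, not against the forest's suffix list. The function name and the sample arrays are constructed from the thread; the commented lines show the live ActiveDirectory and MSOnline cmdlets that would replace the sample data.

```powershell
# Added example (not from the original thread): a pure check that takes the
# login that fails, the UPN suffixes registered in the forest, the UPNs set on
# the synced users and the domains Azure AD reports as federated, and reports
# where the chain breaks for an alternative UPN suffix.

function Test-FederatedUpnLogin {
    param(
        [Parameter(Mandatory)][string]   $Login,
        [Parameter(Mandatory)][string[]] $ForestUpnSuffixes,   # forest root domain plus (Get-ADForest).UPNSuffixes
        [Parameter(Mandatory)][string[]] $UserPrincipalNames,  # userPrincipalName of every synced user
        [Parameter(Mandatory)][string[]] $FederatedDomains     # tenant domains with Authentication = Federated
    )

    $prefix   = ($Login -split '@', 2)[0]
    $suffix   = ($Login -split '@', 2)[1]
    $findings = New-Object System.Collections.Generic.List[string]

    # Home realm discovery: office.com only hands the request to ADFS when the
    # suffix is a federated domain in the tenant.
    if ($FederatedDomains -notcontains $suffix) {
        $findings.Add("$suffix is not federated in Azure AD; the sign-in would not reach ADFS at all.")
    }

    # Registering an alternative suffix on the forest only permits its use; it
    # does not make every user addressable under it.
    if ($ForestUpnSuffixes -notcontains $suffix) {
        $findings.Add("$suffix is not a UPN suffix of the forest.")
    }

    # What ADFS passes to Windows authentication must match a userPrincipalName
    # (or sAMAccountName@realm) the KDC can resolve; otherwise the DC logs 4768
    # with NULL SID and result code 0x6 and ADFS reports a bad user name or password.
    $exactMatch = $UserPrincipalNames -contains $Login
    if (-not $exactMatch) {
        $sameUserOtherSuffix = @($UserPrincipalNames | Where-Object { ($_ -split '@', 2)[0] -eq $prefix })
        if ($sameUserOtherSuffix.Count -gt 0) {
            $findings.Add("No account has userPrincipalName $Login; the same prefix exists as: $($sameUserOtherSuffix -join ', '). Kerberos resolves the UPN attribute, not the forest suffix list.")
        } else {
            $findings.Add("No account has userPrincipalName $Login and no account shares its prefix.")
        }
    }

    [pscustomobject]@{
        Login             = $Login
        Suffix            = $suffix
        FederatedInAzure  = ($FederatedDomains -contains $suffix)
        SuffixInForest    = ($ForestUpnSuffixes -contains $suffix)
        UpnExistsInAD     = $exactMatch
        ExpectedToSucceed = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Constructed sample mirroring the thread: one forest (domain1.com) with the
# alternative suffix domain2.com, users whose UPN is @domain1.com only, and
# both domains federated in Azure AD.
$forestSuffixes = @('domain1.com', 'domain2.com')
$userUpns       = @('user1@domain1.com', 'user2@domain1.com')
$federated      = @('domain1.com', 'domain2.com')

# Live collection in place of the constructed arrays (domain-joined admin host
# with the ActiveDirectory and MSOnline modules, after Connect-MsolService):
#   $forestSuffixes = @((Get-ADForest).RootDomain) + (Get-ADForest).UPNSuffixes
#   $userUpns       = (Get-ADUser -Filter * -Properties userPrincipalName).userPrincipalName
#   $federated      = (Get-MsolDomain | Where-Object Authentication -eq 'Federated').Name

# The primary UPN passes all three checks; the alternative suffix fails only the
# last one, which is the case described in the question.
Test-FederatedUpnLogin -Login 'user1@domain1.com' -ForestUpnSuffixes $forestSuffixes -UserPrincipalNames $userUpns -FederatedDomains $federated | Format-List
Test-FederatedUpnLogin -Login 'user1@domain2.com' -ForestUpnSuffixes $forestSuffixes -UserPrincipalNames $userUpns -FederatedDomains $federated | Format-List
```

The IssuerUri shown for domain2.com (http://domain2.com/adfs/services/trust/) is the per-domain issuer pattern Azure AD expects when one ADFS farm federates several suffixes; whichever suffix a user signs in with, the token ADFS issues must carry the issuer registered for that suffix, so checking which UPN the account actually holds in AD is the first step before touching the federation settings.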