ADFS authenticate users with selective trust

BlackCat 106 Reputation points
2023-07-31T18:12:00.03+00:00

Can ADFS authenticate users with an AD Selective Authentication setup? It works with a two-way trust, but I'm not sure if it will work if I switch to Selective trust.

If this will work, what are the requirements to get it working?

Thanks


1 answer

  1. Limitless Technology 44,751 Reputation points
    2023-08-01T10:33:04.13+00:00

    Hello BlackCat,

    Thank you for your question and for reaching out with your question today.

    Yes, Active Directory Federation Services (ADFS) can authenticate users with an AD Selective Authentication setup. However, there are some considerations and requirements to keep in mind when using ADFS with Selective Authentication.

    Selective Authentication is a security feature in Active Directory that allows administrators to limit the users or groups who can authenticate to resources in a trusted domain. With Selective Authentication, you can control which users in a trusted domain can access resources in another domain with which they have a trust relationship.

    When using ADFS with Selective Authentication, the key requirement is to ensure that the user accounts or groups that need to be authenticated by ADFS are allowed in the Selective Authentication settings of the trusted domain.

    Here are the requirements and steps to make ADFS work with AD Selective Authentication:

    1. Configure Selective Authentication on the Trusted Domain: In the domain with the resources you want to access (the trusted domain), configure Selective Authentication to allow the necessary users or groups from the other domain to authenticate to resources in this domain. This setting is configured in the "Access Control Settings" of the trust properties.
    2. ADFS Service Account Permissions: The service account used by ADFS (often a domain account) must have the necessary permissions in both domains to authenticate users. This includes read access to user attributes necessary for authentication.
    3. ADFS Trust Relationship: Ensure that there is a trust relationship between the ADFS server's domain and the trusted domain. The trust must be properly established and functioning.
    4. ADFS Relying Party Trusts: Set up Relying Party Trusts in ADFS for the applications or services you want to authenticate users to.
    5. Claim Rules: Configure appropriate claim rules in ADFS to send the necessary claims to the Relying Party Trusts. The claim rules define what information is passed to the application after successful authentication.
    6. ADFS and Network Connectivity: Ensure that there is proper network connectivity between the ADFS server and the domain controllers in both domains.
    7. Testing and Troubleshooting: Test the authentication flow thoroughly and troubleshoot any issues that may arise during the configuration.

    Please note that implementing Selective Authentication involves careful planning and considerations for security. Improper configuration of Selective Authentication can lead to authentication failures or security risks.

    Always follow best practices, consult with your organization's security and Active Directory administrators, and thoroughly test the configuration in a lab or staging environment before making changes in a production environment.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.

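As an added illustration of steps 1 and 3 of the answer above (this is not code from the question or the answer), the following PowerShell audit lists the trusts of the current domain with their Selective Authentication flag and then shows which principals hold the "Allowed to Authenticate" extended right on the AD FS server's computer object, which is the ACE a trusted-domain user needs before that computer will accept them under Selective Authentication. It assumes the ActiveDirectory module is available, that it runs in the resource domain, and that `ADFS01` is a hypothetical computer name.

```powershell
# Added audit script (not from the question or answer). Assumes the ActiveDirectory
# module, that it runs in the resource (trusting) domain, and that $AdfsServer is
# the hypothetical sAMAccountName of the AD FS server's computer object.
Import-Module ActiveDirectory

# rightsGuid of the "Allowed-To-Authenticate" control access right in the AD schema
$AllowedToAuthenticateGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-SelectiveAuthTrust {
    # Every trust of this domain and whether Selective Authentication is enabled.
    # A trust with SelectiveAuthentication = $false is a forest/domain-wide trust.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, SelectiveAuthentication
}

function Get-AllowedToAuthenticateAce {
    param([Parameter(Mandatory)][string]$ComputerName)
    # With Selective Authentication, a principal from the trusted domain can only
    # authenticate to this computer if it holds Allowed-To-Authenticate on the
    # computer object's ACL; list every ACE that grants or denies that right.
    $computer = Get-ADComputer -Identity $ComputerName -Properties nTSecurityDescriptor
    $computer.nTSecurityDescriptor.Access |
        Where-Object {
            $_.ObjectType -eq $AllowedToAuthenticateGuid -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

$AdfsServer = 'ADFS01'   # hypothetical computer name; replace with your own

Write-Host '== Trusts and their Selective Authentication setting =='
Get-SelectiveAuthTrust | Format-Table -AutoSize

Write-Host "== Allowed-To-Authenticate ACEs on $AdfsServer =="
Get-AllowedToAuthenticateAce -ComputerName $AdfsServer | Format-Table -AutoSize
```

If the second table is empty while the trust shows SelectiveAuthentication = True, users from the trusted domain will fail authentication at the AD FS server even though the trust itself is healthy.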
