This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I have a ADFS with 2 trusted AD forest, the forest that the ADFS Server belongs to can login and go to the appropriate page, but when enter another user credential at another AD forest, that will redirect to login page, but sometime the problem disappear and exist again after reboot the ADFS Server.
What is the problem?
Check if the Kerberos Pre-Authentication is failing due to incompatible encryption types:-
Try to configuring these for AES128 AES256 and RC4 and then re-enable pre-authentication on the service account, ADFS login/authentication worked correctly.
Thanks for your solution, but after checked, the Kerberos Pre-Authentication is not the reason to occur the problem, actually users is login successful but the ADFS will redirect to login page immediately, and there no any error log regarding login or authentication fail.
But sometime (a short time), the problem is gone, which the users in another AD forest can login and return to correct page. And the problem only occur for the users at another ADS forest that ADFS not belong to, but both AD forest are trusted.
Thanks for your solution, after I checked, the problem is not fixed, and the problem is not occur by Kerberos Pre-Authentication as I found that those login is success but the ADFS redirect to login page immediately, and there no error regarding login or authentication problem.
But the problem may disappear a short time, which mean the users at another AD forest can login can redirect to correct page.
And the problem occur only for the users at another AD forest but both AD forest are trusted.
Thant's not what was suggested. It is not whether pre-authentication is disabled or not. Is whether the encryption type used for pre-authentication is compatible or not.
But let's step back and give us some logs :)
If that's the encryption type, enable the Kerberos logging. And check the System event log once you have repro the problem. It will show you Kerberos encryption errors if that's the case.
And if that's really authentication related, we should see some 4625 in the Security event logs for that user. Share those logs (including the error code sub status). It will tell us what's going on.
Also check the AD FS/Admin logs in case it throws something interesting.