Cross Domain Authentication with ADFS (no domain trust)


Hi everybody,

yesterday i was asked whether it is possible to establish a cross domain authentication with ADFS.


  • Two different Windows Domains (A & B) without any trust configuration
  • Network access between Domains is established with IPSec Site2Site (all ports needs to be opened separately)
  • One specific Windows Service on a server in Domain A has to use an AD Account from Domain B for logon (Windows Service -> Logon -> This Account -> Account from Domain B)

Our partner doesn´t want to establish a domain trust due to security reasons and is therefore asking, if we could realize this athentication process through ADFS?

ADFS is quite new to me and i´m not sure if this scenario is even possible with ADFS?

Kind regards,

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,208 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

    You could use ADFS yes, as long as the application can use a federation protocol for authnetication.
    ADFS does not interact with IPSec though. It is network agnostic.

    You would have two options:

    1. Deploy ADFS in domain A, deploy ADFS in domain B, create a trust between the two (this does not require network connectivity, you can do it with exporting importing files). The user will have to be able to do IPSec though.
    2. Deploy ADFS in domain A only and create an LDAP provider for the domain B. User won't have SSO but they will be able to use their own account. In that scenario, not only the users will still need to do IPSec ontheir own, but the ADFS serverwill also need to do IPSec to reach the DCs on the other side.