I have two AD forests with two-way trust (selective authentication): prod.com and clients.com.
Schemas in both forests were updated to Windows 2019 by adprep.
There are ADFS and WAP servers with Windows 2019 in prod.com. (Upgraded from Windows 2012 R2 farm by https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server)
ADFS configured as:
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests prod.com,clients.com.
Permission "Allowed to authenticated" on ADFS.prod.com was granted for all users from clients.com.
When ExtranetLockout is enabled on ADFS, users from clients.com can't sign in using the CLIENTS\username format, but can sign in as email@example.com.
Users receive errors 1210 and 516 in the Security logs:
Bad Password Count:
Last Bad Password Attempt: 1/1/0001 12:00:00 AM
It seems that ADFS can't find user clients\user1 or his attributes badPwdCount and badPasswordTime.
When ExtranetLockout is disabled, users from clients.com can sign in as CLIENTS\username and also as firstname.lastname@example.org.
Users from prod.com can always sign in either way, regardless of the ExtranetLockout setting.
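An added diagnostic for the situation above (not part of the original post): it reads the badPwdCount and badPasswordTime attributes that AD FS extranet lockout evaluates, from the PDC emulator of each lookup forest, for one user resolved both by sAMAccountName and by the AlternateLoginID attribute (mail). It assumes the RSAT ActiveDirectory module, network reach to both PDC emulators, and a running account that the selective-authentication trust allows to read user attributes in clients.com; the user name and mail value are constructed samples.

```powershell
# Added diagnostic, not from the original post. Assumes RSAT ActiveDirectory module
# and an account permitted to read user objects in both forests.
Import-Module ActiveDirectory

$LookupForests  = @('prod.com', 'clients.com')  # forests given to -LookupForests on the page
$SamAccountName = 'user1'                        # constructed sample user
$Mail           = 'user1@clients.com'            # constructed AlternateLoginID (mail) value

foreach ($forest in $LookupForests) {
    # Extranet lockout reads the bad-password counters from the PDC emulator of the
    # user's domain, so query that DC directly rather than whichever DC the locator picks.
    $pdc = (Get-ADDomain -Server $forest).PDCEmulator
    Write-Host "== $forest (PDC emulator: $pdc) =="

    # Resolve the same user the two ways AD FS can: DOMAIN\username (sAMAccountName)
    # and the AlternateLoginID attribute (mail).
    $bySam  = Get-ADUser -Server $pdc -Filter "sAMAccountName -eq '$SamAccountName'" `
                         -Properties badPwdCount, badPasswordTime -ErrorAction SilentlyContinue
    $byMail = Get-ADUser -Server $pdc -Filter "mail -eq '$Mail'" `
                         -Properties badPwdCount, badPasswordTime -ErrorAction SilentlyContinue

    foreach ($entry in @(@{ Via = 'sAMAccountName'; User = $bySam }, @{ Via = 'mail'; User = $byMail })) {
        $u = $entry.User
        if ($null -eq $u) {
            # No object returned from this forest's PDC for this lookup format.
            Write-Host ("  via {0,-15}: not found" -f $entry.Via)
            continue
        }
        # badPasswordTime is a FILETIME; 0 means no bad attempt has been recorded on this DC.
        $lastBad = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) } else { 'never' }
        Write-Host ("  via {0,-15}: {1}  badPwdCount={2}  lastBadPassword={3}" -f `
                    $entry.Via, $u.DistinguishedName, $u.badPwdCount, $lastBad)
    }
}

# Current extranet lockout configuration of the farm (run this part on an AD FS server).
Get-AdfsProperties |
    Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow, ExtranetLockoutMode
```

A "not found" result under sAMAccountName for clients.com, while the mail lookup succeeds, narrows the problem to how the CLIENTS\username form is resolved against that forest's PDC rather than to the lockout thresholds themselves.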