ADFS Authentication multiple forests

Question

I'm trying to get my head around the exact Authentication flow for multi-forest ADFS with Office 365. I'm familiar with the standard ADFS auth flow, it's just the nuance of how ADFS authenticates a user via a forest trust that I'm after clarity on.

Scenario:

2 forests, forest A has ADFS and AAD Sync deployed and has a transitive forest trust with forest B.

When a user from forest B authenticates, does ADFS authenticate directly with a forest B DC by way of a Kerberos referral or does it go via a DC in forest A which authenticates the remote forest B user on it's behalf?

As a result of this then, does ADFS need any connectivity to the Forest B DC's?

Thanks,

David

Answer 1

Hi David,

After consulting, ADFS server “goes via DC in forest A”, and then authenticate the user on forest B DC, through the trust.

ADFS does not need the connectivity to forest B DC.

Upon researching, no official article has clarified the multiple-forest ADFS authentication flow very deeply. As this is strictly related to on-premise ADFS configurations, I suggest you also post at our ADFS forum: social.technet.microsoft.com/.../home. They are more proficient at on-premise ADFS settings.

Thanks for your understanding and efforts.

Thanks,

Young

Answer 2

So as it happens this turned out to be wrong. I decided to build a lab to test, see my blog here.

davidsampson10.wordpress.com/.../

Answer 3

Thanks Young that is very helpful!

Answer 4

interesting post and helpful blog, I'd like to get further info for this scenario,

thank you David