ADFS [aad connect] cannot authenticate user throught alternative upn

Roman Havryliuk 41 Reputation points
2021-08-25T12:34:39.277+00:00

Hello, guys.
In Azure I have several domains, two of them with federated status, like
domain1.com
domain2.com

On premise i have one domain domain1.com, with alternative upn suffix domain2.com, but all users set primary upn domain1.com

AzureAD connect send users to azure with main upn like
user1@domain1.com
user2@domain1.com etc.

So, when i try to log in on office.com, with login user1@domain1.com it works well, its send me to premise adfs and all good.

But when i try to log in with alternative upn, user1@domain2.com, cloud (office.com) validate this login, but in adfs its says:

Incorrect user ID or password. Type the correct user ID and password, and try again.

In adfs logs appear exceptions:

eventid 342
Token validation failed.

Additional Data

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:
user1@domain2.com-The user name or password is incorrect

then
warning event id 1000

An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.

and
eventid 364

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: user1@domain2.com-The user name or password is incorrect ---> System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain2.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,209 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,822 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Roman Havryliuk 41 Reputation points
    2021-08-25T13:24:46.727+00:00

    Commandlet gives this outoutput

    Get-MsolDomainFederationSettings -DomainName "domain2.com"
    ActiveLogOnUri : https://adfs.domain1.com/adfs/services/trust/2005/usernamemixed
    DefaultInteractiveAuthenticationMethod :
    FederationBrandName : adfs.domain1.com
    IssuerUri : http://domain2.com/adfs/services/trust/
    LogOffUri : https://adfs.domain1.com/adfs/ls/
    MetadataExchangeUri : https://adfs.domain1.com/adfs/services/trust/mex
    NextSigningCertificate :
    OpenIdConnectDiscoveryEndpoint :
    PassiveLogOnUri : https://adfs.domain1.com/adfs/ls/

    0 comments No comments