Hello, guys.
In Azure I have several domains, two of them with federated status, like
domain1.com
domain2.com
On premises I have one domain, domain1.com, with an alternative UPN suffix domain2.com, but all users have their primary UPN set to domain1.com.
Azure AD Connect sends users to Azure with their main UPN, like
user1@domain1.com
user2@domain1.com etc.
So, when I try to log in on office.com with the login user1@domain1.com, it works well: it sends me to the on-premises AD FS and all is good.
But when I try to log in with the alternative UPN, user1@domain2.com, the cloud (office.com) validates this login, but AD FS says:
Incorrect user ID or password. Type the correct user ID and password, and try again.
In the AD FS logs the following exceptions appear:
Event ID 342
Token validation failed.
Additional Data
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Error message:
user1@domain2.com-The user name or password is incorrect
then
Warning, Event ID 1000
An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.
and
Event ID 364
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
urn:federation:MicrosoftOnline
Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: user1@domain2.com-The user name or password is incorrect ---> System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain2.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
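The event 342 text ends in a Win32Exception, i.e. the Windows logon behind AD FS's UserName endpoint rejected the credential, not a federation or token-signing problem. A UPN-format logon name is matched against the userPrincipalName attribute, so a check worth running before touching any federation settings is whether user1@domain2.com is actually a UPN of any account, and whether AD FS has an alternate login ID configured. The script below is an added diagnostic example, not code from the post; it assumes the RSAT ActiveDirectory module on a domain-joined machine, the ADFS module for the last part (run on the AD FS server), the default claims provider trust name "Active Directory", and the sample UPNs from the post.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module, the ADFS module (AD FS server only), and the UPNs used in the post.
Import-Module ActiveDirectory
Import-Module ADFS   # assumption: this part runs on the AD FS server

$primaryUpn   = 'user1@domain1.com'   # the UPN Azure AD Connect synced
$alternateUpn = 'user1@domain2.com'   # the login that fails at AD FS

# 1. Confirm domain2.com is registered as a UPN suffix in the forest.
$forest = Get-ADForest
"UPN suffixes in forest {0}: {1}" -f $forest.Name, ($forest.UPNSuffixes -join ', ')

# 2. Which of the two logins resolves to an account? The UserName token is
#    validated by a Windows logon, which matches a UPN-style name against
#    userPrincipalName. A name with no match yields exactly the
#    "user name or password is incorrect" Win32 error seen in event 342.
foreach ($upn in $primaryUpn, $alternateUpn) {
    $u = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties mail
    if ($u) {
        "{0} -> sAMAccountName {1}, mail {2}" -f $upn, $u.SamAccountName, $u.mail
    } else {
        "{0} -> no account has this userPrincipalName (explains event 342)" -f $upn
    }
}

# 3. Does AD FS accept an alternate login ID? If AlternateLoginID is empty,
#    only the real UPN (or DOMAIN\sAMAccountName) authenticates at the
#    forms page, regardless of what the cloud side accepted.
$cp = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
"AlternateLoginID: '{0}'; LookupForests: {1}" -f $cp.AlternateLoginID, ($cp.LookupForests -join ', ')
```

If step 2 shows the domain2.com name resolving to nothing while the domain1.com name resolves, the symptoms in the post are fully explained: office.com accepts the login because domain2.com is a federated domain, but AD FS hands the name to AD and AD has no such UPN. The two usual ways out are to change the affected users' UPN suffix in AD to domain2.com (which Azure AD Connect then syncs), or to configure an AD FS alternate login ID on an attribute that holds user1@domain2.com (Set-AdfsClaimsProviderTrust with -AlternateLoginID and -LookupForests); which one fits depends on how the tenant's UPNs are expected to look.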