This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 71%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
Hello, guys.
In Azure I have several domains, two of them with federated status, like
domain1.com
domain2.com
On premise i have one domain domain1.com, with alternative upn suffix domain2.com, but all users set primary upn domain1.com
AzureAD connect send users to azure with main upn like
user1@domain1.com
user2@domain1.com etc.
So, when i try to log in on office.com, with login user1@domain1.com it works well, its send me to premise adfs and all good.
But when i try to log in with alternative upn, user1@domain2.com, cloud (office.com) validate this login, but in adfs its says:
Incorrect user ID or password. Type the correct user ID and password, and try again.
In adfs logs appear exceptions:
eventid 342
Token validation failed.
Additional Data
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:
user1@domain2.com-The user name or password is incorrect
then
warning event id 1000
An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.
and
eventid 364
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
urn:federation:MicrosoftOnline
Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: user1@domain2.com-The user name or password is incorrect ---> System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain2.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
So after some investigation, found that on dc appear new event:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: user1@domain2.com
Supplied Realm Name: domain1.com
User ID: NULL SID
Service Information:
Service Name: krbtgt/domain1.com
Service ID: NULL SID
Network Information:
Client Address: ::ffff:10.10.10.10
Client Port: 62268
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xFFFFFFFF
Pre-Authentication Type: -
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
Commandlet gives this outoutput
Get-MsolDomainFederationSettings -DomainName "domain2.com"
ActiveLogOnUri : https://adfs.domain1.com/adfs/services/trust/2005/usernamemixed
DefaultInteractiveAuthenticationMethod :
FederationBrandName : adfs.domain1.com
IssuerUri : http://domain2.com/adfs/services/trust/
LogOffUri : https://adfs.domain1.com/adfs/ls/
MetadataExchangeUri : https://adfs.domain1.com/adfs/services/trust/mex
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://adfs.domain1.com/adfs/ls/