ADFS 3 - Cross Forest Sec Group Membership Claim

Question

Hi there,

I'm hoping someone can help me with this and that I'm in the right place.

For a number of reasons we have the following setup.

General Office Domain:
This domain contains our standard user objects; these users are what we want to authenticate to ADFS with.

Division Domain:
This domain is for a specific division and is where we want to control ADFS access through the use of security group membership.

The ADFS server is set up in the Division Domain.

Currently there is a two-way forest trust between the two domains.

A computer client joined to the General Office Domain and logged in with a user also in the General Office Domain can successfully authenticate to the ADFS server in the Division Domain; this is all fine.

What I would like to do, and what I'm having issues with, is the following...

We have a number of security groups in the Division Domain, and we have made users from the General Office Domain members of these groups.

In ADFS I would like to query the group membership in the Division Domain of the incoming claim type windowsaccountname. I think this is failing because the General Office Domain user object that is a member of a group in the Division Domain is actually a placeholder and not the actual user object. When ADFS is checking for group membership of the windowsaccountname, it's not finding the user as a member of the groups in the Division Domain.

How would I get ADFS to retrieve/match group membership information of a user object (from a different forest) that has been made a member of a group?

I can see that on the placeholder object that is a member of the group there is the objectSID attribute, which ties it back to the actual user object in the General Office Domain, but I've no idea if it's possible to get ADFS to match this or not.

I hope this makes sense to people.

Monday, May 16, 2016 11:24 AM
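The placeholder the poster describes is a foreignSecurityPrincipal (FSP) object in the Division Domain whose objectSid is the SID of the real account in the General Office forest. The following PowerShell is an added diagnostic, not code from the original post or from Microsoft: it enumerates a Division Domain group, translates each FSP's SID back to the DOMAIN\username form that ADFS carries in windowsaccountname, and checks whether a given account value is effectively a member. It assumes the RSAT ActiveDirectory module is installed, that the machine running it can reach a DC in the Division Domain and resolve names across the trust, and that the group name, domain name and account value below are placeholders to be replaced.

```powershell
# Added diagnostic (not from the original post). Assumes the RSAT
# ActiveDirectory module and a working two-way forest trust. All names
# below are placeholders.
Import-Module ActiveDirectory

$GroupName      = 'ADFS-App-Users'        # placeholder: a Division Domain group
$DivisionDomain = 'division.example.com'  # placeholder: Division Domain DNS name

# Read the raw member DNs rather than using Get-ADGroupMember, which tries to
# resolve every member itself and can fail on foreign security principals.
$group = Get-ADGroup -Identity $GroupName -Server $DivisionDomain -Properties member

$report = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Server $DivisionDomain -Properties objectSid, objectClass

    if ($obj.objectClass -eq 'foreignSecurityPrincipal') {
        # The FSP is only a placeholder; its objectSid is the SID of the real
        # account in the trusted (General Office) forest. Translate it back to
        # DOMAIN\username, the form ADFS puts in windowsaccountname.
        $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Trust path or name resolution not working, or the account was deleted
            $account = "<unresolved: $($sid.Value)>"
        }
        [pscustomobject]@{
            Member   = $account
            Kind     = 'foreignSecurityPrincipal'
            Sid      = $sid.Value
            MemberDN = $dn
        }
    } else {
        [pscustomobject]@{
            Member   = $obj.Name
            Kind     = $obj.objectClass
            Sid      = ([System.Security.Principal.SecurityIdentifier]$obj.objectSid).Value
            MemberDN = $dn
        }
    }
}

$report | Format-Table -AutoSize

# Compare an incoming windowsaccountname value (placeholder) with the resolved
# members. This is the match the poster is asking ADFS to make.
$windowsAccountName = 'GENERALOFFICE\jsmith'   # placeholder
if ($report.Member -contains $windowsAccountName) {
    "$windowsAccountName resolves to a member of $GroupName via its FSP placeholder"
} else {
    "$windowsAccountName is not a resolvable member of $GroupName"
}
```

Any member that shows up as `<unresolved: S-1-5-21-...>` points at a trust or DNS problem between the two forests rather than at ADFS, so run this from the ADFS server itself to confirm the SID-to-name path works from where the claim rules are evaluated.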