
We have an ADFS test environment set up, but we are running into issues with login prompts. If we browse to ADFS from Domain A we get a token successfully from ADFS, however when we browse from Domain B we are getting prompted for credentials.

Domain A trusts Domain B but Domain B does not trust Domain A.

The weird thing is, if we replace the full domain name with the server's IP address we can successfully get through from both domains. I feel like this should be a really simple solution, but we're stumped.

Brent Pabst
ncaudill

1 Answer


Is Domain B in the Intranet zone? If not, it won't automatically log in. Check your site-to-zone assignment policies.

Check this out: How can I disable the security warning when launching shortcuts stored in the user's profile stored on the server?

Brent Pabst
  • The site is in the Intranet Zone for all computers. – ncaudill Jun 04 '12 at 14:50
  • What domain is the user and computer located in when accessing Domain B? Since it works via IP double check your ADFS config, your relying parties may be wrong. – Brent Pabst Jun 04 '12 at 14:53
  • The site is sitting in Domain A. When coming from Domain B is where the problem occurs. The user and computer are both located in Domain B. The relying party appears to be correct. – ncaudill Jun 04 '12 at 14:55
  • I don't know anything about ADFS but I thought I'd ask anyway seeing as a Domain Trust is involved: What is the NetBIOS and FQDN names of both domains? What UPN suffixes are in use on each side? Could this be a UPN routing issue? – joeqwerty Jun 04 '12 at 16:08
  • @joeqwerty yea, I'm thinking along the same lines. Appears to be a trust related issue either at the DC level or Federation level. Not exactly sure why the IP works though, so UPN could be about right. – Brent Pabst Jun 04 '12 at 16:19
  • These suggestions aren’t applicable because we’re not using a forest trust. We’re using an external trust, so the UPN used is the destination domain. – ncaudill Jun 04 '12 at 19:46
  • @ncaudill I'm not sure how much more help I'm going to be with this. ADFS is hard to troubleshoot without having additional error logs, event logs and the actual ADFS config, which I'm sure you don't want to post online. – Brent Pabst Jun 04 '12 at 20:01
  • Yeah they're not going to let me do that. Thanks for the suggestions, we'll keep looking. – ncaudill Jun 04 '12 at 20:38
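The answer's suggestion is to check which zone the client puts the ADFS host in, since Integrated Windows Authentication only happens automatically for hosts the browser treats as Local intranet. The following PowerShell script is an added example, not code from the thread or from either participant: run on a Domain B client, it reads the registry keys that Internet Options and the "Site to Zone Assignment List" GPO write, reports the explicit zone mapping (if any) for the federation service name and for its IP address, and shows the automatic-intranet flags and the per-zone logon setting (value `1A00`). The host name `adfs.domaina.local` and the address `10.0.0.5` are assumed placeholders; substitute the real values.

```powershell
# Added example (not from the original thread): audit how a Windows client
# zones an ADFS host. Host name and IP below are assumptions for illustration.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet'; 4 = 'Restricted sites' }

# Policy hives first (they override the per-user / per-machine settings).
$SettingRoots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-ZoneMapEntries {
    # Emits every explicit host/IP -> zone mapping as Pattern / Zone / Source.
    foreach ($root in $SettingRoots) {
        $zmk = Join-Path $root 'ZoneMapKey'        # GPO "Site to Zone Assignment List"
        if (Test-Path $zmk) {
            $k = Get-Item $zmk
            foreach ($n in $k.GetValueNames()) {
                [pscustomobject]@{ Pattern = $n; Zone = [int]$k.GetValue($n); Source = $zmk }
            }
        }
        $dom = Join-Path $root 'ZoneMap\Domains'   # Internet Options "Sites" dialog
        if (Test-Path $dom) {
            foreach ($d in Get-ChildItem $dom) {
                foreach ($n in $d.GetValueNames()) {          # values on the domain key: whole domain
                    [pscustomobject]@{ Pattern = "${n}://*.$($d.PSChildName)"
                                       Zone = [int]$d.GetValue($n); Source = $d.PSPath }
                }
                foreach ($h in Get-ChildItem $d.PSPath) {     # subkeys: single hosts in that domain
                    foreach ($n in $h.GetValueNames()) {
                        [pscustomobject]@{ Pattern = "${n}://$($h.PSChildName).$($d.PSChildName)"
                                           Zone = [int]$h.GetValue($n); Source = $h.PSPath }
                    }
                }
            }
        }
        $rng = Join-Path $root 'ZoneMap\Ranges'    # IP address entries (":Range" value)
        if (Test-Path $rng) {
            foreach ($r in Get-ChildItem $rng) {
                $addr = $r.GetValue(':Range')
                foreach ($n in ($r.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
                    [pscustomobject]@{ Pattern = "${n}://$addr"; Zone = [int]$r.GetValue($n); Source = $r.PSPath }
                }
            }
        }
    }
}

function Resolve-Zone {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    # First matching explicit entry wins; policy hives are searched first.
    $url = "${Scheme}://$HostName"
    foreach ($e in Get-ZoneMapEntries) {
        if ($url -like $e.Pattern -or $HostName -like $e.Pattern) {
            return [pscustomobject]@{ Url = $url; Zone = $e.Zone; ZoneName = $ZoneNames[$e.Zone]; Via = $e.Pattern }
        }
    }
    # No explicit mapping: only the automatic intranet rules (flags below) can still apply.
    [pscustomobject]@{ Url = $url; Zone = $null; ZoneName = '(no explicit mapping)'
                       Via = $(if ($HostName -notmatch '\.') { 'dotless name, see IntranetName flag' }
                               else { 'dotted name / IP, see ProxyBypass flag' }) }
}

function Get-LogonSetting {
    param([Parameter(Mandatory)][int]$Zone)
    # Value 1A00 under Zones\<n>: 0 = automatic logon, 0x10000 = prompt,
    # 0x20000 = automatic logon only in Intranet zone, 0x30000 = anonymous.
    $meaning = @{ 0 = 'automatic logon'; 0x10000 = 'prompt for credentials'
                  0x20000 = 'automatic logon only in Intranet zone'; 0x30000 = 'anonymous' }
    foreach ($root in $SettingRoots) {
        $p = Join-Path $root "Zones\$Zone"
        if (Test-Path $p) {
            $v = (Get-ItemProperty $p).'1A00'
            if ($null -ne $v) {
                return [pscustomobject]@{ Zone = $Zone; ZoneName = $ZoneNames[$Zone]
                                          Value = ('0x{0:X}' -f [int]$v); Meaning = $meaning[[int]$v]; Source = $p }
            }
        }
    }
}

# Constructed inputs (assumptions): the federation service FQDN and its IP address.
'Zone mapping for the ADFS host, by name and by IP:'
foreach ($h in 'adfs.domaina.local', '10.0.0.5') { Resolve-Zone -HostName $h } | Format-Table -AutoSize

'Automatic intranet rules (ZoneMap flags; 1 = enabled):'
foreach ($root in $SettingRoots) {
    $zm = Get-ItemProperty (Join-Path $root 'ZoneMap') -ErrorAction SilentlyContinue
    if ($zm) { [pscustomobject]@{ Source = $root; IntranetName = $zm.IntranetName
                                  ProxyBypass = $zm.ProxyBypass; UNCAsIntranet = $zm.UNCAsIntranet } }
} | Format-Table -AutoSize

'Logon behaviour per zone (value 1A00):'
0..4 | ForEach-Object { Get-LogonSetting -Zone $_ } | Format-Table -AutoSize
```

The script only reimplements the explicit-mapping part of zone resolution and prints the automatic rules for you to interpret; the authoritative answer for a given URL is still what Internet Options shows for that site. Running it on a Domain B machine with the name and the IP side by side shows whether the two forms land in different zones, which is the first thing to rule out before moving on to the trust or federation configuration the comments discuss.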