How To ADFS Alternate Login ID

As mentioned earlier, Windows Server 2012 R2 brings ADFS version 3.0. Now let's take a closer look at the steps needed to activate Alternate Login ID with Active Directory Federation Services.

The Alternate Login ID feature came with Update 1 to Windows Server 2012 R2, so you'll need to install each update in the right order or install every update from Windows Update Services.

Source: Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Source: Windows Server 2012 R2 Update (KB2919355)

The Updates need to be installed in the right order, so here it is:


But if you haven't installed them on your 2012 R2 server, you might not have the prerequisite for this update: KB2919442.

After installing Server 2012 R2, ADFS 3.0 and all the updates above, we can configure the Alternate Login ID with PowerShell.

Open PowerShell on your ADFS server and you should have the PowerShell cmdlets for ADFS.

Command: Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID <attribute> -LookupForests <forestname>,<forestname>

Example: Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests


Commonly we would like to use the user's email address, because they ain't familiar with their User Principal Name and they are bound to use credentials when they ain't using a domain-joined device, for example a home computer, iPad, Surface RT or smartphone. It will also fall back to Active Federation when using applications not supporting Passive Federation.

Anyway, the Alternate Login ID must be in the format of an email address and that is also a reason to use the mail attribute.

LookupForests takes the forest name. These days forest names are often publicly routable domains, but we still often see .local domains.
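The steps above can be wrapped in a pre-flight check, shown here as an added example rather than code from the original post. It assumes the ActiveDirectory (RSAT) module is available on the ADFS server and uses `contoso.com` as a placeholder forest name. It also relies on the AD FS requirement that the chosen attribute value be unique across all lookup forests.

```powershell
# Added example: pre-flight checks, then enable Alternate Login ID and verify.
# Assumptions: run elevated on the primary ADFS server; the ActiveDirectory
# (RSAT) module is installed; 'contoso.com' is a placeholder forest name.
param(
    [string]   $Attribute     = 'mail',
    [string[]] $LookupForests = @('contoso.com')   # placeholder value
)

Import-Module ADFS, ActiveDirectory -ErrorAction Stop

# 1. The feature ships with Windows Server 2012 R2 Update (KB2919355).
if (-not (Get-HotFix -Id 'KB2919355' -ErrorAction SilentlyContinue)) {
    throw 'KB2919355 is missing; install it (and its prerequisite KB2919442) first.'
}

# 2. Read every populated value of the attribute from each forest's global
#    catalog (port 3268). An empty SearchBase searches all partitions.
$users = foreach ($forest in $LookupForests) {
    Get-ADUser -LDAPFilter "($Attribute=*)" -Properties $Attribute `
               -SearchBase '' -Server "${forest}:3268"
}

# 3. The login ID must look like an email address and must be unique.
$malformed  = @($users | Where-Object { $_.$Attribute -notmatch '^[^@\s]+@[^@\s]+$' })
$duplicates = @($users | Group-Object -Property $Attribute | Where-Object Count -gt 1)

if ($malformed.Count -gt 0) {
    Write-Warning "$($malformed.Count) account(s) have a $Attribute value not in email format:"
    $malformed | Select-Object SamAccountName, $Attribute | Format-Table -AutoSize
}
if ($duplicates.Count -gt 0) {
    $duplicates | ForEach-Object {
        Write-Warning "Duplicate '$($_.Name)': $($_.Group.DistinguishedName -join '; ')"
    }
    throw 'Resolve the duplicate values before enabling Alternate Login ID.'
}

# 4. Apply the setting on the built-in Active Directory claims provider trust.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID $Attribute -LookupForests $LookupForests

# 5. Read the setting back to confirm what is now configured.
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests
```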


I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.
