How To ADFS Alternate Login ID

As mentioned earlier, Windows Server 2012 R2 ships with ADFS version 3.0. Now let's take a closer look at the steps needed to activate Alternate Login ID in Active Directory Federation Services.

The Alternate Login ID feature arrived with Update 1 for Windows Server 2012 R2, so you will need to install each update in the right order, or install every update through Windows Update Services.

Source: Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Source: Windows Server 2012 R2 Update (KB2919355)

The Updates need to be installed in the right order, so here it is:

Clearcompressionflag.exe
KB2919355
KB2932046
KB2959977
KB2937592
KB2938439
KB2934018

If you haven’t installed them on your 2012 R2 server, you may also be missing the prerequisite for this update: KB2919442.

After installing Windows Server 2012 R2, ADFS 3.0 and all the updates above, we can configure the Alternate Login ID with PowerShell.

Open PowerShell on your ADFS server; the ADFS PowerShell cmdlets should be available there.

Command: Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID <attribute> -LookupForests <forestname>,<forestname>

Example: Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests knowledgefactory.com


Commonly we want to use the user's e-mail address, because users aren’t familiar with their User Principal Name, and they have to type credentials whenever they aren’t on a domain-joined device, for example a home computer, iPad, Surface RT or smartphone. It also applies when falling back to active federation for applications that don’t support passive federation.

In any case, the Alternate Login ID must be in the format of an e-mail address, which is another reason to use the mail attribute.

LookupForests takes the forest name(s). These days forest names are often publicly routable domains, but we still frequently see .local domains.
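Putting the steps above together, here is an added example script (not from the original post) that checks the prerequisite hotfixes, verifies that the chosen attribute is e-mail shaped and unique in each lookup forest (a duplicated or empty value means that user cannot be resolved at sign-in), applies the setting, and reads it back. It assumes the ADFS and ActiveDirectory modules are installed on the ADFS server; the attribute and forest names are the constructed values from the post's example.

```powershell
# Added example, not the post's own code. Assumes the ADFS and ActiveDirectory
# modules are present; $Attribute and $Forests are the post's example values.
param(
    [string]   $Attribute = 'mail',
    [string[]] $Forests   = @('knowledgefactory.com')
)

Import-Module ADFS
Import-Module ActiveDirectory

# 1. The hotfixes the post lists must be present, plus the KB2919442 prerequisite.
$requiredKbs = 'KB2919442','KB2919355','KB2932046','KB2959977',
               'KB2937592','KB2938439','KB2934018'
$installed = (Get-HotFix).HotFixID
$missing   = $requiredKbs | Where-Object { $installed -notcontains $_ }
if ($missing) {
    throw "Missing prerequisite updates: $($missing -join ', ')"
}

# 2. Alternate Login ID values must look like e-mail addresses and be unique
#    within each lookup forest, otherwise the lookup is ambiguous and fails.
foreach ($forest in $Forests) {
    # Query the global catalog (port 3268) so every domain in the forest is covered.
    $users = Get-ADUser -Server "${forest}:3268" -Filter "$Attribute -like '*'" -Properties $Attribute
    $bad   = $users | Where-Object { $_.$Attribute -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$' }
    if ($bad) {
        Write-Warning "$($bad.Count) user(s) in $forest have a non e-mail $Attribute value"
    }
    $dupes = $users | Group-Object -Property $Attribute | Where-Object { $_.Count -gt 1 }
    if ($dupes) {
        throw "Duplicate $Attribute values in ${forest}: $($dupes.Name -join ', ')"
    }
}

# 3. Apply the setting exactly as the post shows, then read it back to confirm.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID $Attribute -LookupForests $Forests
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests
```

Run it from an elevated PowerShell session on the ADFS server; the final Select-Object output should show the attribute and forest list you passed in.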
