SharePoint
Feedback by UserVoice

I suggest you ....

← SharePoint Administration

Multilogon accounts

Provide support for multilogon accounts. Currently i:0#.w|domain\jdoe logging in with windows authentication is not the same as i:60.t|adfs|jdoe@domain.com. I need to be able to connect those accounts to ease out hybridisation.

10 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Piotr Siódmak shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

3 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Piotr Siódmak commented  ·   ·  Flag as inappropriate

    I just found out there's a concept of logon and resource domains. It would be great if I could set the local AD as both logon and resource domain and ADFS as a logon domain, so that the user who logs on with ADFS is still i:0#.w|domain\user instead of i:60.t|adfs|user@domain

    http://blogs.msdn.com/b/sambetts/archive/2015/04/29/sharepoint-logon-amp-resource-ad-connections.aspx - something exactli like that, but with ADFS. Maybe allow me to pass msDS-SourceObjectDN as a claim and treat it as the Master Account.

  • Piotr Siódmak commented  ·   ·  Flag as inappropriate

    The main scenario is that we want to implement ADFS, but also leave windows auth because some older solutions are not yet ready to move to SAML Authentication ("i:0#.w" is hardcoded and some query the UserInfo list directly, so having two profiles with the same email, name or SID will confuse them). I want the users to be able to log in with ADFS (O365 credentials), but sites which are not ready for it will show "you have to log in through here [URL] to use this feature".

    In that scenario I want domain\jdoe logged in through windows auth and jdoe@domain.com logged in through ADFS to be the same identity - same permissions, same mysite and same UserProfile object from User Profile Service to avoid confusion related to having two methods of entry to the system.

    Also it would be helpful in test environment scenario - where devs are forced to have a separate AD to install ADFS 3.0 - in that case I want test36\jdoe to be the same identity as company\jdoe without two way sync and with different SIDs so that when I restore a site from production to test all permissions are retained and testable.

    Thanks

  • Neil Hodgkinson [Sr. Program Manager, Microsoft] commented  ·   ·  Flag as inappropriate

    Piotr. Can you share a little more on your scenario. We have some key requirements for user rehydration in hybrid scenarios, mainly that the upn of the user should match. This should be the case if the source account domain is the same unless you are doing some claim remapping.

SharePoint Administration: Security

Categories

Feedback and Knowledge Base

(thinking…)


SharePoint Tech Community

UserVoice Terms of Service & Privacy Policy