This article is related to the Exchange Online migration article I recently posted.
The customer involved uses several Windows domains. For this situation, two domains are relevant. The primary domain is connected to Office 365 using an Azure AD Connect server. The second domain is also synchronized to Office 365 using the same AADC server. The organization also uses an ADFS server farm for authentication to several services, including Office 365.
When a user from the secondary domain tries to authenticate, they can only do so by specifying the full samaccountname as the username, including the domain portion of course; otherwise ADFS is unable to locate the user's domain.
Using a UserPrincipalName, authentication for users from the secondary domain fails via ADFS.
A key thing to note here: the UPN suffix in use by the users differs from the internal domain FQDN. When migrating to Exchange Online, you will want the UserPrincipalName to equal the primary SMTP address of the users. In practice, that means custom UPN suffixes are registered in Active Directory and users no longer have the default UPN suffix in place.
Users in the primary domain can authenticate regardless of the UPN suffix used in their UPN.
The solution to this issue is in the domain trust settings.
You will need to enable Name Suffix Routing for the UPN suffixes in use:
- Open Active Directory Domains and Trusts
- Right-click your domain and select Properties
- Open the Trusts tab
- Select the trust involved (Outgoing or Incoming is not relevant)
- Click Properties
- Open the Name Suffix Routing tab
- Select the UPN suffix you want to use for authentication via ADFS
- Click Enable
Voila, problem solved!
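As an added example (not part of the original post or the customer's own scripts), the PowerShell below does the pre-checks a practitioner would want before and after enabling the routing: it lists the UPN suffixes registered in the secondary forest, flags users in the secondary domain whose UPN suffix is not registered or whose UPN does not match their primary SMTP address, and shows the trust from the primary domain's side. The domain names are placeholders, the ActiveDirectory RSAT module is assumed, and the `netdom trust` lines at the end are the command-line equivalent of the Name Suffix Routing tab; the exact argument form for `/NameSuffixes` and `/ToggleSuffix` should be confirmed against `netdom trust /help` on your version.

```powershell
# Added example: pre-checks for UPN-based ADFS sign-in from a trusted secondary domain.
# Assumes the ActiveDirectory module (RSAT) and forest-trust-level access to both domains.
Import-Module ActiveDirectory

$PrimaryDomain   = 'corp.example.local'    # placeholder: domain hosting AADC/ADFS
$SecondaryDomain = 'second.example.local'  # placeholder: trusted secondary domain

# 1. UPN suffixes that are valid in the secondary forest: the explicitly registered
#    suffixes (AD Domains and Trusts > Properties > UPN Suffixes) plus the forest's
#    own domain DNS names, which are always valid.
$secondaryForest = Get-ADForest -Server $SecondaryDomain
$validSuffixes   = @($secondaryForest.UPNSuffixes) + @($secondaryForest.Domains)

# 2. Per user in the secondary domain: is the UPN suffix registered, and does the UPN
#    equal the primary SMTP address (the 'SMTP:' entry in proxyAddresses, uppercase)?
$users = Get-ADUser -Server $SecondaryDomain -Filter 'Enabled -eq $true' `
            -Properties UserPrincipalName, proxyAddresses

$findings = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) { continue }              # no UPN set, nothing to route
    $suffix      = ($u.UserPrincipalName -split '@')[-1]
    $primarySmtp = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                    Select-Object -First 1) -replace '^SMTP:', ''
    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        UPN              = $u.UserPrincipalName
        SuffixRegistered = ($validSuffixes -contains $suffix)          # case-insensitive
        UpnMatchesSmtp   = [bool]($primarySmtp -and ($primarySmtp -ieq $u.UserPrincipalName))
    }
}

# Only the problem cases: unregistered suffix (ADFS cannot route the logon) or a UPN that
# will not line up with the Exchange Online mailbox address after migration.
$findings | Where-Object { -not $_.SuffixRegistered -or -not $_.UpnMatchesSmtp } |
    Sort-Object UPN | Format-Table -AutoSize

# 3. The trust as seen from the primary domain (the side where the GUI steps are done).
Get-ADTrust -Server $PrimaryDomain -Filter * |
    Select-Object Name, Direction, ForestTransitive, TrustType | Format-Table -AutoSize

# 4. Name suffix routing has no ActiveDirectory-module cmdlet; netdom exposes the same
#    list the Name Suffix Routing tab shows. Assumed argument form, verify with
#    'netdom trust /help' before running:
#   netdom trust $PrimaryDomain /domain:$SecondaryDomain /NameSuffixes:$SecondaryDomain
#    ...and a suffix is enabled/disabled by its index in that listing:
#   netdom trust $PrimaryDomain /domain:$SecondaryDomain /ToggleSuffix:<index>
```

Run the script from a management host in the primary domain with credentials that can read both forests. An empty findings table plus the suffix showing as enabled in the routing list is the state in which UPN sign-in through ADFS should work for the secondary-domain users; a user that still appears with `SuffixRegistered` false will not be routed no matter what the trust says, because the suffix has to be registered in the secondary forest first.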