Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

How many servers do I need?

Last post 07-03-2008, 5:25 PM by joe. 21 replies.
  •  07-02-2008, 9:26 AM 4085 in reply to 4084

    Re: How many servers do I need?

    A few points here:

    • The normal account store boundary for an Active Directory store in ADFS is the forest, not the domain.  If you have a bunch of single-domain forests, then this might amount to the same thing, but I didn't want the terminology to get messed up here.  1 ADFS server -> 1 AD forest.
    • If a user can successfully log in to the FS directly, they should also be able to log in to the proxy for the same FS.  The FS-P is just a proxy for the FS.

    I'm still not clear on the gotchas associated with an FS authenticating AD users from a trusted forest of the account store for the FS.

  •  07-02-2008, 3:04 PM 4089 in reply to 4085

    Re: How many servers do I need?

    As a quick test, not sure if this gives you what you want, I went to the external FS server and logged in as an internal user.  I see the internal domains in the domain drop down.  So I assume IWA to that box would work just fine.

    All these domains are separate forests with trusts, so like you said this might amount to the same thing as one forest and many domains.

    I pointed the internal user/computer to the FS instead of the FSP for the external domain.  It worked as you said, I can get automatically logged in as an internal user directly to the external FS with IWA.

    However, when this internal user is coming from the internet from home and wants to log in, they'll need to log in to the proxy FBA page.  It seems that out of the box ADFS doesn't support this.  Interestingly, I can log in with just username, or username@domain, but only for external users.  The username@domain syntax doesn't work for the internal domains on the proxy, while IWA does work for internal users.

    I am guessing that it will take some custom code on the ext FSP login page to get it to work, but I have no idea where to start at this point.  If this can work, it would be a huge cost savings for the organization.

  •  07-02-2008, 8:14 PM 4092 in reply to 4089

    Re: How many servers do I need?

    I'm confused by your first statement.  When you saw the home realm discovery page with the list of federation servers, did you select the external FS or the internal FS?  The fact that you have ADFS servers for each forest confuses the scenario a bit.  It would probably be better if you disabled the partner federation servers and made sure that there was just one involved here.

    The FSP *should* be able to log in a user from a trusted forest using their UPN as the account name format.  The fact that it cannot is a little weird and makes me wonder what else is wrong.  Checking the logs on the FS during this transaction might provide some useful info.

  •  07-03-2008, 8:14 AM 4094 in reply to 4092

    Re: How many servers do I need?

    OK, I'll try to clarify.  I have an internal domain user logged into their internal domain computer.

    The web server (resource) they are contacting is in the external domain.

    Normally this user would have to log in via the internal proxy's FBA page (their domain's respective FSP), but I pointed their HOSTS file to go directly to the External FS (instead of the Ext Proxy, same DNS name, different IP) and it allowed them to log in automatically via IWA.

    The user never saw the discovery page; IWA was automatic (besides the few trusted-site click-throughs I did).

    So IWA works for the internal domains on the external FS, but internal users don't seem to be able to log in to the FBA on the proxy server.  Perhaps I have disabled something and it broke that ability.

    Out of the box, should users have to use a UPN to log in to the proxy?  Perhaps that is what I changed; my users can just use their login name without the domain to log in.

    I will turn off the other FS servers and see what happens.

  •  07-03-2008, 8:49 AM 4097 in reply to 4094

    Re: How many servers do I need?

    OK, it failed, which means you were right if you were thinking it was just hopping in the background back to its own FS to log in.

    When I pointed them back to the proxy they still couldn't log in with their UPN.

  •  07-03-2008, 9:03 AM 4098 in reply to 4097

    Re: How many servers do I need?

    Here is my log, from the external FS server:

    2008-07-03T13:23:50 [INFO] Processing HTTP POST: https://www.ext-fs.com/adfs/fs/FederationServerService.asmx
    2008-07-03T13:23:50 [VERBOSE] Received message that is not SignIn Request or Response.
    2008-07-03T13:23:50 [INFO] InternalRST: target = https://www.extweb.com/, credtype = urn:oasis:names:tc:SAML:1.0:am:password, userhint = nate@int, store =
    2008-07-03T13:23:50 [INFO] GetClaimsFromSids called: target: https://www.extweb.com/; userSamName: INT\nate; sid: S-1-5-21-3970966020-274016848-2548625528-1105
    2008-07-03T13:23:50 [VERBOSE] GetClaimsFromSids: received group sids:
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-21-3970966020-274016848-2548625528-513
    2008-07-03T13:23:50 [VERBOSE]      S-1-1-0
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-21-62673804-201390620-4154673635-1008
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-32-545
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-2
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-11
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-15
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-5-0-4293370
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-21-3970966020-274016848-2548625528-1112
    2008-07-03T13:23:50 [VERBOSE]      S-1-5-64-10
    2008-07-03T13:23:50 [INFO] GetClaimsForUserNameWorker (LDAP): called for user INT\nate
    2008-07-03T13:23:50 [VERBOSE] GetClaimsForUserNameWorker: Using DNS domain intdom.com for Netbios domain INT for user INT\nate/nate
    2008-07-03T13:23:50 [VERBOSE] GetClaimsForUserNameWorker (LDAP): Got COMException 18446744071562534944: An operations error occurred. (Exception from HRESULT: 0x80072020)
    2008-07-03T13:23:50 [INFO] AccountStoreCollection.InternalGetClaimsForUser: User nate@int logon handled authoritatively with LdapFailed by selected store urn:federation:activedirectory
    2008-07-03T13:23:57 [INFO] Processing HTTP POST: https://www.ext-fs.com/adfs/fs/FederationServerService.asmx
    2008-07-03T13:23:57 [VERBOSE] Received message that is not SignIn Request or Response.
    2008-07-03T13:23:57 [INFO] InternalRST: target = https://www.extweb.com/, credtype = urn:oasis:names:tc:SAML:1.0:am:password, userhint = nate@intdom.com, store =
    2008-07-03T13:23:57 [INFO] GetClaimsFromSids called: target: https://www.extweb.com/; userSamName: INT\nate; sid: S-1-5-21-3970966020-274016848-2548625528-1105
    2008-07-03T13:23:57 [VERBOSE] GetClaimsFromSids: received group sids:
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-21-3970966020-274016848-2548625528-513
    2008-07-03T13:23:57 [VERBOSE]      S-1-1-0
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-21-62673804-201390620-4154673635-1008
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-32-545
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-2
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-11
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-15
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-5-0-4293451
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-21-3970966020-274016848-2548625528-1112
    2008-07-03T13:23:57 [VERBOSE]      S-1-5-64-10
    2008-07-03T13:23:57 [INFO] GetClaimsForUserNameWorker (LDAP): called for user INT\nate
    2008-07-03T13:23:57 [VERBOSE] GetClaimsForUserNameWorker: Using DNS domain intdom.com for Netbios domain INT for user INT\nate/nate
    2008-07-03T13:23:57 [VERBOSE] GetClaimsForUserNameWorker (LDAP): Got COMException 18446744071562534944: An operations error occurred. (Exception from HRESULT: 0x80072020)
    2008-07-03T13:23:57 [INFO] AccountStoreCollection.InternalGetClaimsForUser: User nate@intdom.com logon handled authoritatively with LdapFailed by selected store urn:federation:activedirectory

    I'm not sure what that COM exception is.

  •  07-03-2008, 5:25 PM 4100 in reply to 4098

    Re: How many servers do I need?

    The operations error is common in cases where an LDAP client attempts to perform an operation without having successfully authenticated.  It happens frequently as a result of a failed negotiate login to the server.  In this case, that could happen if the app pool ID for the fed server isn't a domain identity or in a domain trusted by the LDAP server it is trying to contact.  Normally, ADFS uses Network Service, which in turn is the machine account, so usually this isn't a problem.  I'm a little surprised that the authentication is failing, especially since it is clear that the fed server can resolve the username from nate@intdom.com to int\nate via RPC.

    Getting a network capture of the LDAP traffic would help, as well as seeing what happened at the DC with the authentication.

    If this could be solved though, it looks like the FS might be able to query claims in a foreign forest.  It still remains to be seen whether you'd want to try to do that though.
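The trace posted above and joe's reading of it (SAM name and SIDs resolved via RPC, then the LDAP claims query rejected with an operations error) can be checked mechanically. The following parser is an added example written for this thread, not code from the forum or from ADFS; it reads the trace line formats visible in the post, decodes the decimal COMException value into its HRESULT (the trace prints the 32-bit HRESULT sign-extended to 64 bits), and labels each claims request with the pattern the thread discusses. The field names, the `ClaimsRequest` type and the pattern labels are the example's own, and the sample trace is a trimmed copy of the posted one with the group SID lists shortened.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the external-FS trace posted in the thread
# (group SID lists shortened). Raw string so the backslash in INT\nate survives.
SAMPLE_TRACE = r"""
2008-07-03T13:23:50 [INFO] InternalRST: target = https://www.extweb.com/, credtype = urn:oasis:names:tc:SAML:1.0:am:password, userhint = nate@int, store =
2008-07-03T13:23:50 [INFO] GetClaimsFromSids called: target: https://www.extweb.com/; userSamName: INT\nate; sid: S-1-5-21-3970966020-274016848-2548625528-1105
2008-07-03T13:23:50 [VERBOSE] GetClaimsFromSids: received group sids:
2008-07-03T13:23:50 [VERBOSE]      S-1-5-21-3970966020-274016848-2548625528-513
2008-07-03T13:23:50 [VERBOSE]      S-1-1-0
2008-07-03T13:23:50 [VERBOSE]      S-1-5-32-545
2008-07-03T13:23:50 [INFO] GetClaimsForUserNameWorker (LDAP): called for user INT\nate
2008-07-03T13:23:50 [VERBOSE] GetClaimsForUserNameWorker (LDAP): Got COMException 18446744071562534944: An operations error occurred. (Exception from HRESULT: 0x80072020)
2008-07-03T13:23:50 [INFO] AccountStoreCollection.InternalGetClaimsForUser: User nate@int logon handled authoritatively with LdapFailed by selected store urn:federation:activedirectory
2008-07-03T13:23:57 [INFO] InternalRST: target = https://www.extweb.com/, credtype = urn:oasis:names:tc:SAML:1.0:am:password, userhint = nate@intdom.com, store =
2008-07-03T13:23:57 [INFO] GetClaimsFromSids called: target: https://www.extweb.com/; userSamName: INT\nate; sid: S-1-5-21-3970966020-274016848-2548625528-1105
2008-07-03T13:23:57 [VERBOSE] GetClaimsFromSids: received group sids:
2008-07-03T13:23:57 [VERBOSE]      S-1-5-21-3970966020-274016848-2548625528-513
2008-07-03T13:23:57 [VERBOSE]      S-1-5-2
2008-07-03T13:23:57 [VERBOSE] GetClaimsForUserNameWorker (LDAP): Got COMException 18446744071562534944: An operations error occurred. (Exception from HRESULT: 0x80072020)
2008-07-03T13:23:57 [INFO] AccountStoreCollection.InternalGetClaimsForUser: User nate@intdom.com logon handled authoritatively with LdapFailed by selected store urn:federation:activedirectory
""".strip()

# Line shapes taken from the posted trace; one regex per event we care about.
RST_RE = re.compile(r"^(?P<ts>\S+) \[INFO\] InternalRST: target = (?P<target>[^,]+), "
                    r"credtype = (?P<credtype>[^,]+), userhint = (?P<hint>[^,\s]*), store =")
SAM_RE = re.compile(r"GetClaimsFromSids called: .*userSamName: (?P<sam>[^;]+); sid: (?P<sid>S-[\d-]+)")
GROUP_RE = re.compile(r"\[VERBOSE\]\s+(?P<sid>S-1-[\d-]+)\s*$")
LDAP_RE = re.compile(r"Got COMException (?P<code>\d+): .*HRESULT: (?P<hr>0x[0-9A-Fa-f]+)\)")
OUTCOME_RE = re.compile(r"InternalGetClaimsForUser: User (?P<user>\S+) logon handled authoritatively "
                        r"with (?P<result>\w+) by selected store (?P<store>\S+)")


@dataclass
class ClaimsRequest:                    # example's own type, one per InternalRST
    ts: str
    target: str
    userhint: str
    sam: Optional[str] = None           # set once SID/SAM resolution (the RPC path) succeeded
    sid: Optional[str] = None
    group_sids: List[str] = field(default_factory=list)
    com_code: Optional[int] = None      # decimal value printed by the COMException
    hresult: Optional[int] = None
    result: Optional[str] = None        # e.g. LdapFailed
    store: Optional[str] = None


def parse_trace(text: str) -> List[ClaimsRequest]:
    """Group trace lines into one ClaimsRequest per InternalRST line."""
    requests: List[ClaimsRequest] = []
    cur: Optional[ClaimsRequest] = None
    for line in text.splitlines():
        m = RST_RE.match(line)
        if m:
            cur = ClaimsRequest(m["ts"], m["target"], m["hint"])
            requests.append(cur)
            continue
        if cur is None:
            continue
        if (m := SAM_RE.search(line)):
            cur.sam, cur.sid = m["sam"], m["sid"]
        elif (m := GROUP_RE.search(line)):
            cur.group_sids.append(m["sid"])
        elif (m := LDAP_RE.search(line)):
            cur.com_code, cur.hresult = int(m["code"]), int(m["hr"], 16)
        elif (m := OUTCOME_RE.search(line)):
            cur.result, cur.store = m["result"], m["store"]
    return requests


# Win32 codes recognised in the 0x8007xxxx (FACILITY_WIN32) range.
WIN32_NAMES = {8224: "ERROR_DS_OPERATIONS_ERROR"}   # 0x2020, the LDAP operationsError result


def decode_hresult(com_code: int) -> dict:
    """Recover the HRESULT from the 64-bit unsigned value the trace prints."""
    hr = com_code & 0xFFFFFFFF          # sign-extension only pads the high 32 bits
    win32 = hr & 0xFFFF
    return {"hresult": hr, "failed": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF,
            "win32_code": win32, "name": WIN32_NAMES.get(win32, "unknown")}


def classify(req: ClaimsRequest) -> str:
    """Label the pattern from the thread: name/SID resolution across the trust worked,
    but the LDAP claims query was rejected with an operations error."""
    if req.result == "LdapFailed" and req.sam and req.hresult == 0x80072020:
        return "resolved-but-ldap-operations-error"
    if req.result == "LdapFailed":
        return "ldap-failed"
    return (req.result or "incomplete").lower()


def summarize(text: str) -> List[str]:
    out = []
    for req in parse_trace(text):
        err = decode_hresult(req.com_code)["name"] if req.com_code is not None else "none"
        out.append(f"{req.ts} hint={req.userhint} sam={req.sam} groups={len(req.group_sids)} "
                   f"result={req.result} error={err} pattern={classify(req)}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_TRACE)))
```

Both requests in the sample land in the same bucket: the SAM name and the user's SIDs were obtained, so the hint was resolvable across the trust, and the failure is confined to the LDAP lookup, which is the point joe makes about the federation server's identity needing to be accepted by the DCs it queries. Run over a real trace, a run of `resolved-but-ldap-operations-error` entries for one store is the signal to check the app pool identity before touching anything else.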
