Yesterday I was asked whether it is possible to establish a cross domain authentication with ADFS.


  • Two different Windows Domains (A & B) without any trust configuration
  • Network access between Domains is established with IPSec Site2Site (all ports needs to be opened separately)
  • One specific Windows Service on a server in Domain A has to use an AD Account from Domain B for logon (Windows Service -> Logon -> This Account -> Account from Domain B)

Our partner doesn´t want to establish a domain trust due to security reasons and is therefore asking if we could realize this authentication process through ADFS?

ADFS is quite new to me and I'm not sure if this scenario is even possible with ADFS?

  • 1
    Can you do this with ADFS? Not likely. You don't specify what kind of service you need to access, but by the sound of it ADFS is not a solution. – joeqwerty Jan 14 at 15:43

This is not possible without a domain trust.

ADFS allows applications to authenticate against AD (or another Identity Provider) without direct access to it; but the applications must explicitly support this authentication method.
Windows logon doesn't.
In order to log on to a Windows system, you need to either:

  • Log in using a local user account
  • Log in using a user account in the domain the system is joined to
  • Log in using a user account in a trusted domain

To add to @Massimo answer, if you could change the Windows service to use OpenID Connect with the client credentials flow(i.e. a service not a user so no explicit logon), then this would work.

The other option is for the service to use the old-school WS-Trust i.e. WCF.

Both of these are supported by ADFS.

Not the answer you're looking for? Browse other questions tagged or ask your own question.