ADFS 2.0 authentication fallback
Hi All,

We are working on an ADFS 2.0 implementation where we have several internal users that can log in to different Active Directory domains (example: domain A and B). They all access the same portal from where they can access an application in the cloud. The ADFS 2.0 server is a member of the Active Directory domain A.

The following authentication handlers are configured in the web.config of ADFS:

Integrated
Forms

Now we have the following scenarios:

Scenario 1:
1. The user is on the internal network and is authenticated through Active Directory domain A.
2. The user clicks in the browser the link to the external web application.
3. The application redirects the user to the internal ADFS server (IdP).
4. The user has an SSO experience to the ADFS server with his Kerberos ticket.
5. The user gets a token from ADFS and is granted permission to the external web application.

Scenario 2:
1. The user is on the internal network and is authenticated through Active Directory domain B.
2. The user clicks in the browser the link to the external web application.
3. The application redirects the user to the internal ADFS server (IdP).
4. The user has NO SSO experience to the ADFS server, because his Kerberos ticket is not valid for the domain that ADFS is a member of.

The scenario that we want:

Scenario 3:
1. The user is on the internal network and is authenticated through Active Directory domain A.
2. The user clicks in the browser the link to the external web application.
3. The application redirects the user to the internal ADFS server (IdP).
4. The user has NO SSO experience to the ADFS server, because his Kerberos ticket is not valid for the domain that ADFS is a member of.
5. The user can authenticate through form-based authentication with his Active Directory username and password.
6. The user gets a token from ADFS and is granted permission to the external web application.

Is it possible to configure an authentication fallback so we get scenario 3, where if the Kerberos ticket is not valid the user is presented with a form where he is authenticated through form-based login?

Regards,
Maikel van Westeneng
May 22nd, 2012 8:04am

This topic is archived. No further replies will be accepted.