When using AD FS 2.0, it may be beneficial to use shadow accounts in some situations.  One reason may be that the service accesses back-end resources that require a Windows token, which the Claims to Windows Token Service (c2WTS) can supply.  This article focuses on the AD FS 2.0 perspective of this solution and does not cover configuring c2WTS or provisioning the shadow accounts.  The c2WTS requires the user's UPN in order to fetch and build a Windows token.

Associating Shadow Accounts

In order for this to work, there must be some piece of information that associates the user's account with the shadow account in the remote forest.  Typically the UPN will not match, so we will need to associate the account in some other way.  The example in this wiki assumes the email address field will match between the user's account and the user's shadow account.


The following custom claim rule will pull an incoming email address claim, find the shadow user in Active Directory with that email address, and issue the appropriate UPN claim that can later be used with the c2WTS.

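c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = "mail={0};userPrincipalName;adatum\adfssvc", param = c.Value);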

Change "adatum\adfssvc" to match the service account that is running AD FS 2.0.
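
The rule uses the mail attribute as the only join key between the two accounts, so that key should be unique and populated in the shadow forest. The following is an added example, not part of the original article: a Python model of the rule's lookup run over a constructed CSV export of shadow accounts, reporting mail values that match more than one account or none. The column layout, account names and domains are assumptions, and matching is done case-insensitively.

```python
import csv
import io
from collections import defaultdict

# Constructed export of shadow accounts from the resource forest. Column names
# mirror the AD attributes the rule reads; every value is made up.
SAMPLE_EXPORT = """sAMAccountName,mail,userPrincipalName
s-alice,alice@contoso.example,s-alice@adatum.example
s-bob,bob@contoso.example,s-bob@adatum.example
s-bob-admin,Bob@Contoso.example,s-bob-admin@adatum.example
s-carol,,s-carol@adatum.example
s-dave,dave@contoso.example,
"""

def load_accounts(text):
    return list(csv.DictReader(io.StringIO(text)))

def norm(value):
    # Compare mail values without regard to case or stray whitespace.
    return (value or "").strip().casefold()

def resolve_upns(email, accounts):
    """Model of the rule's lookup: filter mail=<email>, return userPrincipalName."""
    wanted = norm(email)
    if not wanted:  # an empty claim must never match accounts with no mail
        return []
    return [a["userPrincipalName"].strip() for a in accounts
            if norm(a["mail"]) == wanted and a["userPrincipalName"].strip()]

def audit_join_attribute(accounts):
    """Report accounts for which the mail -> UPN mapping is ambiguous or empty."""
    by_mail = defaultdict(list)
    missing_mail, missing_upn = [], []
    for a in accounts:
        name = a["sAMAccountName"]
        if not a["userPrincipalName"].strip():
            missing_upn.append(name)
        if norm(a["mail"]):
            by_mail[norm(a["mail"])].append(name)
        else:
            missing_mail.append(name)
    duplicates = {m: names for m, names in by_mail.items() if len(names) > 1}
    return {"duplicate_mail": duplicates, "missing_mail": missing_mail,
            "missing_upn": missing_upn}

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    print(audit_join_attribute(accounts))
    print(resolve_upns("bob@contoso.example", accounts))  # two UPNs: ambiguous
```

Any entry under duplicate_mail means a single incoming email claim would match more than one shadow account, so the mapping should be fixed before the UPN is handed to the c2WTS.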

Links to Additional Content

The following articles supplement the material in this article.

Understanding Claim Rule Language in AD FS 2.0

Claims to Windows Token Service (c2WTS)