Passing claims from Domain Controller (in Kerberos tickets) to Active Directory Federation Server


I'm hoping someone can help me out with something that has been puzzling me for quite some time now. I have a domain controller set up with Kerberos armoring enabled to include claims in issued Kerberos tickets. I have Dynamic Access Control configured to define the claim types to include in the Kerberos tickets. The Kerberos tickets appear to contain the defined claim types when tested using a simple PowerShell script that uses System.Security.Principal.WindowsIdentity to query the claims included in the current user's identity, which I presume are obtained from the existing issued Kerberos ticket.

I configured Active Directory Federation Services integrated with the Active Directory DC as a claims provider trust, and set up a SAML test web application server as the service provider / relying party. The setup works if I use "Send LDAP Attributes as Claims" in the relying party trust to query AD and obtain the claims.

However, I wanted to take the claims included in the Kerberos tickets and include them in the SAML token issued by AD FS when a user performs SSO through Windows integrated login. I tried the possible "pass through" rules in both the claims provider trust and the relying party trust to extract these claims from the Kerberos tickets and include them in the generated SAML tokens in AD FS, but none seem to work. I created a custom rule to pass through claims, but none seem to work. It appears the Kerberos tickets don't contain the associated claims defined in Dynamic Access Control, since I am able to pass through the default claims in Kerberos such as UPN, groups SID, name, etc. But if it's the custom claims defined in Dynamic Access Control and included in the Kerberos ticket, they seem nonexistent. Can someone help me diagnose this further?

FYI, the test web app I used is SimpleSAMLphp, and I use it because it displays the claims/attributes it receives in the SAML token issued by AD FS.

Here is the PS script I used to test and see whether the Kerberos ticket of the current user contains the claim types defined in Dynamic Access Control:

    $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userName = $currentUser.Name
    Write-Output "user: $userName`n"
    Write-Output "---- claims ----`n"
    $claims = $currentUser.Claims

    foreach ($claim in $claims) {
        # Claim type: reduce the type URI to a short name.
        # Start from the full type so an unrecognised scheme does not
        # reuse the short name left over from the previous claim.
        $claimType = $claim.Type
        if ($claim.Type -match "http://") {
            $claimType = ($claim.Type).Split('/')[($claim.Type).Split('/').Count - 1]
        }
        elseif ($claim.Type -match "ad://") {
            # ad://ext/<name>:<suffix> -> <name>
            $claimTypeName = ($claim.Type).Split(':')[($claim.Type).Split(':').Count - 2]
            $claimType = $claimTypeName.Split('/')[$claimTypeName.Split('/').Count - 1]
        }

        # Transform
        if ($claimType -eq "groupsid") {
            $claimType = "group"
        }

        # Claim value: resolve group SIDs to account names where possible
        $claimValue = $claim.Value
        if ($claimValue -match "s-" -and $claimType -eq "group") {
            try {
                $sidValue = New-Object System.Security.Principal.SecurityIdentifier($claimValue)
                $accountName = $sidValue.Translate([System.Security.Principal.NTAccount])
                $claimValue = $accountName
            }
            catch {
                # Report the current claim value; $sidValue may be stale if New-Object failed
                Write-Verbose "warning: unable to get group name attribute of sid $claimValue"
                $claimType = "groupsid"
            }
        }
        Write-Output "$claimType`: $claimValue"
    }

If I can provide any other information to diagnose the issue, please let me know.

Thank you in advance.
