Re: ADFS and ADAM
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 Jan 2007 11:54:33 -0600
Glad you got it working before I even saw the post. :)
I generally put the "authenticated users" built-in group SID in the readers
role in ADAM, and this makes all of these problems go away. It is much
easier to deal with than adding each user to the group as you provision them
and scales more easily as well if you ever end up with thousands or millions
of users in ADAM (which is possible and has been done!).
To do that, add this distinguished name to the member attribute (I use
LDP.exe for this):
<SID=S-1-5-11>
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
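An added example, not from Joe's post: a PowerShell script that makes the change he describes through System.DirectoryServices and then repeats the lookup ADFS performs (simple bind as the end user, then a userPrincipalName search) to confirm the user can now read the partition. Host, port, partition DN and the test user name come from the log further down; the Readers role location under CN=Roles and the bind credentials are assumptions to adjust for your instance.

```powershell
# Grant ADAM's per-partition Readers role to the Windows "Authenticated Users"
# well-known group (S-1-5-11), then verify. Example code, not from the thread.
$server    = "myhost2:389"                               # from the ADFS log
$partition = "OU=Public,O=MYCOMPANY,C=CA,DC=Public"      # from the ADFS log
$readersDn = "CN=Readers,CN=Roles,$partition"            # assumed: ADAM's default role container
$authUsers = "<SID=S-1-5-11>"                            # Authenticated Users in <SID=...> DN form

# Bind as an ADAM administrator with the caller's Windows credentials (secure bind).
$readers = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$server/$readersDn", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]::Secure)

$current = @($readers.Properties["member"])
if ($current -contains $authUsers) {
    Write-Host "Authenticated Users is already a member of $readersDn"
} else {
    $readers.Properties["member"].Add($authUsers) | Out-Null
    $readers.CommitChanges()
    Write-Host "Added $authUsers to $readersDn"
}

# Read the role back so the change, not the cached object, is what we report.
$readers.RefreshCache()
$readers.Properties["member"] | ForEach-Object { Write-Host " member: $_" }

# Repeat what ADFS does: simple bind as the end user (AuthenticationTypes.None),
# then search the partition for (userPrincipalName=<user>). Before the role change,
# this search returns nothing even though the object exists, which is exactly the
# LdapUserObjectNotFound symptom in the log. Use the SSL port for a simple bind
# outside a lab, since the password travels in the clear on 389.
$cred   = Get-Credential -Message "ADAM test user, e.g. jdoe (assumed test account)"
$asUser = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$server/$partition", $cred.UserName,
    $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::None)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($asUser)
$searcher.Filter      = "(userPrincipalName=$($cred.UserName))"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$result = $searcher.FindOne()

if ($result) {
    Write-Host "Found: $($result.Path)"
} else {
    Write-Host "No object for filter $($searcher.Filter): the user still cannot read $partition"
}
```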
"Dima" <Dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:525C8C2D-72FB-40A0-A32A-0EE8FEBF80F1@xxxxxxxxxxxxxxxx
Ah, yes. I was right. ADFS binds to ADAM using the simple bind method
(username/password), and username and password it is trying to
authenticate.
Then it performs the search for the object with <username
attribute>=<username> and then it extracts claims from that object if it
finds it.
My problem was that user jdoe didn't have readers role on the root node. I
could see that from ldp.exe when binding with user jdoe. When I added it to
Readers role it started working.
"Dima" wrote:
Of course. User object has all the correct attribute values. In fact, when I
create a query in ADSI Edit with same search base DN and filter it returns
the user object correctly. I suspect the problem is with credentials which
ADFS uses to log on to ADAM, but I am not sure. When I use WAB to search ADAM
I have to log on with my credentials and set the encryption. So, maybe ADFS
doesn't support that. Maybe I need to configure ADAM somehow to allow ADFS to
search it.
I would expect to get some other error other than the one I'm getting in
case there's a permission problem, but you never know...
"Joe Kaplan" wrote:
Does the user object in question have a userPrincipalName attribute with
value of "jdoe"? If not, then that is the problem, as that is what ADAM is
trying to use to find the user.
You can use ADSI Edit or ldp.exe to find out and change this if necessary.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dima" <Dima@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F028F99A-51E5-459D-8606-4A590A8F18DA@xxxxxxxxxxxxxxxx
I am trying to make ADFS authenticate users against an ADAM account store,
but I keep getting the object not found error from the LDAP search.
Here's an extract from the log:
2007-01-17T22:43:14 [INFO] Client is unauthenticated. Attempting to collect credentials.
2007-01-17T22:43:14 [INFO] Requesting token for urn:federation:myhost with username jdoe.
2007-01-17T22:43:14 [INFO] InternalRST: target = urn:federation:myhost, credtype = urn:oasis:names:tc:SAML:1.0:am:password, userhint = jdoe, store =
2007-01-17T22:43:14 [INFO] GetClaimsForUserNameWorker (LDAP): called for user jdoe
2007-01-17T22:43:14 [VERBOSE] GetClaimsForUserNameWorker: Searching with the following params:
ldapSearchPath = LDAP://myhost2:389/OU=Public,O=MYCOMPANY,C=CA,DC=Public
filter = (userPrincipalName=jdoe)
2007-01-17T22:43:14 [ERROR] GetClaimsForUserNameWorker: No object for user 'jdoe/jdoe' and filter '(userPrincipalName=jdoe)', LDAPServer: 'myhost2'
2007-01-17T22:43:14 [INFO] AccountStoreCollection.InternalGetClaimsForUser: User jdoe logon handled non-authoritatively with LdapUserObjectNotFound by selected store ldap://myhost2:389/OU=Public,O=MYCOMPANY,C=CA,DC=Public/
2007-01-17T22:43:14 [VERBOSE] Processing FS response: policy version is e8606814-47e1-48bf-8d6e-d8468ae7c19b - 37
2007-01-17T22:43:14 [VERBOSE] Creds verification: AccountStoreDisplayName = StorePublic
2007-01-17T22:43:14 [VERBOSE] AccountStoreType = LdapDirectoryType
2007-01-17T22:43:14 [VERBOSE] AccountStoreTypeDisplay = AD/AM Directory
2007-01-17T22:43:14 [VERBOSE] AccountStoreUriStr = ldap://myhost2/OU=Public,O=MYCOMPANY,C=CA,DC=Public/
2007-01-17T22:43:14 [VERBOSE] User Validation Info: ErrorCode = 0
2007-01-17T22:43:14 [VERBOSE] Additional Info: myhost2.mycompany.com
2007-01-17T22:43:14 [INFO] Token issuance request to FS failed: ValidationFailure
When I use the Windows Address Book, I am able to connect to ADAM and look
up user jdoe. Anyone have any idea what could be wrong?