Unexpected error in log, need some help

Sep 19, 2012 at 9:36 AM
Edited Sep 19, 2012 at 11:40 AM

Hello, I've installed the WSP and configured LDAPCP to connect to an AD.

We're using Ping Federate to provide the token. Ping Federate is configured to provide the UPN from a SharePoint A farm to a SharePoint B farm. The SharePoint B farm is the target environment for a SharePoint A farm user.

But when I open the people picker, an error is written in the log:


[LDAPClaimProvider] Impossible to continue because identity claim "https://schemas.xmlsoap.org....2005/05/identity/claims/upn" is missing in the list of attributes to query. Please use method PopulateAttributesDefinition() to add it.

Any ideas?

Did I miss something with PowerShell, or is it from LDAPCP?

For info, when I run this in the SharePoint PowerShell:

$trust = Get-SPTrustedIdentityTokenIssuer "PING STS"

$trust.ClaimTypeInformation

I get:

InputClaimType : http://schema..../identity/claims/nameidentifier

MappedClaimType : http://schema.../identity/claims/upn

This was configured by:

New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" -IncomingClaimTypeDisplayName "Ping UPN Claim" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

I think InputClaimType should be ...upn too, instead of nameidentifier?

If yes, how do I change it?

Thank you in advance,

Jeff

Coordinator
Sep 19, 2012 at 12:13 PM

Hello,

Indeed, the incoming claim type for the UPN must be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn (as documented on the home page of the project).
You can use a custom claim type for the UPN, but you have to inherit the claim provider (using the LDAPCP for Developers package) to customize the list of attributes.

You can remove the claim type using Remove-SPClaimTypeMapping (http://technet.microsoft.com/en-us/library/ff607882.aspx) and add it using Add-SPClaimTypeMapping (http://technet.microsoft.com/en-us/library/ff607816.aspx), but I never tested this. The cmdlets would look like the following:
$upnMapping = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
Get-SPTrustedIdentityTokenIssuer -Name "LiveIDSTS" | Add-SPClaimTypeMapping -Identity $upnMapping

Another way is to delete and recreate the trust, which can be faster if the trust creation has been saved in a PowerShell script.

cheers,
Yvan


Sep 19, 2012 at 12:46 PM
Edited Sep 19, 2012 at 2:19 PM

Thank you for your fast answer,

I think I'll have to add the attribute in the LDAPCP project, because the other option might not work: in Ping Federate you can't change Name Identifier to "UPN". When you configure Ping Federate it asks you to fill in the Name Identifier, and in my case we set the UPN:

Name Identifier = UPN.

What do you think? I don't know if I'm clear, since I'm not an expert on claims ^^

UPDATE:

I have modified the package .wsp and added this line:

new AttributeHelper{LDAPAttributeName="userPrincipalName", LDAPObjectClass="user", claimType=nsmsclaims.ClaimTypes.NameIdentifier, claimEntityType = SPClaimEntityTypes.User},

But it still doesn't work.

Thank you again for your time,


Jeff ANGAMA

Sep 19, 2012 at 4:24 PM

Impossible to delete the trust; it says that it is already in use. I deactivated it on every web app, though, before running the PowerShell command...

Coordinator
Sep 20, 2012 at 7:52 AM

Hello,
I've never seen this. I've been doing this very often, in many different farms, and I was always able to delete the trust once I made sure it is not used in any web application.
You should double-check each web application / zone again to confirm that the trust is not used.

Sep 20, 2012 at 9:14 AM
Edited Sep 20, 2012 at 11:14 AM

But adding:

AttributeHelper{LDAPAttributeName="userPrincipalName", LDAPObjectClass="user", claimType=nsmsclaims.ClaimTypes.NameIdentifier, claimEntityType = SPClaimEntityTypes.User},

should be enough, no? Without redefining the mapping?

Concerning the trust:

I succeeded in deleting the trust; in fact the problem was that I didn't deactivate the trust on one of the web apps.

Coordinator
Sep 20, 2012 at 12:08 PM

Just make sure that nsmsclaims.ClaimTypes.NameIdentifier matches the namespace of the UPN claim type that you are using.
Then you also need to add the other claim types that you are using; otherwise the claim provider will only use this claim type.

Sep 20, 2012 at 2:54 PM
Edited Sep 20, 2012 at 3:32 PM

What I've done:

Recreated the trust only on UPN, using:

New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Ping UPN Claim" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

Now I can see the user from the other LDAP in the people picker, but when I try to authenticate to the SharePoint farm B I get an error with a correlation ID, and in the logs I get this error:


_login/default.aspx?errorCode=TRustedMissingIdendityClaimSource= Authenticate aspx source SPRequest error occured more information: 0x80070005

and

The file '/_layouts/_login/default.aspx' does not exist at system.web.UI.Util.CheckVirtualFileExists(VirtualPath virtualPath))

When I modify the web.config to debug, I get this error:

Operation is not valid due to the current state of the object

Stack trace:

Spwebensurespcontrol

spfederationauthenticationmodule

I've seen on the internet that this happens when the email isn't filled in, but I'm using the UPN, which must be filled in because the UPN is read from the login name? Also, I checked the UPN values; they are equal (testtoto@domain.com).

Thank you,


Nov 2, 2012 at 8:02 PM
Edited Nov 2, 2012 at 8:04 PM

Sorry to hijack this thread, but I have a customer that is using the Developer Sample and deploying it into their environment. They are seeing exactly the same problem as the original poster above. They are using Ping as well and are trying to pass http://schemas.xmlsoap.org/claims/commonname as the identifier claim.

In the SPTrustedIdentityTokenIssuer they have the following for this claim as the identifier claim:

DisplayName     : CommonName
InputClaimType  : http://schemas.xmlsoap.org/claims/CommonName
MappedClaimType : http://schemas.xmlsoap.org/claims/CommonName
IsIdentityClaim : True

We have tried to modify PopulateAttributesDefinition() in the CustomDisplayForPermsOnIdentityClaim.cs file to add the schema for CommonName, but we are still getting the

"[LDAPClaimProvider] Impossible to continue because identity claim https://schemas.xmlsoap.org/claims/CommonName is missing in the list of attributes to query. Please use method PopulateAttributesDefinition() to add it."

So my question is: what am I doing wrong by adding this new LDAP attribute? Is there anything else I am missing? From the code it looks like this is all that needs to be added.
Any assistance would be appreciated.

Thanks,
Ryan

Code block modified (added CommonName for LDAPAttributeName):

protected override void PopulateAttributesDefinition()
{
    // Each entry maps one LDAP attribute to the claim type the trust sends for it.
    // The identity claim type of the trust (here CommonName) must appear in this list,
    // otherwise the claim provider logs "identity claim ... is missing in the list of attributes to query".
    AttributesDefinitionList = new List<AttributeHelper>
    {
        new AttributeHelper { LDAPAttributeName = "mail", LDAPObjectClass = "user", claimType = nsmsclaims.ClaimTypes.Email, claimEntityType = SPClaimEntityTypes.User, peopleEditorEntityDataKey = PeopleEditorEntityDataKeys.Email },
        // Added for this customer: the CommonName identity claim
        new AttributeHelper { LDAPAttributeName = "CommonName", LDAPObjectClass = "user", claimType = nsmsclaims.ClaimTypes.Prip.CommonName, claimEntityType = SPClaimEntityTypes.User, peopleEditorEntityDataKey = PeopleEditorEntityDataKeys.AccountName },
        new AttributeHelper { LDAPAttributeName = "sAMAccountName", LDAPObjectClass = "user", claimType = nsmsclaims.ClaimTypes.WindowsAccountName, claimEntityType = SPClaimEntityTypes.User },
        new AttributeHelper { LDAPAttributeName = "userPrincipalName", LDAPObjectClass = "user", claimType = nsmsclaims.ClaimTypes.Upn, claimEntityType = SPClaimEntityTypes.User },
        // Attributes with ResolveAsIdentityClaim=true are searched but resolve to the identity claim
        new AttributeHelper { LDAPAttributeName = "displayName", LDAPObjectClass = "user", ResolveAsIdentityClaim = true, peopleEditorEntityDataKey = PeopleEditorEntityDataKeys.DisplayName },
        new AttributeHelper { LDAPAttributeName = "cn", LDAPObjectClass = "user", ResolveAsIdentityClaim = true },
    };

    // The identity claim type may use an attribute whose value doesn't mean anything to users (for example a corporate ID).
    // In that case, set this property to use another LDAP attribute to display the permission,
    // so that the user permissions list is more readable.
    base.DisplayMeInsteadOfIdentityValueInEntityDisplayText = AttributesDefinitionList.Where(x => x.LDAPAttributeName == "displayName").FirstOrDefault();
}
Coordinator
Nov 3, 2012 at 10:17 AM

Hello,

Your code is correct, but you associated the trust with the base class "LDAPClaimProvider" instead of your custom inherited class.

To get your code working, just run the following PowerShell commands to register your custom claim provider:

$trust = Get-SPTrustedIdentityTokenIssuer "TRUSTEDLOGINPROVIDER NAME"
$trust.ClaimProviderName = "YOUR CUSTOM ProviderInternalName FIELD VALUE"
$trust.Update()
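The two checks this thread keeps coming back to, as an added example that is not code from LDAPCP or from anyone in the thread: which identity claim type the trust really expects (and which claim provider is registered on it), and which web application zones still reference the trust, which is what blocks Remove-SPTrustedIdentityTokenIssuer with "already in use". It assumes the trust is named "PING STS" as in the first post; run it in the SharePoint Management Shell.

```powershell
# Added example (not from the LDAPCP project or this thread). Assumes a trust named "PING STS".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-TrustClaimMapping {
    param([string]$TrustName)
    $trust = Get-SPTrustedIdentityTokenIssuer $TrustName
    $trust.ClaimTypeInformation |
        Select-Object DisplayName, InputClaimType, MappedClaimType, IsIdentityClaim |
        Format-Table -AutoSize | Out-String | Write-Host
    # The identity claim's InputClaimType must be exactly what the STS emits, and the claim
    # provider registered here must list that claim type in its attributes definition.
    $id = $trust.IdentityClaimTypeInformation
    if ($id.InputClaimType -ne $id.MappedClaimType) {
        Write-Warning ("Identity claim is translated from '{0}' to '{1}': verify the STS really sends '{0}'." -f $id.InputClaimType, $id.MappedClaimType)
    }
    Write-Host ("Identity claim type expected by the claim provider: {0}" -f $id.MappedClaimType)
    Write-Host ("Claim provider registered on the trust: {0}" -f $trust.ClaimProviderName)
}

function Get-ZonesUsingTrust {
    param([string]$TrustName)
    # Every zone of every web application that still lists the trust as an authentication
    # provider must be switched away from it before the trust can be deleted.
    foreach ($webApp in Get-SPWebApplication) {
        foreach ($zone in $webApp.IisSettings.Keys) {
            foreach ($p in $webApp.IisSettings[$zone].ClaimsAuthenticationProviders) {
                # A trusted provider carries the trust's name as its DisplayName
                if ($p -is [Microsoft.SharePoint.Administration.SPTrustedAuthenticationProvider] -and $p.DisplayName -eq $TrustName) {
                    New-Object PSObject -Property @{
                        WebApplication = $webApp.DisplayName
                        Zone           = $zone
                        Url            = $webApp.GetResponseUri($zone).AbsoluteUri
                    }
                }
            }
        }
    }
}

$trustName = "PING STS"
Test-TrustClaimMapping -TrustName $trustName
$inUse = @(Get-ZonesUsingTrust -TrustName $trustName)
if ($inUse.Count -eq 0) {
    "Trust '$trustName' is not used by any zone; it can be removed and recreated."
} else {
    "Trust '$trustName' is still used by these zones:"
    $inUse | Format-Table WebApplication, Zone, Url -AutoSize
}
```

New-Object PSObject is used instead of [pscustomobject] so the script also runs under the PowerShell 2.0 shell that ships with SharePoint 2010.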