Urgent: Resolve Users and Security Groups from foreign Domain Controllers (Cross Domain)

Dec 27, 2013 at 1:16 PM
Hi,

My SharePoint site is accessible from 4 Organizations through ADFS with 4 Different Domain Controllers. My SharePoint Farm is tied to one of them.

I'm able to authenticate users from foreign domain controllers.

I got this custom claim provider working (it can resolve users and Active Directory groups) from the Domain Controller that the SharePoint Farm is joined to.

How can I get it working (can resolve Users and Security Groups) from the foreign Domain Controllers (other organizations)?

Should there be a Trust Relationship between those Domains? But I went with the ADFS solution to avoid the Trust between domains!!

What is the best practice in this area?

Appreciate your help in advance.

Thanks,
Hamza
Coordinator
Dec 27, 2013 at 2:23 PM
Hello Hamza,
it's quite easy to do: you need very little code to specify multiple LDAP connections to each of your foreign ADs.
To see how to do that, download the package for developers and check the method "SetLDAPConnections" in "LDAPCP_Custom.cs"
cheers,
Yvan
Dec 27, 2013 at 2:42 PM
Thanks Yvan for the prompt answer,

Actually I don't have access to the foreign ADs or to their LDAPs, also I don't have a trust relationship with their Domains.
I just have the ADFS as Trusted Claim Provider with those organizations.

How can I achieve this? should I have a Trust Relationship with those Domains? How can I make their LDAPs accessible from my side?

Thanks,
Hamza
Coordinator
Dec 27, 2013 at 2:49 PM
Edited Dec 27, 2013 at 2:50 PM
Hello Hamza,
If you don't have LDAP access from SharePoint to the external ADs (note that an AD trust is not required for that, just LDAP ports to be opened), then you have the possibility to associate a keyword with a claim type, that you type to resolve the permission without doing a lookup.
For example, you type "EXTUSER:externaluser" in the people picker, and LDAPCP will resolve "externaluser" with the associated claim type.
To see how to implement this, have a look at the "LDAPCP_CustomLookup.cs" sample; this scenario is covered with multiple examples.
Let me know if this covers your needs.
cheers,
Yvan
Dec 27, 2013 at 3:52 PM
Thanks Yvan, I will start coordination with the Infrastructure team to achieve port opening and so on, so that the external ADs are recognizable from my side, and I will make the needed modifications on the source code.

However, I'm getting another issue (if you could help to get it solved): SharePoint is seeing all users who are authenticated through ADFS as External Users (even users who are coming from my Internal Domain).

So I'm not able to assign them Workflow Tasks, they are not able to see List Forms, Views, Ribbon, etc. Even if I assign a task to one of them, the task name has a suffix "External participant", and the Task got assigned to the Person who initiated the workflow.

However, end user is able to receive an email to complete this task on behalf of the ADFS User (as the Windows User and the ADFS User have same account name).

Do you have any thoughts on this issue?

Thanks,
Hamza
Coordinator
Dec 27, 2013 at 4:28 PM
Hello Hamza,
You should not change anything in the LDAPCP source code; you should download the developers package that contains sample classes that inherit LDAPCP, and build your own inherited class based on those samples.
Then I'm not sure I understand what you mean with "SharePoint is seeing all users who are authenticated through ADFS as External Users", but I think you are confusing things: a SAML user is always different from an AD user, even if that SAML user authenticated in the same AD as SharePoint (it has just no way to verify this).
So every permission must be created on a SAML claim (user/group/... claim type), not AD user or AD group, that is completely separate.
cheers,
Yvan
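The two points Yvan makes above, resolving a keyword-prefixed people-picker entry without any LDAP lookup, and the SAML identity being a different principal from the AD identity with the same account name, as an added illustration that is not LDAPCP's or SharePoint's own code. The keyword table, the issuer name "ADFS" and the sample values are constructed for this example; the claim encoding format (`i:05.t|issuer|value` for a trusted-provider email identity, `i:0#.w|DOMAIN\user` for a Windows logon) is the one SharePoint uses for encoded claims.

```python
import re

# Standard claim type URIs used by SharePoint and ADFS.
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
LOGON = "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname"

# Single-character claim type codes SharePoint puts in encoded claims.
TYPE_CODES = {LOGON: "#", EMAIL: "5", ROLE: "-"}

# Keyword -> (claim type, trusted issuer name). Constructed for this example;
# "ADFS" stands for the farm's SPTrustedIdentityTokenIssuer name.
KEYWORDS = {
    "EXTUSER": (EMAIL, "ADFS"),
    "EXTGROUP": (ROLE, "ADFS"),
}


def resolve_keyword(text):
    """Map 'KEYWORD:value' to (claim_type, value, issuer) with no directory lookup.
    Because nothing is looked up, the value is at least checked syntactically;
    otherwise a typo silently grants a permission to an identity nobody can present."""
    keyword, sep, value = text.partition(":")
    if not sep or keyword.upper() not in KEYWORDS:
        return None
    claim_type, issuer = KEYWORDS[keyword.upper()]
    value = value.strip()
    if claim_type == EMAIL and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        return None
    if claim_type == ROLE and not value:
        return None
    return claim_type, value, issuer


def encode_claim(claim_type, value, issuer_type, issuer_name=None):
    """Build a SharePoint encoded claim: <i|c>:0<type>.<issuer>|[issuer_name|]value
    ('i' identity claim, 'c' other claim; 'w' Windows, 't' trusted provider)."""
    prefix = "c" if claim_type == ROLE else "i"
    head = f"{prefix}:0{TYPE_CODES[claim_type]}.{issuer_type}|"
    return head + (f"{issuer_name}|{value}" if issuer_name else value)


def encode_from_picker(text):
    """People-picker entry -> encoded claim the permission is actually granted to."""
    resolved = resolve_keyword(text)
    if resolved is None:
        return None
    claim_type, value, issuer = resolved
    return encode_claim(claim_type, value, "t", issuer)
```

Comparing `encode_claim(LOGON, "CONTOSO\\hamza", "w")` with `encode_from_picker("EXTUSER:hamza@contoso.com")` shows why a permission granted to one never applies to the other: SharePoint matches on the whole encoded string, issuer included.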
Dec 27, 2013 at 4:49 PM
Actually, this is what's happening:

If I go and try to assign permissions to an ADFS user, I'm writing his email address, and people picker is able to resolve it, so I'm able to do that.

Then when I log in with that ADFS user which I have assigned permission to, I can recognize that he has those permissions; for example I added one ADFS user as Site Collection Admin.

However, SharePoint is still seeing this user who is authenticated through ADFS as External User (even users who are coming from my Internal Domain).

So I'm not able to assign him a Workflow Task, he is not able to see List Forms, List Views, Ribbon, etc. Even if I assign him a task, the task name has a suffix "External participant", and the Task got assigned to the Person who initiated the workflow!!
Coordinator
Jan 3 at 3:35 PM
Hello,
what exactly do you mean with "External User"?
Any user that authenticates in ADFS (SAML) is by essence a non-Windows user (if that is what you mean with "external user"). But still, SAML users can definitely be assigned Workflow tasks, and actually I never saw the suffix "External participant" in a task name so I don't know what it means...
cheers,
Yvan