AD Group Names from different LDAP Search Results

Sep 22, 2015 at 6:58 AM
Edited Sep 22, 2015 at 7:06 AM
Thanks a lot for the great solution. Helped a lot with resolving claims users from ADFS in our environment.

We have a main domain and subdomains in our AD like below.

domain.com
subdomain1.domain.com
sbdomain2.domain.com
sbdomain3.domain.com
sbdomain4.domain.com

We have set up ADFS as our identity provider and are using LDAPCP to resolve claims users. I have added 4 additional LDAP connections in the LDAPCP configuration under the Security tab in Central Admin to resolve users in these subdomains, which is working as expected for users. I am also using LDAPCP to resolve AD groups.

Everything works great when the AD group names are different. I have a scenario where all subdomains have an AD group "Domain Users" with the same name. In this case LDAPCP finds these groups but creates only 1 permission.

Below is the LDAPCP log from ULS.

09/22/2015 16:46:55.73 w3wp.exe (0x17E0) 0x851C LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection1 af5f309d-aa5b-3073-8707-3292611f3e63

09/22/2015 16:46:55.73 w3wp.exe (0x17E0) 0x3714 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection2 ab5f309d-5af8-3073-8707-314f270dc164

09/22/2015 16:46:55.77 w3wp.exe (0x17E0) 0x2D68 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection3 ab5f309d-2a65-3073-8707-3d1d82d9d138

09/22/2015 16:46:55.77 w3wp.exe (0x17E0) 0x0AC4 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection4 aa5f309d-cadc-3073-8707-3a9b075dafcb

09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x3104 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection5 ab5f309d-fa60-3073-8707-3f019105f0f1

09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x851C LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Querying of LDAP servers finished in 44ms (current timeout is 10000ms) af5f309d-aa5b-3073-8707-3292611f3e63

09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x851C LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Got 5 result(s) from all LDAP server(s) with query "(| (&(objectclass=user)(userPrincipalName=domain users*)) (&(objectclass=user)(mail=domain users*)) (&(objectclass=group)(sAMAccountName=domain users*)) (&(objectclass=user)(displayName=domain users*)) (&(objectclass=user)(cn=domain users*)(!(objectClass=computer))) (&(objectclass=user)(sn=domain users*)) )" af5f309d-aa5b-3073-8707-3292611f3e63

09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x851C LDAPCP LDAP Lookup 1337 Medium [LDAPCP] 1 permission(s) to create after filtering af5f309d-aa5b-3073-8707-3292611f3e63

09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x851C LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) Domain Users", value: "Domain Users", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 0 metadata. af5f309d-aa5b-3073-8707-3292611f3e63

09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x851C LDAPCP Claims Picking 1337 Medium [LDAPCP] Added permission created with LDAP lookup: claim value: "Domain Users", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" to the list of results. af5f309d-aa5b-3073-8707-3292611f3e63

I would like to see results as below in people picker.

(Role) Domain Users - SubDomain1
(Role) Domain Users - SubDomain2
(Role) Domain Users - SubDomain3
(Role) Domain Users - SubDomain4

Can you please help me with how I can resolve this issue?
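
The collapse is visible in the ULS excerpt above: five "Got 1 result(s)" lines, one per LDAP connection, then "Got 5 result(s) from all LDAP server(s)" and finally "1 permission(s) to create after filtering". The following Python parser is an added example (not code from the thread or from LDAPCP) that reads such an excerpt and flags the case where LDAP returned more rows than LDAPCP turned into permissions. The sample text is a constructed copy of the lines quoted in the post, with the LDAP query text abbreviated; the message wordings matched by the regexes are taken from those lines only.

```python
"""Detect same-named groups collapsing into one permission in an LDAPCP ULS excerpt."""
import re

# Constructed sample: the lines quoted in the post above, with the LDAP query text abbreviated.
SAMPLE_ULS = """\
09/22/2015 16:46:55.73 w3wp.exe (0x17E0) 0x851C LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection1 af5f309d-aa5b-3073-8707-3292611f3e63
09/22/2015 16:46:55.73 w3wp.exe (0x17E0) 0x3714 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection2 ab5f309d-5af8-3073-8707-314f270dc164
09/22/2015 16:46:55.77 w3wp.exe (0x17E0) 0x2D68 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection3 ab5f309d-2a65-3073-8707-3d1d82d9d138
09/22/2015 16:46:55.77 w3wp.exe (0x17E0) 0x0AC4 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection4 aa5f309d-cadc-3073-8707-3a9b075dafcb
09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x3104 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://connection5 ab5f309d-fa60-3073-8707-3f019105f0f1
09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x851C LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Got 5 result(s) from all LDAP server(s) with query "(| (&(objectclass=group)(sAMAccountName=domain users*)) ... )" af5f309d-aa5b-3073-8707-3292611f3e63
09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x851C LDAPCP LDAP Lookup 1337 Medium [LDAPCP] 1 permission(s) to create after filtering af5f309d-aa5b-3073-8707-3292611f3e63
09/22/2015 16:46:55.78 w3wp.exe (0x17E0) 0x851C LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) Domain Users", value: "Domain Users", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 0 metadata. af5f309d-aa5b-3073-8707-3292611f3e63
"""

# Message shapes as they appear in the quoted log; "from all" deliberately does not match _PER_CONN.
_PER_CONN = re.compile(r"Got (\d+) result\(s\) from (LDAP://\S+)")
_TOTAL = re.compile(r"Got (\d+) result\(s\) from all LDAP server\(s\)")
_PERMS = re.compile(r"(\d+) permission\(s\) to create after filtering")
_CREATED = re.compile(
    r'Created permission: display text: "([^"]*)", value: "([^"]*)", claim type: "([^"]*)"'
)


def analyze_ldapcp_log(text):
    """Return per-connection hit counts, the aggregate counts and the permissions created.

    `collapsed` is True when LDAP returned more rows than LDAPCP turned into permissions,
    which is what happens when several connections return a group with the same name.
    """
    per_connection = {}
    total = permissions = None
    created = []
    for line in text.splitlines():
        if m := _PER_CONN.search(line):
            per_connection[m.group(2)] = int(m.group(1))
        elif m := _TOTAL.search(line):
            total = int(m.group(1))
        elif m := _PERMS.search(line):
            permissions = int(m.group(1))
        elif m := _CREATED.search(line):
            created.append({"display": m.group(1), "value": m.group(2), "claim_type": m.group(3)})
    collapsed = total is not None and permissions is not None and permissions < total
    return {
        "per_connection": per_connection,
        "total_results": total,
        "permissions_created": permissions,
        "created": created,
        "collapsed": collapsed,
    }


if __name__ == "__main__":
    summary = analyze_ldapcp_log(SAMPLE_ULS)
    for conn, hits in summary["per_connection"].items():
        print(f"{conn}: {hits} hit(s)")
    print(f"{summary['total_results']} LDAP rows -> {summary['permissions_created']} permission(s)")
    if summary["collapsed"]:
        print("WARNING: same-named entries collapsed:", [p["value"] for p in summary["created"]])
```

Run against a larger ULS export, the warning tells you which claim values silently absorbed hits from several connections before you find out through an unexpected "access granted".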
Coordinator
Sep 23, 2015 at 8:43 AM
Hello,
what you request is not possible, because groups with same name across your domains will have exactly the same claim value (groupname) in SharePoint. So LDAPCP will see them as duplicates and display only 1 in the people picker.
This is also a security concern, since a member of domain1\groupname could access resources that you want to grant to members of domain2\groupname only.
To address this, in Central Admin > Security > LDAPCP claims mapping page, you can set the special string "{domain}\" in the column "Prefix to add to value returned" for the role claim type.
It will configure LDAPCP to dynamically add the corresponding domain name to the value of the role claim created (and it will also affect its display name in the people picker).
For this to work properly, you have to configure the STS to issue a role claim type in the form of "domain\groupname" instead of just "groupname".
thanks,
Yvan
Sep 23, 2015 at 11:52 PM
Thanks Yvan, I will give this a try and let you know the results.
Sep 24, 2015 at 6:43 PM
Edited Sep 24, 2015 at 6:44 PM
I have resolved a situation similar to this by doing two things: A) Configuring ADFS to send AD groups qualified by "LONG DOMAIN". B) Altering the LDAPCP source code with 2 lines to keep the domain prefix.

I should note that this was an older LDAPCP2010 version. I bet you are only missing the 'long domain' qualification instead of the 'domain qualification' in ADFS.
Sep 25, 2015 at 4:22 AM
Thanks guys for all your help. I resolved this yesterday but did not have time to post a reply. I did almost exactly what franze mentioned above.
  1. I changed the claim mapping as per Yvan's comment: "In Central Admin > Security > LDAPCP claims mapping page, you can set special string "{domain}\" in column "Prefix to add to value returned" for the role claim type."
  2. Changed the ADFS Relying Party claims rule to send the LDAP attribute "Token-Groups - Qualified by Domain Name" mapped to "Role" as the outgoing claim type, because LDAPCP returns values prefixed with "{domain}\" for resolving domain names. For automating this, the claims issuance file (text file) should look like below:
@RuleTemplate = "LdapClaims"
@RuleName = "Email Address, UPN and Group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,userPrincipalName,tokenGroups(domainQualifiedName);{0}", param = c.Value);

Set-ADFSRelyingPartyTrust -TargetName $realm -IssuanceTransformRulesFile $claimsRulesFilePath

Also, the SharePoint Claims Viewer web part helped a lot for watching the roles returned from ADFS and the STS augmenting the same.
Sep 25, 2015 at 6:24 PM
Yeah, qualified by 'long domain' in ADFS is important when you are issuing subdomains as part of the group name. Otherwise, if you don't choose 'long domain' then ADFS will trim the subdomain off at issuance time.
Sep 28, 2015 at 12:26 AM
Edited Sep 28, 2015 at 12:30 AM
Thanks franze for the info. When I use qualified by 'long domain' in ADFS it is sending the roles back as below.

User: ABC
Role 1: role1.subdomain1.Maindomain.com
Role 2: role2.subdomain2.Maindomain.com
Role 3: role3.subdomain3.Maindomain.com
Role 4: role4.subdomain4.Maindomain.com

But, as I prefixed '{domain}\' to the role claim values returned in LDAPCP, it gives me roles for a user as 'Subdomain1\role1', 'Subdomain2\role2', etc. Since the two formats don't match, I get access denied and the 'Sorry, this site has not been shared with you.' error. That is the reason I used qualified by 'Domain Name' as the outgoing claim in ADFS, and this is working for me. Hope it makes sense.
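
The two halves of this thread, Yvan's explanation of why same-named groups collapse into one claim value (and why that is a security concern) and the format mismatch described in the post just above, come down to one rule: SharePoint compares the (claim type, claim value) pair in the user's token against the pair LDAPCP stored when the permission was granted. The Python model below is an added example, not code from the thread, from LDAPCP or from ADFS. It assumes the comparison is exact string equality, uses the subdomain names from the first post, and constructs the claim-value shapes for the three ADFS Token-Groups variants to match what the posts report rather than taking them from ADFS itself.

```python
"""Model how a user's ADFS role claims are matched against permissions LDAPCP created."""
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed: one "Domain Users" group returned by each of the four subdomain LDAP connections.
LDAP_RESULTS = [(f"subdomain{i}", "Domain Users") for i in range(1, 5)]


def build_permissions(ldap_results, prefix=""):
    """Mimic LDAPCP: value = prefix + group name, with "{domain}" expanded per connection,
    then de-duplicated on (claim type, value), which is why same-named groups collapse."""
    perms = []
    for domain, group in ldap_results:
        key = (ROLE, prefix.replace("{domain}", domain) + group)
        if key not in perms:
            perms.append(key)
    return perms


def adfs_role_value(domain, group, qualification):
    """Shapes of the role claim for each ADFS Token-Groups variant, constructed to match what the
    thread reports ('none', 'Qualified by Domain Name', 'long domain'); not taken from ADFS itself."""
    if qualification == "none":
        return group
    if qualification == "domain":
        return f"{domain}\\{group}"
    if qualification == "long_domain":
        return f"{group}.{domain}.Maindomain.com"
    raise ValueError(f"unknown qualification: {qualification}")


def has_access(user_claims, granted):
    """Assumption: access is granted only when a user claim equals the granted (type, value) exactly."""
    return granted in user_claims


def scenario(prefix, qualification):
    """Grant subdomain1's group (the first permission the picker offers) and test two users:
    one from subdomain1, who should get in, and one from subdomain2, who should not."""
    perms = build_permissions(LDAP_RESULTS, prefix)
    grant = perms[0]
    result = {"permissions": len(perms)}
    for domain in ("subdomain1", "subdomain2"):
        token = [(ROLE, adfs_role_value(domain, "Domain Users", qualification))]
        result[f"{domain}_user"] = has_access(token, grant)
    return result


if __name__ == "__main__":
    cases = [("", "none"), ("{domain}\\", "domain"), ("{domain}\\", "long_domain")]
    for prefix, qual in cases:
        print(f"prefix={prefix!r:12} adfs={qual:12} -> {scenario(prefix, qual)}")
```

The three cases reproduce the thread: with no prefix there is a single permission and the subdomain2 user gets in through subdomain1's grant (Yvan's concern); with "{domain}\" in LDAPCP and "Qualified by Domain Name" in ADFS there are four distinct permissions and only the subdomain1 user matches; with "{domain}\" in LDAPCP but long-domain qualification in ADFS nobody matches, which is the "site has not been shared with you" outcome reported above. Both sides must agree on the value shape; fixing only LDAPCP or only ADFS leaves either the leak or the lockout.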
Coordinator
Oct 9, 2015 at 11:04 AM
Hello,
I'm currently working on this feature and it will be available in next version, so stay tuned :)
I hope to release it this month or next one.
thanks,
Yvan