AD security group\Exchange distribution list email property is missing

Mar 31, 2016 at 6:36 AM
Edited Mar 31, 2016 at 8:11 AM
Hello Yvan,

Currently I'm unable to extract the email address associated with an AD security group (or Exchange distribution list).
In fact, when looking through PowerShell, I see:
Get-ADGroup "Project EPM-RIM" -Properties *
LastKnownParent                       :
mail                                  : ProjectEPM-RIM@XXX.com
mailNickname                          : ProjectEPM-RIM
I see the same when looking at a user:
Get-ADUser "Sergey_Solovyev" -Properties *
GivenName         : Sergey
mail              : Sergey_Solovyev@XXX.com
Name              : Sergey Solovyev
ObjectClass       : user
SamAccountName    : Sergey_Solovyev
Surname           : Solovyev
UserPrincipalName : Sergey_Solovyev@XXX.com
But when checking on the SharePoint server, the email is present for the user but not for the group:
$spti = Get-SPTrustedIdentityTokenIssuer
$claim9 = New-SPClaimsPrincipal -ClaimValue "Sergey_Solovyev@xxxx.com" -ClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn -TrustedIdentityTokenIssuer $spti
$user9 = $web.EnsureUser($claim9.ToEncodedString())
$user9 | Format-List -Property *
UserLogin                        : i:0e.t|staging adfs|sergey_solovyev@XXX.com
DisplayName                      : Sergey Solovyev
Name                             : Sergey Solovyev
Email                            : Sergey_Solovyev@XXX.com
$spti = Get-SPTrustedIdentityTokenIssuer
$claim10 = New-SPClaimsPrincipal -ClaimValue "Project EPM-GOPS" -ClaimType http://schemas.microsoft.com/ws/2008/06/identity/claims/role -TrustedIdentityTokenIssuer $spti
$user10 = $web.EnsureUser($claim10.ToEncodedString())
$user10 | Format-List -Property *
UserLogin                        : c:0-.t|staging adfs|project epm-gops
DisplayName                      : (Role) Project EPM-GOPS
Name                             : (Role) Project EPM-GOPS
Email                            : 
Please note that there is no possibility to create a duplicate claim in the LDAPCP configuration table.

Any suggestions on what I'm doing wrong?
Is there another way to map the group email?

Thanks,
Sergey

PS: I've attached a screenshot to be more precise.
[screenshot]
Coordinator
Apr 1, 2016 at 3:24 PM
Edited Apr 1, 2016 at 3:25 PM
Hello,
Actually this is possible, but there is a bug in the claims mapping page that prevents you from adding the entry needed to handle this.
You can fix it manually by editing ClaimsTable.aspx with Notepad (located in 15\TEMPLATE\ADMIN\ldapcp\ClaimsTable.aspx):
Edit line 307 to replace this:
$('#rowClaimEntityType').hide('slow')
by this:
$('#rowClaimEntityType').show('slow')

Then refresh the page in the browser and add a new entry to the table with the following options:
  • select "Add a LDAP attribute to use only as a metadata of the new permission."
  • Type of permission metadata: Email
  • LDAP Attribute: mail
  • LDAP Object class: group
  • Claim entity type: FormsRole
Now, when you add a new group, it should populate its email property. You can also monitor the ULS logs for the following messages:
04/01/2016 17:15:57.57 w3wp.exe (0x1F64) 0x2AD8 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Added metadata "Email" with value "group1@yvanhost.local" to permission 1f496e9d-2d82-20c6-840b-81ac9483b4f6
04/01/2016 17:15:57.57 w3wp.exe (0x1F64) 0x2AD8 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) YvanHost.local\group1", value: "YvanHost.local\group1", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 2 metadata. 1f496e9d-2d82-20c6-840b-81ac9483b4f6

thanks,
Yvan
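The procedure above has two places it can silently fail: the claims table entry itself (the later replies settle on object class "group" with entity type SecurityGroup rather than FormsRole), and a group that was already added to the site collection before the mapping existed, which EnsureUser hands back from the user information list without resolving it again. The script below is an added verification example, not code from this thread or from the LDAPCP project. It compares each group's AD "mail" attribute with the Email of the SPUser that a trusted-provider role claim resolves to, optionally removing a stale entry first, and then pulls the LDAPCP "Added metadata" ULS lines from the same time window. Assumptions not stated on the page: a SharePoint 2013 server with the ActiveDirectory RSAT module, a single trusted identity token issuer, the role claim type used in the thread, and the web URL and group names in the usage call, which are constructed placeholders.

```powershell
# Added verification script (not from the thread or the LDAPCP project).
# Assumptions: SharePoint 2013 server with the ActiveDirectory RSAT module, one trusted
# identity token issuer, LDAPCP mapping "mail" (object class group, entity type
# SecurityGroup) into the Email metadata, and the role claim type used in the thread.
# Get-SPLogEvent reads only this server's ULS logs, so run it where the w3wp resolved the claim.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$RoleClaimType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

function Test-LdapcpGroupEmail {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $WebUrl,
        [Parameter(Mandatory)] [string[]] $GroupNames,   # sAMAccountName of each AD group
        [switch] $RemoveFirst                             # drop a cached entry before resolving
    )

    $web     = Get-SPWeb $WebUrl
    $spti    = Get-SPTrustedIdentityTokenIssuer | Select-Object -First 1
    $started = (Get-Date).AddMinutes(-1)    # window for the ULS check below

    $rows = foreach ($name in $GroupNames) {
        # Ground truth: the LDAP attribute LDAPCP is configured to copy into Email.
        $adMail = (Get-ADGroup -Identity $name -Properties mail).mail

        # Same encoded value the People Picker stores for a trusted-provider role claim,
        # e.g. c:0-.t|staging adfs|project epm-gops
        $claim   = New-SPClaimsPrincipal -ClaimValue $name -ClaimType $RoleClaimType `
                       -TrustedIdentityTokenIssuer $spti
        $encoded = $claim.ToEncodedString()

        # EnsureUser returns the entry already stored in the site collection's user
        # information list when there is one, so a group added before the mapping was
        # fixed keeps its empty Email until it is removed and resolved again.
        if ($RemoveFirst) {
            Remove-SPUser -Identity $encoded -Web $web -Confirm:$false -ErrorAction SilentlyContinue
        }
        $spUser = $web.EnsureUser($encoded)

        [pscustomobject]@{
            Group   = $name
            Login   = $spUser.LoginName
            AdMail  = $adMail
            SpEmail = $spUser.Email
            Match   = (-not [string]::IsNullOrEmpty($adMail)) -and ($spUser.Email -eq $adMail)
        }
    }
    $web.Dispose()

    # LDAPCP writes the metadata fill at Verbose level; if nothing shows up here, raise the
    # trace level for the LDAPCP area with Set-SPLogLevel and run the check again.
    $ulsHits = Get-SPLogEvent -StartTime $started | Where-Object {
        $_.Area -eq 'LDAPCP' -and $_.Message -like '*Added metadata "Email"*'
    }

    [pscustomobject]@{
        Groups  = $rows
        UlsHits = $ulsHits | Select-Object Timestamp, Level, Message
    }
}

# Usage with constructed placeholders; replace the web URL and group names with your own.
$report = Test-LdapcpGroupEmail -WebUrl 'https://portal.contoso.local' `
              -GroupNames 'Project EPM-RIM', 'Project EPM-GOPS' -RemoveFirst
$report.Groups | Format-Table -AutoSize
if ($report.Groups | Where-Object { -not $_.Match }) {
    Write-Warning 'A group resolved without the expected Email; check the claims table entry (object class group, entity type SecurityGroup).'
}
$report.UlsHits | Format-Table -AutoSize
```

Run it once without -RemoveFirst to see what the site currently holds, then with it to force a fresh resolution through the claim provider; a row whose SpEmail stays empty after the second run points at the claims table entry rather than at a stale user information list record.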
Apr 4, 2016 at 5:46 AM
Edited Apr 4, 2016 at 5:55 AM
Hello Yvan,

Unfortunately this doesn't help.
The only ULS entry I see when adding a group using the People Picker is:

04/04/2016 08:18:41.22 w3wp.exe (0x3F18) 0x3904 LDAPCP Claims Picking 1337 Medium [LDAPCP] Added permission created with LDAP lookup: claim value: "Project EPM-ACCL", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" to the list of results. 241e6f9d-d401-5080-80b3-bc094f3648d5

Here is how the group is displayed:
[screenshot]

And here is how the user is displayed:
[screenshot]

Also, that's how group selection is displayed in the People Picker (duplicates are due to 2 authentication providers for the web application's default zone: AD + Trusted (ADFS)):
[screenshot]

And that's how user selection is displayed:
[screenshot]

Here is the claims table; could you please check if something is wrong?
[screenshot]

Thanks,
Sergey
Coordinator
Apr 4, 2016 at 12:53 PM
Hello Sergey,
Can you delete and recreate the entry, and choose "SecurityGroup" instead of "FormsRole" for the Claim entity type?
thanks,
Yvan
Apr 4, 2016 at 2:46 PM
Hello Yvan,
Empirically I've found that the SecurityGroup entry works fine.
[screenshot]

Here is how the group is now displayed:
[screenshot]

But I'm still unable to get it from code (either PowerShell or C#): the "Email" property is empty for the group.

Maybe I should deal with additional entries in the claims mapping table?

Thanks,
Sergey
Coordinator
Apr 4, 2016 at 3:22 PM
I'm not sure I understand what you mean by the code.
Do you have a sample code that works for users and not for groups?
Apr 4, 2016 at 5:10 PM
Edited Apr 4, 2016 at 5:12 PM
Sure, please find an example below:
$logonName = "WFA FP&A"
$user = [AMPortal.Data.SPLists.Repositories.Base.WebExtension]::TryEnsureUser($web, $logonName)
Write-Host $user.LoginName $user.Name $user.Email
c:0+.w|s-1-5-21-1292428093-113007714-1060284298-40795 WFA FP&A WFAFP&A@xxxx.com
$logonName = "WFA FP&A"
$user = [AMPortal.Data.SPLists.Repositories.Base.WebExtension]::TryEnsureUser($web, $logonName)
Write-Host $user.LoginName $user.Name $user.Email
c:0-.t|staging adfs|wfa fp&a (Role) WFA FP&A
PS: TryEnsureUser is our implementation of SPWeb.EnsureUser().

Thanks,
Sergey
Coordinator
Apr 7, 2016 at 8:35 AM
Hello,
Can you check the SharePoint logs to validate whether it calls LDAPCP?
Since it doesn't actually define a permission, I'm not sure that should populate metadata. Does the same code work for users?
thanks,
Yvan
Oct 3, 2016 at 12:04 PM
Hello Yvan,
Sorry for the late answer.

That was my mistake with the configuration mapping in the LDAPCP properties.

Hopefully, all is now working correctly.

Thanks,
S