
Role Claim Not Added in SharePoint Permission

Mar 3, 2015 at 8:23 PM
Hi Everyone,

I'm having an issue with LDAPCP and SharePoint 2013 that hopefully someone has run into and solved.

We have role claims returning from our trusted identity provider that contain the CN of the AD Groups they belong to. I've configured LDAPCP in Central Admin to query the 'cn' attribute for the object class 'group' and the claim type entity 'FormsRole'.

In the people picker I see the AD Groups as (Role) ADGroupName. When I pick that role and close the people picker I get an error:

Sorry, something went wrong
The user does not exist or is not unique.

In the ULS I see the following course of events:

03/03/2015 15:08:45.85 w3wp.exe (0x33B0) 0x44D0 LDAPCP LDAPCP 1337 Verbose [LDAPCP] LdapcpConfig PersistedObject found, version: 2297909, previous version: 2297909 e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.85 w3wp.exe (0x33B0) 0x44D0 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Connect to AD this server is member of, with application pool credentials e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://FOO.ORG/DC=FOO,DC=ORG e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Got 1 result(s) from all LDAP server(s) with query "(| (&(objectclass=group)(cn=ad group name)) )" e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] 1 permission(s) to create after filtering e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) AD GROUP NAME“, value: “AD GROUP NAME”, claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 0 metadata. e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 LDAPCP Claims Picking 1337 Medium [LDAPCP] Validated permission with LDAP lookup. Claim value: “AD GROUP NAME”, Claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 SharePoint Foundation Authentication Authorization ame4s Verbose GetUserInfoFromMembershipProvider: Returned from ResolvePrincipal without exception. WebApp: ‘aff2819a-b9e6-4a96-86a6-8ef1c4e07534', LoginName: 'c:0-.t|tipname|ad group name’, bIsRole: 'True'. e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 SharePoint Foundation Authentication Authorization ame4u Medium GetUserInfoFromMembershipProvider: ResolvePrincipal did NOT find a match. WebApp: ‘aff2819a-b9e6-4a96-86a6-8ef1c4e07534', LoginName: 'c:0-.t|tipname|ad group name’, bIsRole: 'True'. e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 SharePoint Foundation Authentication Authorization ame4w Unexpected GetUserInfoFromMembershipProvider: Request is in a web context and we can't find the user so we are failing. WebApp: ‘aff2819a-b9e6-4a96-86a6-8ef1c4e07534', LoginName: 'c:0-.t|tipname|ad group name’, bIsRole: 'True'. e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 SharePoint Foundation Authentication Authorization ame4y Medium GetUserInfoFromMembershipProvider: Returning result. WebApp: ‘aff2819a-b9e6-4a96-86a6-8ef1c4e07534', LoginName: 'c:0-.t|tipname|ad group name’, bIsRole: 'True', UserFound: 'False', UserKey: ''. e136ef9c-19ad-60c6-1679-9cc804d3da3f
03/03/2015 15:08:45.86 w3wp.exe (0x33B0) 0x44D0 SharePoint Foundation General 8kh7 High The user does not exist or is not unique. e136ef9c-19ad

It appears that LDAPCP is validating the ad group name and passing it to SharePoint, which then in turn says it can't find the user. I would think SharePoint would see that it's valid from the claims provider and just add the permission properly.

This will actually succeed if the ad group name already exists in the user hidden list for the site collection.

Any input, guidance or words of wisdom would be greatly appreciated.

Thanks!
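As an added example (not code from the post above or from LDAPCP), here is a small Python triage script for exactly the ULS pattern quoted in the post: it groups ULS events by correlation ID and flags any request where LDAPCP reports "Validated permission with LDAP lookup" for a role claim but SharePoint's `GetUserInfoFromMembershipProvider` then logs "ResolvePrincipal did NOT find a match" with `bIsRole: 'True'`. It assumes the on-disk ULS format of nine tab-separated fields (Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation); the sample below is constructed from the post's lines with tabs restored, plus a second, healthy correlation (a constructed placeholder ID) to show the check does not fire on a successful resolution. The curly quotes that appear in the post's log lines are normalised before matching.

```python
import re
from collections import defaultdict

# Real ULS files carry nine tab-separated fields in this order (assumption
# documented in the lead-in; the post's copy was flattened to spaces).
ULS_FIELDS = ("timestamp", "process", "tid", "area", "category",
              "event_id", "level", "message", "correlation")

# ULS lines pasted from browsers often carry curly quotes; fold them so one
# regex matches both the raw file and the copy in the post.
_QUOTE_MAP = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})

VALIDATED_RE = re.compile(
    r'Validated permission with LDAP lookup\. Claim value: "([^"]*)", Claim type: "([^"]*)"')
NO_MATCH_RE = re.compile(
    r"ResolvePrincipal did NOT find a match\..*LoginName: '([^']*)', bIsRole: '(True|False)'")


def parse_uls(text):
    """Parse tab-separated ULS text into dicts; lines without nine fields are skipped."""
    events = []
    for raw in text.splitlines():
        parts = [p.strip().translate(_QUOTE_MAP) for p in raw.split("\t")]
        if len(parts) != len(ULS_FIELDS):
            continue
        events.append(dict(zip(ULS_FIELDS, parts)))
    return events


def find_unresolved_roles(events):
    """Return one finding per correlation where LDAPCP validated a role claim
    but SharePoint's membership-provider resolution still found no principal."""
    by_corr = defaultdict(list)
    for ev in events:
        by_corr[ev["correlation"]].append(ev)

    findings = []
    for corr, evs in by_corr.items():
        validated = None
        no_match = None
        for ev in evs:
            m = VALIDATED_RE.search(ev["message"])
            if m and ev["area"] == "LDAPCP":
                validated = {"claim_value": m.group(1), "claim_type": m.group(2)}
            m = NO_MATCH_RE.search(ev["message"])
            if m and m.group(2) == "True":
                no_match = {"login_name": m.group(1)}
        if validated and no_match:
            findings.append({
                "correlation": corr,
                **validated,
                **no_match,
                # Cause named in the coordinator's reply on this page.
                "hint": "role resolved by LDAPCP but rejected by SharePoint: "
                        "check the claim entity type (FormsRole vs SecurityGroup)",
            })
    return findings


def _uls(*fields):
    return "\t".join(fields)


ROLE_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
CORR_BAD = "e136ef9c-19ad-60c6-1679-9cc804d3da3f"          # from the post
CORR_OK = "00000000-0000-0000-0000-000000000002"           # constructed placeholder

# Constructed sample: the post's lines with tabs restored, plus one healthy request.
SAMPLE_ULS = "\n".join([
    _uls("03/03/2015 15:08:45.86", "w3wp.exe (0x33B0)", "0x44D0", "LDAPCP", "Claims Picking", "1337", "Medium",
         '[LDAPCP] Validated permission with LDAP lookup. Claim value: “AD GROUP NAME”, Claim type: "%s"' % ROLE_TYPE,
         CORR_BAD),
    _uls("03/03/2015 15:08:45.86", "w3wp.exe (0x33B0)", "0x44D0", "SharePoint Foundation", "Authentication Authorization", "ame4u", "Medium",
         "GetUserInfoFromMembershipProvider: ResolvePrincipal did NOT find a match. WebApp: ‘aff2819a-b9e6-4a96-86a6-8ef1c4e07534', LoginName: 'c:0-.t|tipname|ad group name’, bIsRole: 'True'.",
         CORR_BAD),
    _uls("03/03/2015 15:08:45.86", "w3wp.exe (0x33B0)", "0x44D0", "SharePoint Foundation", "General", "8kh7", "High",
         "The user does not exist or is not unique.", CORR_BAD),
    _uls("03/03/2015 15:09:01.10", "w3wp.exe (0x33B0)", "0x44D0", "LDAPCP", "Claims Picking", "1337", "Medium",
         '[LDAPCP] Validated permission with LDAP lookup. Claim value: "OTHER GROUP", Claim type: "%s"' % ROLE_TYPE,
         CORR_OK),
    _uls("03/03/2015 15:09:01.10", "w3wp.exe (0x33B0)", "0x44D0", "SharePoint Foundation", "Authentication Authorization", "ame4y", "Medium",
         "GetUserInfoFromMembershipProvider: Returning result. WebApp: 'aff2819a-b9e6-4a96-86a6-8ef1c4e07534', LoginName: 'c:0-.t|tipname|other group', bIsRole: 'True', UserFound: 'True', UserKey: 'c:0-.t|tipname|other group'.",
         CORR_OK),
])

if __name__ == "__main__":
    for f in find_unresolved_roles(parse_uls(SAMPLE_ULS)):
        print(f"{f['correlation']}: role '{f['claim_value']}' -> {f['login_name']} ({f['hint']})")
```

Pointing `parse_uls` at a real ULS file (`open(path, encoding="utf-16")` on most farms) and filtering to the correlation ID shown on the "Sorry, something went wrong" page gives the same pairing the post had to assemble by hand.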
Coordinator
Mar 13, 2015 at 3:34 PM
Hello,
I checked the code and your scenario is interesting:
SharePoint explicitly requests that the identity resolved by the claims provider has entityType SecurityGroup (from enum type SPPrincipalType - https://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.utilities.spprincipaltype(v=office.15).aspx )
But by default LDAPCP uses FormsRole (from enum type SPClaimEntityTypes - https://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.administration.claims.spclaimentitytypes_members.aspx ) for the groups, and I bet this is what you are using for your group too.
So you should be able to fix your problem easily if you change to SecurityGroup (column is "claim entity type" in claims table page).
If you do this, can you please confirm if it works, and also let me know if you find any side effect with existing permissions?
On my side I'll evaluate if I should change the type of groups to be SecurityGroup by default, but also if I should use the SPPrincipalType enumeration instead of SPClaimEntityTypes; for now it's quite unclear.
Cheers,
Yvan