ADFS Claims Authentication, Configuring UPA and People Picker
Hi,
I am just trying to get my head around setting up ADFS to authenticate users along with allowing UPA (My Sites) and People Picker to work.
So, my environment is a WFE and an SQL Server offsite and my AD and ADFS 2.0 server onsite. We have configured SharePoint as below and applied the Claims Provider to my Intranet web app and My Sites web app, and I can log in with my account as [email protected] (UPN).
# Register the ADFS token-signing certificate as a trusted root authority
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("E:\ADFS_SelfSigned.cer")
New-SPTrustedRootAuthority -Name "ADFS Self Signed" -Certificate $cert
# Map the incoming SAML claims; UPN is used as the identifier claim
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Account ID" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# Realm (relying party identifier) for the Intranet web app and the ADFS passive sign-in endpoint
$realm = "https://intranet.domain.com.au/_trust/"
$signinurl = "https://adfs01.domain.com.au/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "My Custom Identity Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
# Second realm for the My Sites web app: ProviderRealms is keyed by the web application URL,
# and the value is the realm sent to ADFS (no leading space, it must match the relying party exactly)
$uri = New-Object System.Uri("https://mysites.domain.com.au")
$ap.ProviderRealms.Add($uri, "https://mysites.domain.com.au/_trust/")
$ap.Update()
iisreset
When trying to configure a new synchronisation connection (Active Directory Import) under the User Profile Service Application, I get an error saying it can't connect to the Domain Controller, which would make sense as they are not on the same domain.
I believe that MS have a sync utility that works with Office365/MS Cloud - is there a similar solution available for my configuration?
AD import still uses LDAP/ADSI... ADFS cannot be used DIRECTLY as a sync source, since it is NOT a QUERYABLE technology. It is an AUTHENTICATION technology. UPS syncs to a QUERYABLE data source like LDAP/ADSI, and maps one of the properties to the ADFS login (most people choose email or UPN, though I tend to recommend SID for various reasons).
Also, since the people picker displays a SEARCH window, and since ADFS is not a QUERYABLE technology, the people picker (by default) ASSUMES that whatever you type in will be VALID. You can SEARCH the UPS, but if you type an email address or something of that nature, it is NOT going to SEARCH your directory! To address this, you need to install a custom Identity Provider... one is available on CodePlex, which performs an LDAP search against the domain controller... if that's not an option, you need a custom coded solution.
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs
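Scott's point above, as an added example that is not part of the original thread: with a SAML trusted provider, New-SPClaimsPrincipal turns any string into a claims identity and New-SPUser will happily grant it permissions, so the only place to catch a typo, a disabled account or a deliberately crafted value is a lookup against a queryable directory before the permission is granted. The script below does that lookup over LDAP with the filter value escaped as RFC 4515 requires, refuses ambiguous or disabled accounts, and then builds the claims principal from the value AD actually holds rather than from what was typed. The provider name "SAML Provider" comes from the script in the question; the domain controller path, lookup account, site URL and UPN are hypothetical placeholders, and it assumes the WFE can reach a domain controller, which the poster says is not the case for their offsite WFE.

```powershell
# Added example, not code from the thread. The DC path, lookup account, site URL
# and UPN used below are hypothetical placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value, so a typed value
    # such as "*" or "x)(objectClass=*" cannot widen the search (LDAP filter injection).
    # Backslash must be replaced first, otherwise the escapes themselves get re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-AdUserByUpn {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$LdapPath,   # hypothetical, e.g. LDAP://dc01.domain.com.au/DC=domain,DC=com,DC=au
        [System.Management.Automation.PSCredential]$Credential   # read-only lookup account
    )
    $root = if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $Upn)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userPrincipalName', 'userAccountControl'))
    $searcher.SizeLimit = 2                                 # enough to detect an ambiguous match
    $hits = @($searcher.FindAll())
    if ($hits.Count -ne 1) { return $null }                 # no such account, or more than one
    $props = $hits[0].Properties
    # Bit 0x2 of userAccountControl is ACCOUNTDISABLE: never create a SharePoint identity for it
    if (([int]$props['useraccountcontrol'][0] -band 0x2) -ne 0) { return $null }
    [pscustomobject]@{ Upn = [string]$props['userprincipalname'][0] }
}

function Add-ValidatedSamlUser {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$WebUrl,
        [Parameter(Mandatory)][string]$LdapPath,
        [System.Management.Automation.PSCredential]$Credential,
        [string]$ProviderName = 'SAML Provider'             # name given to New-SPTrustedIdentityTokenIssuer above
    )
    $adUser = Find-AdUserByUpn -Upn $Upn -LdapPath $LdapPath -Credential $Credential
    if (-not $adUser) {
        throw "No single enabled AD account has UPN '$Upn'; refusing to create a claims identity for it."
    }
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $ProviderName
    # Build the principal from the value AD holds, not from what was typed. The claim type
    # is the issuer's identifier claim (UPN in the script above).
    $claim = New-SPClaimsPrincipal -Identity $adUser.Upn -TrustedIdentityTokenIssuer $issuer
    # SharePoint stores the encoded claim string as the login name
    New-SPUser -UserAlias $claim.ToEncodedString() -Web $WebUrl
}

# Usage (hypothetical values):
# $cred = Get-Credential 'DOMAIN\svc-sp-lookup'
# Add-ValidatedSamlUser -Upn 'jsmith@domain.com.au' -WebUrl 'https://intranet.domain.com.au' `
#     -LdapPath 'LDAP://dc01.domain.com.au/DC=domain,DC=com,DC=au' -Credential $cred
```

The lookup account only needs read access to user objects; keep it separate from the farm account so the credential stored with any people-picker forest entry cannot be turned into farm-level access if it leaks.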
Similar Messages
-
Issue with Anonymous Authentication and People Picker and reports
Hello,
We are having an issue with sharepoint 2013 where we have reports that get published to sharepoint via visual studio and we use the people picker for different list.
The overall issue is SSRS does not work if Anonymous Authentication is enabled which caused this error when trying to publish a report:
The permissions granted to user 'NT AUTHORITY\ANONYMOUS LOGON' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException:
The permissions granted to user 'NT AUTHORITY\ANONYMOUS LOGON' are insufficient for performing this operation
However, if we disable Anonymous Authentication, the people picker search option does not work and we get there error:
Sorry, we're having trouble reaching the server.
I found this web blog on a solution, https://blog.karstein-consulting.com/2014/02/18/sharepoint-2013-people-picker-error-sorry-were-having-trouble-reaching-the-server/
however this did not work.
Does anyone have any other suggestions?
Hi JCrescenzo,
Please try to get the property of the people picker; perhaps there is a rule implemented in your environment:
stsadm -o getproperty -propertyname peoplepicker-searchadcustomfilter -url http://site_collection_url
If yes, clear it by running:
stsadm -o setproperty -propertyname peoplepicker-searchadcustomfilter -propertyvalue " " -url http://site_collection
There are two similar posts, please check if they are useful for you:
https://social.technet.microsoft.com/Forums/en-US/621d439b-f2eb-4dc2-8797-eb7f2f3996e4/people-picker-returning-search-filter-is-invalid-in-uls-log-when-searching-for-users?forum=sharepointgeneralprevious
https://gavinmckay.wordpress.com/2011/07/15/troubleshooting-sharepoint-2010-claims-based-authentication-with-active-directory-lightweight-directory-services-ad-lds/
Best Regards,
Wendy
Wendy Li
TechNet Community Support -
WSS 3.0 and people picker "No exact match was found"
We have installed WSS 3.0 in a farm environment with several Web Applications and Top Level Site Collections. After running the stsadm.exe -o setproperty -pn "peoplepicker-searchadforests" …. command, we get the error message "No exact match was found" when using WSS 3.0 Central Administration to create Site Collection Administrators by writing <ad name>\<uid>. Using the Address Book gives the error message "There was an error in the callback". Creating users from IE works. Does somebody know how to solve our problem?
Hello,
The cause of your issue is that you are using the People Picker to add users across domains. If you want to get the people picker working, you need to run the following commands on the SharePoint server:
A. stsadm.exe -o setapppassword -password <somekey> - this command sets the key used to encrypt/decrypt the stored credentials
B. stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv <list of forests or domains> -url <webapp> - this command sets the property for a specific web application.
After running both commands above, run IISRESET to see if it works.
If the problems still exist, please feel free to let me know.
Regards,
Jerry
Xing-Bing Yu -
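The stsadm properties in Wendy's and Jerry's replies above (peoplepicker-searchadcustomfilter, setapppassword and peoplepicker-searchadforests) all map onto the per-web-application SPPeoplePickerSettings object. The PowerShell below is an added example, not code from either post: it reports the settings that decide what the picker will resolve, clears a stray custom filter, and adds a trusted forest with a dedicated lookup account the way searchadforests does. It assumes SharePoint 2010 or later (the object model is the same in WSS 3.0, but the Get-SPWebApplication cmdlet is not available there), and the web application URL, forest name and account in the usage lines are hypothetical.

```powershell
# Added example (not from either post). Object-model equivalent of the stsadm
# people picker properties discussed above. URLs, forest and account are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PeoplePickerReport {
    # One row per web application. A non-empty custom filter is the usual reason a
    # search that works against AD returns nothing in the picker; an unexpected
    # forest entry means someone stored a lookup credential you did not know about.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        $pp = $wa.PeoplePickerSettings
        $domains = foreach ($d in $pp.SearchActiveDirectoryDomains) {
            $kind = if ($d.IsForest) { 'forest' } else { 'domain' }
            $who  = if ($d.LoginName) { " as $($d.LoginName)" } else { ' (app pool identity)' }
            "${kind}:$($d.DomainName)$who"
        }
        [pscustomobject]@{
            WebApplication   = $wa.Url
            CustomFilter     = $pp.ActiveDirectoryCustomFilter
            CustomQuery      = $pp.ActiveDirectoryCustomQuery
            OnlyWithinSite   = $pp.OnlySearchWithinSiteCollection
            SearchTimeoutSec = $pp.ActiveDirectorySearchTimeout.TotalSeconds
            Domains          = ($domains -join '; ')
        }
    }
}

function Clear-PeoplePickerCustomFilter {
    # Same effect as setting peoplepicker-searchadcustomfilter to an empty value
    param([Parameter(Mandatory)][string]$WebAppUrl)
    $wa = Get-SPWebApplication $WebAppUrl
    $wa.PeoplePickerSettings.ActiveDirectoryCustomFilter = ''
    $wa.Update()
}

function Add-PeoplePickerForest {
    # Equivalent of peoplepicker-searchadforests with an explicit lookup account.
    # The password is stored encrypted under the farm's application credential key,
    # so stsadm -o setapppassword must already have been run on every server in the farm.
    param(
        [Parameter(Mandatory)][string]$WebAppUrl,
        [Parameter(Mandatory)][string]$ForestName,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$LookupAccount
    )
    $wa = Get-SPWebApplication $WebAppUrl
    $entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
    $entry.DomainName = $ForestName
    $entry.IsForest   = $true
    $entry.LoginName  = $LookupAccount.UserName        # low-privilege, read-only account
    $entry.SetPassword($LookupAccount.Password)        # SecureString, never a plain-text string
    $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($entry)
    $wa.Update()
}

# Usage (hypothetical values):
# Get-PeoplePickerReport | Format-Table -AutoSize
# Clear-PeoplePickerCustomFilter -WebAppUrl 'http://intranet'
# Add-PeoplePickerForest -WebAppUrl 'http://intranet' -ForestName 'partner.example' -LookupAccount (Get-Credential 'PARTNER\svc-pp-lookup')
```

Run the report before and after any change; the stsadm getproperty call in Wendy's reply shows one property for one web application, whereas the report shows every setting that influences resolution for every web application in the farm.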
Created By field and Modified By field and People Picker field values are hidden to other Users
Hi,
We have a strange permission issue in one of the MOSS 2007 server farms. The users are not able to see each other's names in the "Created By" and "Modified By" column values in lists and libraries. For example, if "User A" creates an item in a list and "User B" opens that item, he cannot see the "Created By" and "Modified By" column values, and vice versa. But they can see their own name in "Created By" and "Modified By", just not others'. Both users have Contribute access to that list, so both can edit each other's data but cannot see each other's names.
This becomes a bigger issue if any of the lists has a people picker column, because then they cannot see that column value (if that column value is not his/her own name). This means this column value will always be empty for "User A" when that people picker value is anything other than "User A". This happens for all the lists and libraries.
Even when "User A" and "User B" are owners of that site, it behaves the same. But the site collection administrator can see "Created By" and "Modified By" for all items for all users.
It seems very strange for me. any help on this will be appreciated.
Thanks in advance,
Sanban
Hi,
You can try to create a new standard view, then select "Created By" and "Modified By" under Columns, apply this view, and finally check the effect.
Did you customize the permissions of the list or document library? Did you customize the permissions of the item? For example, break the permission inheritance from its parent. If so, try to inherit permissions from the parent again, then create a new standard view according to the steps above and check the effect.
By default, permissions on lists, libraries, folders, items, and documents are inherited from the parent site. However, you can break this inheritance for any securable object at a lower level in the hierarchy by editing the permissions on that securable object (that is, creating a unique permission assignment). For example, you can edit the permissions for a document library, which breaks the permissions inheritance from the site.
You can also try to create a new document library, then create a new document as User A, then log in as User B and check the effect.
For more information about SharePoint : page level permissions, please refer to the following article:
SharePoint : page level permissions
http://blogs.msdn.com/brettrobinson/archive/2009/04/24/sharepoint-page-level-permissions.aspx
For more information about control access to sites, please look into the following articles:
About controlling access to sites and site content
http://office.microsoft.com/en-us/sharepointtechnology/HA101001441033.aspx
Permission levels and permissions
http://office.microsoft.com/en-us/sharepointtechnology/HA101001491033.aspx
For more information about how to create a view, please refer to the following article:
Create or change a view
http://office.microsoft.com/en-us/help/HA100215771033.aspx
Hope this helps.
Rock Wang
Rock Wang– MSFT -
Hi Guys,
It would be very helpful to me if anyone could share a 3rd party solution for the above feature.
I found a solution, http://azurecp.codeplex.com/, which is really a very good solution and does what I want. As this is a critical requirement for my SharePoint, there needs to be a certain level of support (or call it Official Support) which is more justifiable at management level. Hence, please share if you happen to know one.
Cheng
Hi,
As you said, AzureCP is a third-party solution; it is a third-party tool.
https://azurecp.codeplex.com/releases/view/125008
Please Note: The third-party product discussed here is manufactured by a company that is independent of Microsoft. We make no warranty, implied or otherwise, regarding
this product's performance or reliability.
Please refer to the following articles about integrating SharePoint 2013 with Azure Active Directory:
Integrating SharePoint 2013 with Azure Active Directory – Part 1 Configuration
http://blogs.technet.com/b/speschka/archive/2013/05/10/integrating-sharepoint-2013-with-azure-active-directory-part-1-configuration.aspx
Using Microsoft Azure Active Directory for SharePoint 2013 authentication
http://technet.microsoft.com/en-us/library/dn635311(v=office.15).aspx
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Image Picker and People Picker secret
Hi again
For some time I have been trying to get rid of the 'Cancel' button in UIImagePicker and ABPeoplePickerNavigationController. Even though I previously managed to remove unnecessary stuff from ABPeoplePickerNavigationController, it looks like removing the 'Cancel' button is beyond my skills. No matter what I do, the cancel button is displayed on the navigation bar. I tried to set RightBarButtonItem (or whatever the name is) to nil for the appropriate view controllers (or should I say their navigation items), but still no effect. I tried to change that in the init method, in viewWillAppear and every other place that might have worked, but it did not.
This is kind of strange, because when I needed to remove the Groups view from ABPeoplePickerController, I simply gained access to the viewControllers array inside the viewWillAppear method, substituted it with my custom array, and it worked.
Any help is greatly appreciated
There's a posting that will help you on this, but I couldn't find it.
Here's the code that works
Make sure you set the delegate (not the peoplePickerDelegate) to the class in which you override the navigationController:willShowViewController:animated: method.
- (void)navigationController:(UINavigationController *)navigationController willShowViewController:(UIViewController *)viewController animated:(BOOL)animated
{
    // Replace the right bar button (the Cancel button) with an empty custom view
    UIView *custom = [[UIView alloc] initWithFrame:CGRectMake(0, 0, 0, 0)];
    UIBarButtonItem *btn = [[UIBarButtonItem alloc] initWithCustomView:custom];
    [viewController.navigationItem setRightBarButtonItem:btn animated:NO];
    // Manual reference counting: the navigation item retains the button, so release our references
    [btn release];
    [custom release];
} -
People Picker/Edit Web Parts/More not working in IE11
So, we just installed IE11 in our company and found the following issues with SharePoint 2010:
People Picker not working
At Search site, when you type in string(s) and hit Enter, nothing happens (you must click the search button)
Cannot edit web parts on Wiki Page
After doing some exhaustive homework (and installing Sep 2014 CU to see they were fixed), the only 2 solutions are:
Run in compatibility Mode
Fix the below tag in the Master Page and People Picker headers (14 hive)
meta http-equiv="X-UA-Compatible" content="IE=8"
So, I just want to know if others have encountered this and what they did to resolve (compatibility mode or change the tags or other).
I have a ticket open with Microsoft, we installed Sept 2014 CU, and are still having these 3 issues.
Godspeed,
Herschel
Hi,
Thanks for posting your issue,
We know that IE11 has compatibility issues. Kindly follow the steps below to solve this issue:
1. Install all the latest updates for IE 11
2. Add the site in Compatibility Mode (Tools > Compatibility View settings > type site name > Add)
3. Add the site to Trusted Sites and set the security zone level to Low (IE > Internet Options > Security > Trusted sites > Sites > add your site there > OK > Custom level > select Low > Reset > OK)
Also, browse the below mentioned URLs for more details to fix this issue.
http://www.proactivespeaks.com/2013/09/12/fixing-sharepoint-compatibility-issues-with-internet-explorer-ie-9-and-ie-10/
http://saiabhilash.blogspot.in/2012/12/people-picker-to-add-users-to.html
http://sinclairinat0r.com/2014/02/25/sharepoint-2010-people-picker-and-workflow-compatibility-fixes-for-ie10ie11/
I hope this is helpful to you, mark it as Helpful.
If this works, Please mark it as Answered.
Regards,
Dharmendra Singh (MCPD-EA | MCTS)
Blog : http://sharepoint-community.net/profile/DharmendraSingh -
Hi there,
I get this error when I perform a DB Attach upgrade from SharePoint 2010 to SharePoint 2013.
"web application is configured with claims authentication mode however the content database you are trying to attach is intended to be used against a windows classic authentication mode."
Any help is appreciated. Thanks.
There is another way of fixing this issue, apart from what Amit mentioned. Create a classic-mode web application in SP 2013 using PowerShell.
New-SPWebApplication -Name "TestApplication" -ApplicationPool "TestApplicationAppPool" -AuthenticationMethod "NTLM" -ApplicationPoolAccount (Get-SPManagedAccount "sppoc\spfarm") -Port 100 -URL "http://sp2013demo"
Now mount the content database from SP 2010 on to the web application created above
Mount-SPContentDatabase WSS_Content_100 -DatabaseServer SQL2012Demo -WebApplication http://sp2013demo:100
Once the mount is complete, convert the web application to use claims and migrate the user to use claims identity.
Convert-SPWebApplication -Identity "http://sp2013demo:100" -To Claims -RetainPermissions -Force
$w = Get-SPWebApplication "http://sp2013demo:100"
$w.MigrateUsers($True)
See my blog post about it: http://www.sharepointnadeem.com/2014/01/upgrade-from-sharepoint-2010-classic.html
Please remember to up-vote or mark the reply as answer if you find it helpful. -
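A check to run after the Convert-SPWebApplication / MigrateUsers steps above, added here as an example and not part of Nadeem's post: it confirms the web application really is in claims mode and lists any site user whose login is still a classic DOMAIN\user string, i.e. a permission entry that no one can log in as any more and that will be missed by a later review of who has access. The URL in the usage line is the hypothetical one from the post; SHAREPOINT\system is skipped because it legitimately keeps its classic form.

```powershell
# Added example (not from the post). Post-migration check for a web application that
# was mounted in classic mode and then converted to claims. URL below is hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-ClaimsMigration {
    param([Parameter(Mandatory)][string]$WebAppUrl)

    $wa = Get-SPWebApplication $WebAppUrl
    if (-not $wa.UseClaimsAuthentication) {
        throw "$($wa.Url) is still in classic mode; run Convert-SPWebApplication -To Claims first."
    }

    # Claims logins are encoded: i:0... for users, c:0... for groups and roles.
    # Anything else is a classic Windows login that MigrateUsers did not convert.
    $classicLogin = '^(?!i:0|c:0)'
    $skip = @('SHAREPOINT\system')

    foreach ($site in $wa.Sites) {
        try {
            foreach ($user in $site.RootWeb.SiteUsers) {
                if ($user.LoginName -match $classicLogin -and $skip -notcontains $user.LoginName) {
                    [pscustomobject]@{
                        Site        = $site.Url
                        LoginName   = $user.LoginName
                        DisplayName = $user.Name
                        IsSiteAdmin = $user.IsSiteAdmin   # an unmigrated site admin is the entry to fix first
                    }
                }
            }
        } finally {
            $site.Dispose()                                # SPSite objects are unmanaged; always dispose
        }
    }
}

# Usage: any output means the migration left users behind.
# Test-ClaimsMigration -WebAppUrl 'http://sp2013demo:100' | Format-Table -AutoSize
```

Any account the check reports can either be re-migrated or removed; leaving it in place keeps a permission assignment that the claims provider can never match against a real login, which is the kind of orphaned entry that gets overlooked during access reviews.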
When I add a people picker (user column) in a Word document (in the document template) and try to add a name, it gets stuck!
Is it a known issue?
keren tsur
Hi,
According to your description, I have tested in my environment and I see the same behavior.
It only gets stuck if you type the wrong name the first time, then click the phone book to search for the right name and save. That means that if you do another operation (e.g. type the wrong name, then click the "resolve" button, then search in the phone book) and repeat the operation above, it won't get stuck.
It would be appreciated if you could submit feedback to Microsoft:
https://connect.microsoft.com/
Thanks,
Dean Wang
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
In Mac Mail on OS 10.5.8 I am receiving bogus emails which claim to be sent by people in my address book, but actually are not. How does this happen and how can I correct this problem?
You said:
I am receiving bogus emails which claim to be sent by people in my address book, but actually are not.
...and:
Are you saying that my address book has not been hacked into? That others are getting these email addresses from another source?
This confuses me. Are you saying that you are receiving bogus e-mails from some of your contacts, or are you saying that they are receiving bogus e-mails from you?
If the latter, there are a number of reasons that people might be getting e-mail from you. Malware, though technically possible, is extremely unlikely. See Someone is sending messages from my e-mail address!
If the former, that's rather unusual. The only decent explanation I can think of is that a bunch of your Windows-using contacts got infected with something and their machines are being used to spam everyone in their contact lists, which would include you. -
People picker does not return users on Safari 7.0.6 and later.
Hi all,
I noticed that the People Picker has an issue on Safari 7.0.6 and later. When adding a new user, the wheel just spins forever. But it works in other browsers. Does anyone have the same issue, or is it just me? Any ideas?
Thanks in advance!
Hi Soni,
You may try this and let us know if this fix the issue.
First, locate the server that hosts the site with the Safari issue. Track down the "compat.browser" file: inetpub\wwwroot\wss\VirtualDirectories\<web application name>\App_Browsers
Make a copy of "compat.browser" and rename the copy to a .bak file.
Open "compat.browser" with Notepad and locate:
<browser id="Safari2" parentID="Safari1Plus">
<controlAdapters>
<adapter controlType="System.Web.UI.WebControls.Menu" adapterType="" />
</controlAdapters>
</browser>
Copy the XML below and paste it right below the block above:
<browser refID="Safari60">
<controlAdapters>
<adapter controlType="System.Web.UI.WebControls.Menu" adapterType="" />
</controlAdapters>
</browser>
The change must be made on all WFE servers.
Then recycle the app pool for the site.
Hope this answers your question.
Vinh_MD -
Returning Name and Username from People Picker Field in Visual Web Part
Dear All
I am creating a visual web part that displays a list that I have created in SharePoint. One of the fields in the list is a People & Groups column type (People Picker) called 'Presented by'. In my web part, I would like to display the username and
the name of the person who has been 'picked' in this field. However, using <%# Eval("Presented by") %> only displays their name. How do I get this field to also return their username?
Many thanks for your help
Daniel
You can use this code; change it according to your needs:
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;

// Resolve every account selected in a PeopleEditor control (peoplePickerEmployee) to an SPUser
string[] usersSeparated = peoplePickerEmployee.CommaSeparatedAccounts.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
foreach (string user in usersSeparated)
{
    // EnsureUser adds the account to the site's user information list if it is not there yet
    // and returns the SPUser, so the ID, login name and display name can be read from it
    SPUser spUser = SPContext.Current.Web.EnsureUser(user.Trim());
    int requestForUserID = spUser.ID;
    string requestForUserLoginName = spUser.LoginName;
    string requestForUserName = spUser.Name;
}
Mark ANSWER if this reply resolves your query, If helpful then VOTE HELPFUL
INSQLSERVER.COM
Mohammad Nizamuddin -
Configuring Basic Authentication with Username and password on BizTalk Schema Service
Hi,
I have published my schema as a webservice with WCF-BASICHTTP adapter in IIS 8.0.
I wanted to have a Basic Authentication(User name and password restriction).
I made the Receive Location with Security mode as Transport and Transport Client Credential Type as Basic.
I also set the Service in IIS with Basic Authentication only enabled.
But I don't know how to provide a UserName and Password Authentication.
Please provide your suggestions
Regards, Vignesh S
Hi,
Try and go through the MSDN link below, as it explains configuring the WCF BasicHttp adapter very well.
http://msdn.microsoft.com/en-us/library/bb246064(v=bts.80).aspx
HTH,
Sumit
Sumit Verma - MCTS BizTalk 2006/2010 - Please indicate "Mark as Answer" or "Mark as Helpful" if this post has answered the question -
People Picker field and Web service -- multiple round trips to get Display Name value
Using Sharepoint 2010 and Infopath 2010, I have created a form that validates fields entered within the form by connecting to a .Net web service created by someone else. One of the fields that I need to validate is a People Picker field
for the Project Manager.
The connection to the Web Service runs correctly except that the People Picker goes through the validation process 3-4 times. I know this because I have a MessageBox showing the value for the InnerXML that pops up 3 times. The
first time the MessageBox shows no value for the XML, the next time it shows a name, and the 3rd time it shows no value.
Here is the code I'm using in the Infopath form (without the Messagebox):
Dim wsConnection As WebServiceConnection = DirectCast(Me.DataConnections("Validate"), WebServiceConnection)
Dim formNavigatorProjectManager As XPathNavigator = MainDataSource.CreateNavigator()
Dim wsNavigatorProjectManager As XPathNavigator = Me.DataSources("Validate").CreateNavigator()
' Read the DisplayName element of the People Picker field from the main data source
Dim strformNavProjectManager As String = formNavigatorProjectManager.SelectSingleNode("/pr:properties/p:properties/documentManagement/ns3:ProjectManager/ns3:UserInfo/ns3:DisplayName", NamespaceManager).InnerXml
' Copy it into the web service query field and call the service
wsNavigatorProjectManager.SelectSingleNode("/dfs:myFields/dfs:queryFields/ns7:Validate/ns7:projectManager", NamespaceManager).SetValue(strformNavProjectManager)
wsConnection.Execute()
The strformNavProjectManager line above used to have just /pr:properties/p:properties/documentManagement/ns3:ProjectManager
but I thought my problem might be because People Picker fields are made up of 3 elements -- DisplayName, AccountID and AccountType. So I changed the XML. Sadly, that didn't make any difference.
I am using the CHANGED event which a colleague of mine thought would have taken care of the multiple round trips. But it didn't.
Hopefully someone out there can tell me what I need to do so that this People Picker field only gets validated once. (The form also has Managed Metadata fields that have very similar problems, so I'm hoping that the solution for the People Picker field takes care of the MMD fields too.) Thanks in advance. Carol.
Hi Carol,
That is the behavior when setting a People/Group field if you just select the node "/dfs:myFields/dfs:queryFields/ns7:Validate/ns7:projectManager".
Also you can try to only set the AccountID value of the People/Group field:
Dim wsConnection As WebServiceConnection = DirectCast(Me.DataConnections("Validate"), WebServiceConnection)
Dim formNavigatorProjectManager As XPathNavigator = MainDataSource.CreateNavigator()
Dim wsNavigatorProjectManager As XPathNavigator = Me.DataSources("Validate").CreateNavigator()
' Read only the AccountID element of the People Picker field
Dim strformNavProjectManagerID As String = formNavigatorProjectManager.SelectSingleNode("/pr:properties/p:properties/documentManagement/ns3:ProjectManager/ns3:UserInfo/ns3:AccountID", NamespaceManager).InnerXml
' Set only the AccountID of the People/Group query field, not the whole projectManager node
wsNavigatorProjectManager.SelectSingleNode("/dfs:myFields/dfs:queryFields/ns7:Validate/ns7:projectManager/ns7:userinfo/ns7:AccountID", NamespaceManager).SetValue(strformNavProjectManagerID)
wsConnection.Execute()
Thanks,
Eric
Forum Support
Please remember to mark the replies as answers
if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Eric Tao
TechNet Community Support -
Hi,
We have integrated SCCM and SCOM with SCSM to import the CI information into the CMDB.
We are able to import some CI information from SCCM regarding software, OS, etc., and from SCOM regarding hardware and discovered objects.
When we open the Computer CI in SCSM, we are able to relate almost all the fields from SCCM and SCOM except the Related Items tab.
The Configuration Items: Computers, Services and People are empty under the Related Items tab on the Computer CI form.
Kindly please help me to understand regarding this related items tab.
Any help will be very much appreciated.
Thanks
Kumaresan Lakshmanan
Hi,
The Related Items is not automatically populated by any out-of-box connector. You can manually add related configuration items there. What were you expecting to show up under this section?
Regards,
Dieter