
yvand / ldapcp


A claims provider to connect SharePoint Subscription / 2019 / 2016 with Active Directory and LDAP directories in federated authentication

Home Page: https://ldapcp.com

License: Apache License 2.0

C# 86.02% Gherkin 0.74% ASP.NET 13.24%
claims-provider people-picker sharepoint

ldapcp's People

Contributors: yvand


ldapcp's Issues

Group Augmentation fails with email and AD

When requestInfo.IncomingEntity.Value type is email

adUser = UserPrincipal.FindByIdentity(principalContext, requestInfo.IncomingEntity.Value)

FindByIdentity always returns null

Results Not showing - 2016

We have installed LDAPCP on our SP2016 Farm, but when we attempt to add a user via their display name, we are told that there is 1 result, but nothing is returned

[screenshot]

It works fine if you add the user via their SAMAccountName.

Configuring an OU for groups augmentation not possible

Scenario:

  • We connect to a sub OU in the LDAPCP general settings to show only people from the employees OU in the people picker:
    company.ch/users/employees
  • The AD claims provider is set to invisible
  • We don't want to include another OU: company.ch/users/students
  • We need groups augmentation but the groups are not in the employees OU

Problem:

  • We can't find groups because they are not in the employees OU

Workaround:

  • We changed the OU to users root (company.ch/users) and configured filters to exclude users from students OU

Request:

  • We'd like to configure a separate LDAP base DN to query AD groups for augmentation.

CN or DisplayName

Does anyone know how to properly import the claim of DisplayName? I have ADFS sending Display-Name, but the people picker keeps showing the UPN in the window. If I hover over the account, it is also showing the cn=(user's full name), which is what I want, but how do I have the people picker show the Display Name there?

Issue with the Claim Augementation

Hi,

there is a subtle issue with the method "Augment" for the Claims Augmentation. If a WebApplication has multiple different authentication methods, e.g. Windows, Forms & ADFS, the method FillClaimsForEntity will be called with different kinds of identities, at the latest when a token is re-issued after 1 hour. This in turn calls Augment for the heavy lifting, which in turn calls "RunWithElevatedPrivileges" as its first action.
This call will result in a call to FillClaimsForEntity if the user is not a Windows user, e.g. a Forms user, creating an infinite loop resulting in a Stack Overflow.

Eduard

Proposal to the error: While trying to retrieve the authorization groups, an error (5) occurred.

.NET Framework 4.7 installed.

Error
[LDAPCP] Unexpected error while getting AD group membership of user [UPN OF USER] in LDAP://DC=bla,DC=ch using UserPrincipal.GetAuthorizationGroups(). This is likely due to a bug in .NET framework in UserPrincipal.GetAuthorizationGroups (as of v4.6.1), especially if user is member (directly or not) of a group either in a child domain that was migrated, or a group that has special (deny) permissions.: System.DirectoryServices.AccountManagement.PrincipalOperationException: While trying to retrieve the authorization groups, an error (5) occurred., Callstack:
at System.DirectoryServices.AccountManagement.AuthZSet..ctor(Byte[] userSid, NetCred credentials, ContextOptions contextOptions, String flatUserAuthority, StoreCtx userStoreCtx, Object userCtxBase)
at System.DirectoryServices.AccountManagement.ADStoreCtx.GetGroupsMemberOfAZ(Principal p)
at System.DirectoryServices.AccountManagement.UserPrincipal.GetAuthorizationGroupsHelper()
at ldapcp.LDAPCP.GetGroupsFromADDirectory(DirectoryEntry directory, RequestInformation requestInfo, AttributeHelper groupAttribute)

Solution
Give the account that accesses the AD the rights to the TGGAU as described here: https://support.microsoft.com/en-us/help/331951/some-applications-and-apis-require-access-to-authorization-information

Proposal
The client's AD guys didn't like to give these permissions. Maybe there exists another way to get the groups. It would be very nice if the permissions of the UPS sync account (replicate directory changes) would suffice. Maybe you could just add the KB article to the error message.

don't expect LDAPCP results for a web application

I'm sorry if this is something simple I have overlooked.

We've been using LDAPCP for a few years with 2 web applications that use ADFS in non-default zones. The people picker has been working perfectly. Recently, we've added a new web application that uses only windows authentication in the default zone. It has only the 1 zone.

From this new web app, when I use the people picker, I see results from AD as well as LDAPCP. The web app definitely does not have the ADFS Identity Provider enabled. I expected to only see the AD results. I checked an existing web app in the default zone (no ADFS enabled) and I also get LDAPCP results in the people picker.

Is this expected? Is there something that I might be overlooking? I don't have the latest version of LDAPCP installed. My version was from codeplex back in 2015.

Hopefully my question makes sense.

Modifying LDAPCP mapping with powershell

Hello Yvan,

Is it possible to modify LDAPCP Claim mapping with powershell, if yes can you share some example commands. We are basically trying to edit the current mappings of type "Add a LDAP attribute to query and specify claim type of the permission". Awaiting your reply. Thanks.

Claim provider with name LDAPCP does not exist.

The solution was deployed globally correctly, but when I do this
$tokenIssuerName = "ADFS"
$trust = Get-SPTrustedIdentityTokenIssuer -Identity $tokenIssuerName
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

I'm getting this error:
Claim provider with name LDAPCP does not exist.

LDAPCP.wsp

Hi Yvand, is there a way for me to get the wsp for SharePoint 2010?

Augmentation with Ldap Issue

Hello

I have an issue with the augmentation with an LDAP server (not AD).
I have unchecked the box "This is an Active Directory server, use UserPrincipal.GetAuthorizationGroups".

But the augmentation doesn't work and I get this ULS error; LDAPCP tries the AD method:

[LDAPCP] Unexpected error while getting AD group membership of user XXXXXXX in LDAP://xxxxxx:636/ou=XXX,o=XXX using UserPrincipal.GetAuthorizationGroups(): System.Runtime.InteropServices.COMException: Unknown error (0x80005000), Callstack:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)
at ldapcp.LDAPCP.GetGroupsFromADDirectory(DirectoryEntry directory, RequestInformation requestInfo, AttributeHelper groupAttribute)

Thanks for your help

Create "linked to identity claim" entry for different LDAP class

Hello,

I am trying to configure LDAPCP to search users in an LDAP directory. In this directory, user objects do NOT have the attribute "objectClass = user". They do have other classes, for instance "objectClass = person".

LDAPCP by default will create queries such as this one:
(&(objectclass=user)(displayName=john*))

This returns 0 results obviously, because no users have this objectclass. So I'm trying to create this query instead:
(&(objectclass=person)(displayName=john*))

But I don't understand how I can create this rule using the GUI. There seems to be no option to create additional "linked to identity claim" rules.

Am I missing something?

Matthieu

Note: my alternative would be to change the code: modify the GetDefaultAttributesList() in class LDAPConfig.cs.

(emailAddress) claim only works

Hi there,
We are using SharePoint 2013 with your fab product. ADFS works fine and so does LDAPCP.
When I choose a user in the people picker, all I can get to work is (email address) [email protected]. If I add the user as UPN then it does add, but the user cannot get their permission? Have you heard of this before?

Thanks, Jason.

Assigning SharePoint permission using other attributes with LDAPCP

Hello @Yvand ,

We need your suggestion on below:

Scenario:
We have some SharePoint sites that are accessible to all in the organization as well as accessible to external users via default group 'Everyone'

Requirement:
Now there are some sites that shouldn't be accessible to external users, but should be accessible to members within the organizations. For this case the default group of Everyone doesn't help.

We know permission in SharePoint can be assigned via userID, Security AD group or default group like Everyone.

We would like to know if it is possible to assign permission on SharePoint based on “OUs”, “AD attribute” or “Wildcards” using LDAPCP.

Examples:

  1. Assign permissions to all users of a particular OU. If there are different OUs for employees and external users.
  2. Allow access to all users who have AD attribute “employeeType=Employee”
  3. Allow access to all users who have userid starting with “X-****”

Awaiting your reply. Thanks.

Unexpected error in AugmentEntity

I'm getting the following error on one of my two frontends, tried updating to the LDAPCP v2017-10 version but still having the same issues. Any (easy) fixes I could try?

Unexpected error in AugmentEntity: System.Runtime.InteropServices.COMException: Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX))., Callstack:
at System.DirectoryServices.ActiveDirectory.DirectoryEntryManager..ctor(DirectoryContext context)
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at ldapcp.LDAPCP.GetLDAPServers(RequestInformation requestInfo)
at ldapcp.LDAPCP.<>c__DisplayClass46_0.b__0() 653e729e-ad54-00a4-8c3b-e676486ce57a

Should Results Autocomplete Just as with NTML?

I'm a big fan of this tool. I'm using it to implement SSO in our organization via ADFS. I have a couple of questions that I'm not sure are issues, but could be misconfiguration.

  1. I'm having trouble with showing results in people pickers. It shows my result if I type it in exactly, but it does not auto-populate results (i.e. "Josh") - there are several Joshes, but not even mine pops up in results. I have to type in my full name as it is shown in Display Name, or my exact GID. Then it shows my 1 result.
     [screenshot: capture1]

[screenshot: capture]

  2. As you can see in the 2nd screenshot above, I'm not getting the Display Name where it should show. It's showing email instead. How can I change this to show the DisplayName?

Possible encoding problem with groups

We recently made it possible for users to search/grant access on the basis of groups. For some groups it works like a charm, but others were not found.

It seems all groups starting with 0-9 or A-F after the \ character (corresponding to valid ASCII characters) cannot be searched, as soon as one starts to type a letter after the \ character. This looks like a problem with the escaping/encoding of the \ character. Is it possible to fix this issue?

Example:
groups with the name xy\ba-* exist and can be found and used by typing "xy", but as soon as one types "xy\b" they disappear.
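The escaping problem described in this post, together with the (objectclass=...)(displayName=john*) query shape quoted in the "linked to identity claim" post above, as an added example that is not LDAPCP's own code: it builds that filter shape with the typed value escaped per RFC 4515, so a backslash in a group name such as xy\b goes out as \5c instead of starting a two-digit hex escape. LdapFilterBuilder and its method names are hypothetical, and the sample inputs are constructed.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not LDAPCP's own code. Builds an LDAP search filter of the shape
// LDAPCP logs, "(| (&(objectclass=user)(displayName=john*)) )", with the typed
// value escaped per RFC 4515 so it can never change the structure of the filter.
public static class LdapFilterBuilder
{
    // Escape one assertion value for use inside a filter (RFC 4515 section 3).
    // Works on the UTF-8 bytes so multi-byte characters are emitted as \XX
    // sequences instead of being passed through raw.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            switch (b)
            {
                case 0x5c: sb.Append(@"\5c"); break; // backslash: the case in this post
                case 0x2a: sb.Append(@"\2a"); break; // '*' would otherwise be a wildcard
                case 0x28: sb.Append(@"\28"); break; // '('
                case 0x29: sb.Append(@"\29"); break; // ')'
                case 0x00: sb.Append(@"\00"); break; // NUL
                default:
                    if (b < 0x20 || b > 0x7e)
                        sb.Append('\\').Append(b.ToString("x2")); // control or non-ASCII byte
                    else
                        sb.Append((char)b);
                    break;
            }
        }
        return sb.ToString();
    }

    // Attribute names have no escape syntax, so only a plain attribute description
    // is accepted (a letter followed by letters, digits or hyphens).
    private static readonly Regex AttributeName = new Regex("^[A-Za-z][A-Za-z0-9-]*$");

    // objectClass and attribute come from configuration (e.g. "person" instead of
    // "user" for a non-AD directory, as asked in the post above); input is what the
    // user typed in the people picker; prefixSearch appends the trailing wildcard.
    public static string BuildSearchFilter(string objectClass, string attribute, string input, bool prefixSearch)
    {
        if (!AttributeName.IsMatch(attribute))
            throw new ArgumentException("Not a valid LDAP attribute name.", nameof(attribute));
        string value = EscapeFilterValue(input) + (prefixSearch ? "*" : string.Empty);
        return "(| (&(objectclass=" + EscapeFilterValue(objectClass) + ")(" + attribute + "=" + value + ")) )";
    }

    // Prints the filter and fails loudly if it is not the expected string.
    private static void Check(string actual, string expected)
    {
        if (actual != expected) throw new InvalidOperationException("unexpected filter: " + actual);
        Console.WriteLine(actual);
    }

    public static void Main()
    {
        // Constructed sample inputs.
        Check(BuildSearchFilter("person", "displayName", "john", true),
              @"(| (&(objectclass=person)(displayName=john*)) )");

        // Group name with a backslash: sent unescaped, the server would read "\ba"
        // as the single byte 0xBA and the group would vanish from the results.
        Check(BuildSearchFilter("group", "cn", @"xy\b", true),
              @"(| (&(objectclass=group)(cn=xy\5cb*)) )");

        // Parentheses and a non-ASCII character (ü is C3 BC in UTF-8) in a display name.
        Check(BuildSearchFilter("user", "displayName", "Müller (ext)", true),
              @"(| (&(objectclass=user)(displayName=M\c3\bcller \28ext\29*)) )");
    }
}
```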

Issue of people picker for site collection admin. in Sharepoint Central Administrative System

Since I am using your claim provider LDAPCP, after I have installed it, it causes an error (cannot pick the role or even pick UPN) when I use the people picker to set the site collection administrator of my web app in the SharePoint Central Administration site. However, the people picker works (could pick role) when I set the permission inside site permissions inside the web app. But I can't set the site collection administrator.

So, is it a bug or is it possible to solve it?

Update job for LDAPCP succeeds but the LDAPCP Administration page isn't working

Hi Yvan,

Followed your instructions to upgrade LDAPCP to the latest version from version V3.7.0.0. After the upgrade I'm unable to connect to the administration link with the following error:

[screenshot]

I ran the steps to uninstall:

DisplayName   : LDAPCP
Scope         : Farm
Id            : b37e0696-f48c-47ab-aa30-834d78033ba8
RootDirectory : C:\Program Files\Common Files\Microsoft Shared\Web Server
                Extensions\15\Template\Features\LDAPCP

DisplayName   : LDAPCP.Administration
Scope         : Web
Id            : f8ebe160-61e5-4e90-8759-98458cbe99a4
RootDirectory : C:\Program Files\Common Files\Microsoft Shared\Web Server
                Extensions\15\Template\Features\LDAPCP.Administration

Those directories and files are there so I proceed to the next step to disable:

Get-SPFeature| ?{$_.DisplayName -like 'LDAPCP*'}| Disable-SPFeature -Confirm:$false
Disable-SPFeature : Could not load file or assembly 'ldapcp, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=b275ba6c8c5c2d2d' or one of its dependencies.
The system cannot find the file specified.
At line:1 char:51
+ Get-SPFeature| ?{$_.DisplayName -like 'LDAPCP*'}| Disable-SPFeature
-Confirm:$fa ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Share...tDisableFeature:
   SPCmdletDisableFeature) [Disable-SPFeature], FileNotFoundException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletDisableF
   eature

Disable-SPFeature : Required parameter URL was not specified for feature
'f8ebe160-61e5-4e90-8759-98458cbe99a4'.  The feature was not deactivated.
At line:1 char:51
+ Get-SPFeature| ?{$_.DisplayName -like 'LDAPCP*'}| Disable-SPFeature
-Confirm:$fa ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Share...tDisableFeature:
   SPCmdletDisableFeature) [Disable-SPFeature], ArgumentException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletDisableF
   eature

I also tried to just disable using Disable-SPFeature

Disable-SPFeature

cmdlet Disable-SPFeature at command pipeline position 1
Supply values for the following parameters:
Identity: LDAPCP

Confirm
Are you sure you want to perform this action?
Performing the operation "Disable-SPFeature" on target "Farm Scope
|b37e0696-f48c-47ab-aa30-834d78033ba8|15".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y
Disable-SPFeature : Could not load file or assembly 'ldapcp, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=b275ba6c8c5c2d2d' or one of its dependencies.
The system cannot find the file specified.
At line:1 char:1
+ Disable-SPFeature
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Share...tDisableFeature:
   SPCmdletDisableFeature) [Disable-SPFeature], FileNotFoundException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletDisableF
   eature

I'm not sure how to proceed from here. Any assistance would be appreciated.

People Picker showing disabled AD users

We have users that still appear that have been a) deactivated in AD, b) removed from the User Information List, c) user doesn't exist in UPA and d) deleted browser cookies and form data. In LDAPCP global configuration page -> Exclude disabled users (as documented in KB 827754) is checked.

Any ideas?

Thanks,
Miikka Lehtonen

LDAPCP with SP16

Hi, I am having trouble with configuration. I have configured as specified in the documentation and receiving some issues in the SharePoint logs with the following:

[LDAPCP] Got 0 result(s) in 2ms from "LDAP://domain.com/DC=domain,DC=com" with query "(| (&(objectclass=user)(userPrincipalName=[email protected])) )"

Additional info:
-My Claim Identifier is "userPrincipalName" which shows as the users email address, [email protected]
-The user account login is similar to: tuser

Any help to get me over the hill here? Thanks!

LDAPCP with AD LDS

Hi there,

I have connected our AD LDS with LDAPCP and it works fine, but I can only see Users, not UserProxy accounts. We are using UserProxy accounts so that the password is not known on this side. Can LDAPCP find accounts which are UserProxy in AD LDS?

Sharepoint 2013 Implications of Claims Mode Authentication on service applications / Managed Metadata Service

Hi there, We have an issue when converting Managed Metadata Service Application Windows claims authentication to SAML-based authentication. We are executing script Convert-ManagedMetadataServiceToTrusted.ps1 from the TechNet page https://technet.microsoft.com/en-us/library/dn745644.aspx.

It throws the following error:

Write-LogError : ERROR: Exception in ShouldExecute: Exception calling ".ctor" with "1" argument(s): "Exception of type 'System.ArgumentException' was thrown.
Parameter name: configuration"
At D:\install\Convert-ManagedMetadataServiceToTrusted.ps1:187 char:9
+         Write-LogError ("Exception in ShouldExecute: {0}" -f $_.Exception.Messag ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-LogError

Write-LogError : ERROR: Stack trace: at Create-Migrator, D:\install\Convert-ManagedMetadataServiceToTrusted.ps1: line 360
at ShouldExecute, D:\install\Convert-ManagedMetadataServiceToTrusted.ps1: line 169
at , D:\install\Convert-ManagedMetadataServiceToTrusted.ps1: line 694
at , D:\install\Convert-ManagedMetadataServiceToTrusted.ps1: line 691
at , : line 1
At D:\install\Convert-ManagedMetadataServiceToTrusted.ps1:188 char:9
+         Write-LogError ("Stack trace: {0}" -f $_.ScriptStackTrace)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-LogError

And the corresponding ULS entry is:

10.27.2017 17:45:36.18 PowerShell.exe (0x5E80) 0x28CC SharePoint Foundation Claims Authentication amcpj Unexpected Trusted login provider has claim provider that isn't SPTrustedBackedByActiveDirectoryClaimProvider. TrustedLoginProvider: 'MESSI'. 2f19f817-4331-0000-f16e-482f3143d301

We are using your great product LDAPCP and earlier we associated to an SPTrustedIdentityTokenIssuer to work:
$trust = Get-SPTrustedIdentityTokenIssuer "MESSI"
$trust.ClaimProviderName = "LDAPCP"
$trust.Update()

Any help would be appreciated.

Thanks,
Miikka

Inquiry: LDAPCP Installation on more than Web Server

Hi,

Great component! Solves our issue on the people picker when using ADFS as the Auth Provider. However, I'd like to ask this one: we have another SP farm that is going to use this, it has more than one Web Server and it's behind a Load Balancer. That being said, do we need to run the PS to install LDAPCP on all Web Servers? Appreciate it if you can provide your thoughts on this. Thanks.

LDAPCP not permissioning groups

We are using the LDAPCP add-in for our SharePoint Farm. We have finally got it to pull groups, but when the groups are added permissions for the users in the groups do not work. Is there any guidance on how this should work?

Sharepoint Alert issue

Hi Team

We are having issues in setting up an alert for groups in SharePoint 2010, and when we were working with Microsoft they advised us to download and install the LDAPCP file available on your website, but we aren't able to update or add the solution. Please advise if the software available for download is compatible with SharePoint 2010 or is it of use only for SharePoint 2013 and 2016.

If you could share the suitable file that would be compatible with Sharepoint 2010.

Thanks
Rohini

error in LDAPCP configuration page

Hi Yvand

I edited some information in Claims mapping and now I see this error displayed whenever I open the Global Configuration page.
I deleted the entry for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role in the Claims mapping page.

I see this error "There is no claim type associated with an entity type 'FormsRole' or 'SecurityGroup'" displayed on top of the Global Configuration page. I think maybe I need to recreate the entry again, but I'd like to understand what I did and how to fix this.

Could you explain what happened and how I can fix it?

Thanks

Swanl

The objectSid attribute

Hi,

I started to use this provider a few days ago for testing and it seems like a solid solution. I have one minor issue though; I am not sure if it is supported or not, and that is the usage of the objectSid attribute. When setting things up I get the attribute back, but in binary form as stored in AD. So I think this will solve itself with a conversion to string? Is this a possibility to implement or am I missing something here? I would very much like to use this with groups so renaming of groups would not interfere with access rules. We use this today with the default provider and the Token-Groups as SIDs with no problem. Just the extra little admin fuzzle with copy-pasting SIDs.

Regards,
Vegard

Claims mapping

I set up my claims mapping, added a custom claim, and set up a bypass for the custom claim and one for the mail claim. Everything is working great. However, when I access the claims mapping page in Central admin now, the settings seem to be back to the default. For instance, the "Prefix to bypass lookup" doesn't have a value in it but the prefix still works in SP. Also, the custom claim I added doesn't show up in the claims mapping page any more but it is still working too. Any idea? Not sure when this started as I didn't change anything that I know of.

One other thing I noticed. When I go to the global configuration page and click "Ok" (without changing anything), I get the following error:

Sorry, something went wrong
An update conflict has occurred, and you must re-try this action. The object LDAPCPConfig Name=LdapcpConfig was updated by [user], in the w3wp (7292) process, on machine [server name]. View the tracing log for more information about the conflict.

Thanks.

Not an issue, just a recommendation - color blindness

I am red/green color blind and the claims mapping page in central admin uses red/green colored text to signify if a claim is mapped or not. It would be nice to either have a column stating whether it is mapped or use colors that are more contrasting.

Thanks.

Help needed to understand our issue with the Filtering

We've been having an issue in which the validation of a selected user from the people picker was filtered out by the system. The relevant log entries are

[LDAPCP] Got 1 result(s) from all LDAP server(s) with query "(| (&(objectclass=user)(userPrincipalName=******)) )"
[LDAPCP] 0 permission(s) to create after filtering

I looked at the code and honestly couldn't make out what the filter criteria were. Would you mind sharing the list of all criteria which would lead to LDAPCP filtering out results?

Thanks!

LDAPCP and securitytoken.svc timeout

Hi Yvan

We are experiencing this issue where users intermittently are getting HTTP error 500 with message "The server is busy now. Try again later".
This happens after the user is authenticated and redirected to https://site/_trust/

In ULS I can see that calls to securitytoken.svc time out after 60 sec. It happens on both frontends.
The servers are not under pressure; it doesn't look like a hardware capacity issue. Restarting SecurityTokenServiceAppPool seems to help, but not for a long period.

This farm is using LDAPCP, and I'm wondering if our LDAPCP configuration somehow contributes to the issue, especially the augmentation part of it.

  • LDAPCP is the only thing that is unique compared to other farms

  • Users can be members of up to 500 AD groups

  • The token issued by ADFS contains claim "Role" with the user's group membership, but this is ignored and LDAPCP augmentation of "Role" is used, getting the same memberships from identity providers directly using LDAP

  • Can see LDAP errors occurring in ULS, LDAP timeouts or LDAP Unknown error (0x8000500c). Usually when it happens users get "This page is not shared with you..." message

Is there anything with this configuration and symptoms that can cause securitytoken.svc timeouts when converting external to internal token, or should I search for a solution somewhere else?

:: Sharepoint configuration

  • Sharepoint 2016 RTM on Windows Server 2016
  • Using claims authentication
  • Federation provider: ADFS
  • Identity providers: 2 active directories AD.DOMAIN1.ORG and AD.DOMAIN2.ORG
  • Claim provider: LDAPCP
  • Identity claim: UPN

:: LDAPCP configuration

  • LDAP connections:
    LDAP://OU=UsersOU1,OU=Accounts,DC=AD,DC=DOMAIN1,DC=ORG
    LDAP://OU=UsersOU2,OU=Accounts,DC=AD,DC=DOMAIN1,DC=ORG
    LDAP://OU=UsersOU3,OU=Accounts,DC=AD,DC=DOMAIN1,DC=ORG
    LDAP://OU=UsersOU4,OU=Accounts,DC=AD,DC=DOMAIN1,DC=ORG
    LDAP://OU=UsersOU5,OU=Accounts,DC=AD,DC=DOMAIN1,DC=ORG
    LDAP://OU=Groups,DC=AD,DC=DOMAIN1,DC=ORG (used for groups augmentation in DOMAIN1)
    LDAP://AD.DOMAIN2.ORG (used for groups augmentation in DOMAIN2)

  • Augmentation: Enabled

  • Augmented Group Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/role

  • LDAP connections used for augmentation ("This is an AD server" selected):
    LDAP://OU=Groups,DC=AD,DC=DOMAIN1,DC=ORG
    LDAP://AD.DOMAIN2.ORG

  • LDAP query timeout: increased to 30, does not seem to help

  • Additional LDAP filter for user attributes: Defined and present

:: Full exception from ULS

Claims Saml Sign-In: Could not get local token for trusted third party token. Exception: 'System.TimeoutException: The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) - -- End of inner exception stack trace --- at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason) at System.ServiceModel.Channels.HttpChannelFactory1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) - -- End of inner exception stack trace --- Server stack trace: at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, 
IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments)'. Stack: ' Server stack trace: at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at 
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments)'.

LDAPCP for Developers.zip

Hi

Is this "LDAPCP for Developers.zip" still available somewhere? It's referenced in the code and over at ldapcp.com but I can't seem to locate it anywhere.

LDAPCP, ADFS and external users?

Hi,

I have installed a SharePoint 2016 on-premise. I have integrated ADFS to be able to invite external users. But as we all know, after an ADFS integration the people picker doesn't resolve users from the AD very well. LDAPCP does fix this.

But I cannot invite external users; I am only getting an error message telling me that... I can't. :) Is there a setting or a way to make this possible?

Unexpected error in SearchOrValidate

Hi,

Installed and configured LDAPCP in SharePoint 2013. It all seems to be fine except the people picker doesn't return any results. I see the following errors in the log.

08/22/2017 12:02:52.44 w3wp.exe (SHPTSrvr:0x1478) 0x41F4 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] 4 permission(s) to create after filtering b8cd119e-ad17-d04e-d6c0-f866acdad5be

08/22/2017 12:02:52.44 w3wp.exe (SHPTSrvr:0x1478) 0x41F4 LDAPCP Claims Picking 1337 Unexpected [LDAPCP] Unexpected error in SearchOrValidate: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index, Callstack: at System.Collections.ArrayList.get_Item(Int32 index) at System.DirectoryServices.ResultPropertyValueCollection.get_Item(Int32 index) at ldapcp.LDAPCP.CreatePickerEntityHelper(ConsolidatedResult result) at ldapcp.LDAPCP.ProcessLdapResults(RequestInformation requestInfo, List1& LDAPSearchResultWrappers) at ldapcp.LDAPCP.SearchOrValidateWithLDAP(RequestInformation requestInfo, List1& permissions) at ldapcp.LDAPCP.SearchOrValidate(RequestInformation requestInfo) b8cd119e-ad17-d04e-d6c0-f866acdad5be

LDAPCP doesn’t work for multiple claims provider

Hello @Yvand,

At present, we have a web application in SharePoint configured with an Identity Provider, with LDAPCP as a claim provider. Everything works as per the requirements in this case.

Now we have another web application in the same SharePoint farm configured with a different Identity Provider. At this point, when tested, the sites were accessible for this new second web app. Now, in this case, when we try to map the same LDAPCP for the second web app, the Claims mapping and the Global configuration page in the Central Admin site lose their initial settings and the mapping values.

We had to remove the Identity Provider from the second web app. After doing this, the Claims mapping and the Global configuration page in the Central Admin site got their initial settings and mapping values restored.

We would like to know how we can configure LDAPCP to work for multiple claims providers in the same SharePoint farm.

Awaiting your reply. Thanks.

LDAPCP Solution deploy error

I have been trying to deploy the solution and I am getting an error after following your fix for issues with the setup, due to it not installing right. The error on one server is "The definition specifies a claim provider with a name already in use." What did I miss cleaning up?

Hide UPN record

I want to know how to remove records with the (UPN) prefix from the search results.
I tried in my environment and also saw your screenshot: when you search someone's account, 2 or 3 records appear which actually point to the same person.
At least, can we make them distinct?
Thanks.

3b8db40a-2aa1-11e7-9070-aee808950f38

Check Permission via AD group - LDAPCP

Hello Yvan,

We have encountered an issue in our SharePoint environment using LDAPCP.

Consider a scenario where a user is granted XYZ permission via an AD group in SharePoint (and not explicitly using his ID). Now when we do a check permission with that user ID, it should show that this user has XYZ permission via that AD group, but it doesn't (it only shows the permission assigned via his ID).

This behavior is seen only on sites with a custom Identity Provider using LDAPCP and not on sites with AD NTLM.

Are we missing something? Awaiting your reply. Thanks.

Augmented setting doesn't seem to work with check permissions

Enabled the augmentation setting on the LDAPCP configuration page. Did a refresh and cleared the cache. Unfortunately, while doing a check permissions on a user that is part of a security group, the group is not listed.
Any additional recommendations?

No Results in OOTB People Pickers (SP2016)

I just installed LDAPCP on a fresh SP2016 installation. I'm using ADFS as a trusted provider. Sync is working and pulling in profiles. I'm able to log in. However, now that LDAPCP is installed I am not getting any results in my people picker.

I have installed your solution on a 2013 farm and had good results so I'm wondering if maybe I missed a step.

Thanks in advance for your assistance.

LDAPCP - EnsureUser issue

Hello Yvan,

We have a scenario where certain users have an ID which is a subset of other users' IDs, like the example below.

User with ID: dpatil

For this user, when we search in the people picker with LDAPCP, we see multiple entries like dpatil1, dpatil2, dpatil10. In other words, dpatil is a subset of other login IDs as well.

Now we have a service URL that pulls the data from a list in SharePoint. Below is the snippet of the code that runs while accessing the service URL.


public static string GetCurrentUserLoginName(string loginName, ClientContext clientContext)
{
    // CSOM: ask SharePoint to resolve the login name through the claims provider (LDAPCP)
    var spUser = clientContext.Web.EnsureUser(loginName);
    clientContext.Load(spUser, user => user.LoginName);
    clientContext.ExecuteQuery();
    return ConvertUsernameToClaim(clientContext, spUser.LoginName);
}

When such users (whose ID is a substring of other users' IDs in AD) try to access this service URL, they get the error message "The specified user could not be found" in the browser.

However, when we use the "Exact match" option on the LDAPCP configuration page, this issue doesn't occur for these users. But we cannot opt for this option for business reasons.

Question: Is there anything on the LDAPCP side that can be done to handle such scenarios, when one user ID is a subset of other user IDs and these service URLs are accessed?

Awaiting your reply. Thanks.
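The ambiguity described in this issue, as an added example that is not part of the issue or of LDAPCP's own code: a validation lookup that uses a "starts with" LDAP filter matches dpatil, dpatil1, dpatil2 and dpatil10 at once, so an EnsureUser-style call that needs exactly one entry fails, while an equality filter resolves it. The directory entries and attribute names are constructed sample data; the filter values are escaped per RFC 4515 so a login string cannot change the filter's structure.

```python
# Constructed sample directory: sAMAccountName -> distinguishedName
SAMPLE_DIRECTORY = {
    "dpatil":   "CN=D Patil,OU=Employees,DC=example,DC=com",
    "dpatil1":  "CN=D Patil 1,OU=Employees,DC=example,DC=com",
    "dpatil2":  "CN=D Patil 2,OU=Employees,DC=example,DC=com",
    "dpatil10": "CN=D Patil 10,OU=Employees,DC=example,DC=com",
    "jsmith":   "CN=J Smith,OU=Employees,DC=example,DC=com",
}

# RFC 4515 escaping for assertion values, so user input never adds
# operators or parentheses to the filter that is sent to the directory.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter(attribute: str, value: str, exact: bool) -> str:
    """Equality filter for validation, or a 'starts with' filter (search mode)."""
    escaped = escape_filter_value(value)
    return f"({attribute}={escaped})" if exact else f"({attribute}={escaped}*)"


def match_entries(value: str, prefix: bool, directory: dict) -> list:
    """Simulate the directory evaluating the two filter shapes above.
    sAMAccountName comparisons are case-insensitive, as in Active Directory."""
    needle = value.lower()
    if prefix:
        return sorted(sam for sam in directory if sam.lower().startswith(needle))
    return sorted(sam for sam in directory if sam.lower() == needle)


def validate_login(login: str, exact_match: bool,
                   directory: dict = SAMPLE_DIRECTORY):
    """EnsureUser-style validation: succeeds only when exactly one entry
    matches. Returns the DN on success, None on 0 or more than 1 hits."""
    hits = match_entries(login, prefix=not exact_match, directory=directory)
    return directory[hits[0]] if len(hits) == 1 else None


if __name__ == "__main__":
    for exact in (False, True):
        print(build_filter("sAMAccountName", "dpatil", exact),
              "->", validate_login("dpatil", exact_match=exact))
```

Running the block shows the prefix filter returning four candidates for "dpatil" (so validation yields None) while the equality filter returns the single DN.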

People picker search in contacts instead of users

Hello,

I'm in a case where I would like to read an Active Directory where the users are actually contacts and not users. How can I search for contacts in the directory instead of users?
Can you help me?
Any plan to make an option for this (search also in contacts and not only users) in your application?
This is because, in the context of ADFS, we use FIM to replicate users from a federated company and re-create them in our directory as contacts for security reasons. So we would do the people picker lookup in our directory instead of the initial directory, also for security reasons.
Thanks

Bypass lookup for NTLM accounts

Our environment is set up to use ADFS with LDAPCP. I set the people picker so it doesn't query our NTLM AD. I set a bypass lookup so we can add external users to SP. Everything is working well.

However, I realized we have a special circumstance where I need to be able to add an NTLM user to SP permissions. I thought I could use the bypass prefix to avoid name resolution, but it adds the ADFS prefix to the account when I add the permissions:

i:05.t|adfs|dmz\userName

I would like it to add it like so:

dmz\userName

Is this possible? Can I create a special claim in SP and set LDAPCP to do this?
