Comments (18)
@Yvand, thanks a lot for your responses. Appreciate it. The timeout issue got fixed by allowing the crl.microsoft.com site in the firewall. The servers do not have access to the internet.
Hi @aerotodorr
LDAPCP plays a role when the user signs in, if augmentation is enabled.
Can you try to disable it and check if the timeout issue disappears?
Hi @Yvand
This farm is in production and it takes time to get this through.
I'll let you know how it goes.
Hi @Yvand
We tried to disable LDAPCP augmentation today, but then users who were given access to the site via group memberships (Role claim) got the access denied error "This site is not shared with you... "
Tried to figure out why, and it seems that under LDAPCP's "Claim mapping" config page, for the Role claim, there is a "Prefix to display" defined with the value "{fqdn}",
and all groups that were given access to this site by that point have it prepended.
On the other side, the Role claim that comes with ADFS tokens consists of group names only (samaccountname), without prefixes. This mismatch caused the access denied error.
When the prefix is removed on the "Claims mapping" config page, and access to the same group is given again, now shown without the prefix, users are able to access pages with augmentation disabled.
Now the issue is how to easily convert these prefixes so the site is usable without augmentation.
Is it possible to hack it somehow at the LDAPCP level or by modifying those claims at the ADFS level?
Do you have any ideas, and is this expected behavior?
Hi @aerotodorr, the only way is to migrate them, e.g.:
# Encoded role claim as stored by SharePoint: c:0-.t|<trusted provider>|<claim value>
$oldlogin="c:0-.t|contoso.local|contoso.local\group1";   # value with the "{fqdn}\" prefix LDAPCP displayed
$newlogin="c:0-.t|contoso.local|group1";                 # value as ADFS actually issues it
# Third parameter: do not enforce SID history (these are claims, not Windows accounts)
[Microsoft.SharePoint.Administration.SPFarm]::Local.MigrateUserAccount($oldlogin, $newlogin, $false);
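The mismatch described two comments up (permissions granted to the "{fqdn}\group" form while ADFS issues the bare samaccountname) has to be fixed one login at a time with the call shown above. The following PowerShell is an added example, not code from the LDAPCP project or from either participant: it enumerates every role claim in a web application that still carries the prefix and migrates it to the un-prefixed form, with a dry-run switch so you can review the mapping first. The trusted provider name, the {fqdn} value and the web application URL are assumptions for illustration; adjust them to your farm and run it in an elevated SharePoint Management Shell.

```powershell
# Added example (not from the LDAPCP project). Migrate role claims that carry the
# "{fqdn}\" prefix to the form ADFS issues, farm-wide, via SPFarm.MigrateUserAccount.
# Assumptions: trusted provider "contoso.local", {fqdn} = "contoso.local",
# web application https://intranet.contoso.local (all hypothetical values).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName = "contoso.local"                 # name of the SPTrustedIdentityTokenIssuer
$domainFqdn   = "contoso.local"                 # the {fqdn} value LDAPCP prepended to the group name
$webAppUrl    = "https://intranet.contoso.local"
$dryRun       = $true                           # set to $false to actually migrate

# Encoded login of a role claim issued by a trusted provider: c:0-.t|<provider>|<value>
$oldPrefix = "c:0-.t|$providerName|$domainFqdn\"
$newPrefix = "c:0-.t|$providerName|"

$farm   = [Microsoft.SharePoint.Administration.SPFarm]::Local
$webApp = Get-SPWebApplication $webAppUrl
$seen   = @{}   # MigrateUserAccount is farm-wide: migrate each login once, even if it appears in many sites

foreach ($site in $webApp.Sites) {
    try {
        # SiteUsers lists every principal (users and role claims) granted rights in the site collection
        foreach ($principal in $site.RootWeb.SiteUsers) {
            $login = $principal.LoginName
            if (-not $login.StartsWith($oldPrefix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
            if ($seen.ContainsKey($login)) { continue }
            $seen[$login] = $true

            $newLogin = $newPrefix + $login.Substring($oldPrefix.Length)
            Write-Host ("{0}  ->  {1}" -f $login, $newLogin)
            if (-not $dryRun) {
                # $false: do not require SID history; these are claims, not Windows accounts
                $farm.MigrateUserAccount($login, $newLogin, $false)
            }
        }
    }
    finally {
        $site.Dispose()
    }
}
Write-Host ("{0} prefixed role claim(s) found; dryRun={1}" -f $seen.Count, $dryRun)
```

Run it once with $dryRun = $true, check that every printed target matches a group name exactly as it appears in the ADFS token (samaccountname, no domain), then rerun with $dryRun = $false. Remove the "{fqdn}" prefix from the Role claim mapping before you migrate, otherwise newly granted groups will get the prefix again.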
Hi @aerotodorr
Sorry for the very late reply. I just find SPFarm.MigrateUserAccount() much more convenient to use than Move-SPUser since it just takes 2 string parameters...
Thanks @Yvand
Just to let you know, disabling augmentation solved our issue.
Hi Yvand,
I am still facing the same issue even though the augmentation setting was not enabled. Only restarting SharePoint IIS resolves the issue. If I am not wrong, I went to the setting at: Central Admin -> Security -> LDAPCP Configuration -> Global Configuration -> Augmentation -> Enable augmentation (checkbox unchecked). Please help.
@KNareshChand What error exactly are you getting?
Thanks Yvand for the quick help.
This is the error I am getting from the ULS log:
Claims Authentication 8307 Critical An exception occurred in LDAPCP claim provider when calling SPClaimProvider.FillClaimsForEntity(): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703fa Illegal operation attempted on a registry key that has been marked for deletion. (Exception from HRESULT: 0x800703FA).. 56ff379e-e938-f067-f602-ad570a5df7a0
12/19/2017 02:59:07.70 w3wp.exe (0x12B0) 0x1448 SharePoint Foundation Claims Authentication af3zp Unexpected STS Call Claims Saml: Problem getting output claims identity. Exception: 'System.Runtime.InteropServices.COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703fa Illegal operation attempted on a registry key that has been marked for deletion. (Exception from HRESULT: 0x800703FA). at Microsoft.SharePoint.Library.SPRequest..ctor() at Microsoft.SharePoint.SPGlobal.CreateSPRequestAndSetIdentity(SPSite site, String name, Boolean bNotGlobalAdminCode, String strUrl, Boolean bNotAddToContext, Byte[] UserToken, SPAppPrincipalToken appPrincipalToken, String userName, Boolean bIgnoreTokenTimeout, Boolean bAsAnonymous) at Microsoft.SharePoint.SPRequestManager.GetContextRequest(SPR... 56ff379e-e938-f067-f602-ad570a5df7a0
12/19/2017 02:59:07.70* w3wp.exe (0x12B0) 0x1448 SharePoint Foundation Claims Authentication af3zp Unexpected ...equestAuthenticationMode authenticationMode) at Microsoft.SharePoint.Administration.SPFarm.get_RequestAny() at Microsoft.SharePoint.SPSecurity.GetCurrentUserTokenNoApplicationPrincipalDelegated(SPWebApplication webApp, Uri siteUrl) at Microsoft.SharePoint.SPSecurity.GetCurrentUserToken() at Microsoft.SharePoint.SPSecurity.EnsureOriginatingUserToken() at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode) at Microsoft.SharePoint.Administration.Claims.SPClaimProvider.GetClaimsForEntity(Uri context, SPClaim entity, SPClaimProviderContext claimProviderContext) at Microsoft.SharePoint.Administration.Claims.SPClaimProviderOperatio... 56ff379e-e938-f067-f602-ad570a5df7a0
12/19/2017 02:59:07.70* w3wp.exe (0x12B0) 0x1448 SharePoint Foundation Claims Authentication af3zp Unexpected ...ns.ClaimsForEntity(Uri context, SPClaimProviderOperationOptions mode, String[] providerNames, SPClaim entity, SPClaimProviderContext claimProviderContext) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentClaimsIdentityWithClaimProviders(SPRequestInfo requestInfo, IClaimsIdentity identity, SPClaim identityClaim) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)'. 56ff379e-e938-f067-f602-ad570a5df7a0
12/19/2017 02:59:07.70 w3wp.exe
I don't know the exact reason why this error is happening, but there is a pattern: the SharePoint site works as usual, but after some days (maybe after many users have logged in to the site) the site stops working and we see the usual yellow error screen, with the URL pointing to /_trust/default.aspx. After restarting the SharePoint server, the issue is gone and it works again.
@KNareshChand I think you likely face the issue described in KB https://support.microsoft.com/en-in/help/3114011/800703fa-illegal-operation-attempted-on-a-registry-key-that-has-been-m
Can you try the solutions and confirm if it fixes the issue?
Thanks Yvand, I will try this solution and will update.
Hello All, I am facing the same issue in a SharePoint 2019 farm. Could you please advise? I have configured/tried the below but none of them worked:
- App pool is started and also tried to Recycle the security token service pool
- Clearing SharePoint config cache
- IISRESET
- http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc URL can be browsed, shows a WCF page.
- Set LDAPCP as Claim provider
- Augmentation set to false
- Restarted the servers
- Reprovisioned SecureTokenServiceApplication
- Removed LDAPCP completely following https://ldapcp.com/Fix-setup-issues.html and installed again
- Central admin and timer services are started
Below is the error in ULS logs:
Claims Saml Sign-In: Could not get local token for trusted third party token. Exception: 'System.TimeoutException: The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) --- End of inner exception stack trace --- at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason) at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
@NaveenAhuja-PD, can you filter the SharePoint logs on the SharePoint STS process?
They should explain what is wrong.
@Yvand , Sorry, I missed your response.
I tried to filter, but did not get any process that seemed relevant to STS. Can you let me know if there is any special keyword with which I should filter?
I tried to search with the STS URL and got some logs only like:
The audience uri matches a trusted login provider provider realm. AudienceUri:urn:sharepoint:name
The absolute uri validation succeeded. AudienceUri:urn:sharepoint:name
STS Call Claims Saml: Successfully requested sign-in claim identity on behalf of user '05.t.....
AVF claim not present. Claim type: 'http://schemas.microsoft.com/sharepoint/online/2014/06/claims/authenticationvalidfromutc'.
I do notice one log as critical:
A certificate validation operation took 60036.021 milliseconds and has exceeded the execution time threshold. If this continues to occur, it may represent a configuration issue. Please see http://go.microsoft.com/fwlink/?LinkId=246987 for more details.
The certificate validation timeout is very likely the cause of the issue in the SharePoint STS process.
To identify the SharePoint STS process, run this command as administrator:
cmd /r %systemroot%\system32\inetsrv\appcmd list wp
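Putting the two suggestions above together (find the STS worker process, then read only the ULS entries it wrote) plus the check that resolved the first poster's case (can the server reach crl.microsoft.com at all), here is an added PowerShell example. It is not code from the LDAPCP project or from this thread's authors. It assumes the default STS application pool name "SecurityTokenServiceApplicationPool", an elevated SharePoint Management Shell on a server hosting the STS, and that crl.microsoft.com over HTTP port 80 is the CRL distribution point your certificate chain needs; change those values if your farm differs.

```powershell
# Added example (not from the LDAPCP project). Locate the SharePoint STS worker
# process, show the Critical/Unexpected/High ULS entries it logged recently, and
# test whether the CRL host the certificate validation needs is reachable.
# Assumptions: default STS pool name, run elevated on a server hosting the STS,
# crl.microsoft.com:80 is the CRL endpoint in your chain (adjust as needed).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$stsPoolName = "SecurityTokenServiceApplicationPool"
$minutesBack = 30

# "appcmd list wp" prints lines like: WP "1234" (applicationPool:SecurityTokenServiceApplicationPool)
$appcmd  = Join-Path $env:systemroot "system32\inetsrv\appcmd.exe"
$stsPids = & $appcmd list wp | ForEach-Object {
    if ($_ -match 'WP "(\d+)" \(applicationPool:(.+)\)' -and $Matches[2] -eq $stsPoolName) {
        [int]$Matches[1]
    }
}
if (-not $stsPids) {
    Write-Warning "No running worker process for $stsPoolName (it is spawned on the first sign-in); sign in once and rerun."
    return
}

# The ULS "Process" column is formatted as "w3wp.exe (0x12B0)": the PID in uppercase hex
$processTags = $stsPids | ForEach-Object { "w3wp.exe (0x{0:X4})" -f $_ }
Write-Host ("STS worker process(es): {0}" -f ($processTags -join ", "))

Get-SPLogEvent -StartTime (Get-Date).AddMinutes(-$minutesBack) |
    Where-Object {
        ($processTags -contains $_.Process) -and
        (@("Critical", "Unexpected", "High") -contains $_.Level)
    } |
    Select-Object Timestamp, Level, Area, Category, Message |
    Format-Table -AutoSize -Wrap

# A "certificate validation operation took ~60000 ms" entry means the chain builder waited
# for a CRL download that never answered. Confirm the firewall path from this server.
$crl = Test-NetConnection -ComputerName crl.microsoft.com -Port 80 -WarningAction SilentlyContinue
if ($crl.TcpTestSucceeded) {
    Write-Host "crl.microsoft.com:80 reachable"
} else {
    Write-Warning "crl.microsoft.com:80 is blocked: expect 60 s certificate validation stalls in the STS and the securitytoken.svc timeout above"
}
```

If the STS entries show the 60036 ms certificate validation line and the CRL test fails, open the firewall to the CRL distribution point (the fix reported at the top of this thread) or, on a farm with no internet egress, disable the CRL download in the .NET configuration as the linked Microsoft article describes; then recycle SecurityTokenServiceApplicationPool and sign in again.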