Closed rama2108 closed 1 year ago
LDAPCP has its own implementation to query LDAP servers, and the standard people picker commands (stsadm or PowerShell) have no effect; they affect only Windows authentication mode.
Can you explain what is wrong with the results you get?
If you think something is wrong, you can look at the SharePoint logs and filter on product/area LDAPCP.
Hi @Yvand .. Many Thanks for the response.
In the SharePoint logs, just these 3 entries are being logged:
1. [LDAPCP] Got 1 result(s) in 1ms from 'LDAP://LDAPserver1.xyz.abc.com' with filter '(| (&(objectclass=user)(userPrincipalName=rama kant)) (&(objectclass=group)(sAMAccountName=rama kant)) (&(objectclass=user)(displayName=rama kant)) (&(objectclass=user)(cn=rama kant)(!(objectClass=computer))) (&(objectclass=user)(sn=rama kant)) (&(objectclass=user)(givenName=rama kant)) )'
2. [LDAPCP] 3 entity(ies) to create after filtering
3. [LDAPCP] Returned 3 entities from input 'rama kant'
My issue is that i:0e.t|adfs|ramakant.singh@abc.com is the extra entry in the people picker. We have not set this anywhere. We need to remove the abc.com domain from the people picker. (When site owners are granting access to users, they get confused about which entry they should grant the access to.)
Our Outlook, Teams and laptop logins are like ramakant.singh@abc.com. However, if we grant access to the ramakant.singh@abc.com UPN claim on the SharePoint site and then try to browse the site, it does not work through SSO and throws Access Denied.
If we grant access to i:0e.t|adfs|singr103@xyz.abc.com, it works with SSO of ramakant.singh@abc.com on the laptop.
Thanks
Please find the Claim Types image attached.
It is not quite clear. Can you set the LDAPCP logs to verbose to double-check whether your unexpected user is returned by LDAPCP:
"LDAPCP:*"| Set-SPLogLevel -TraceSeverity Verbose
Hello @Yvand .. I have set the LDAPCP logs to verbose; the unexpected user is returned in the logs. It seems the unexpected user is coming from the mnopq.com domain. It gives 2 results in the logs: "Got 2 result(s) in 0ms from 'LDAP://LDAPserver2.mnopq.com'". Please find the logs below:
[LDAPCP] Connecting to "LDAP://LDAPserver1.xyz.abc.com" with AuthenticationType "Secure, Signing", authenticating with credentials "***" and sending a query with filter "(| (&(objectclass=user)(userPrincipalName=rama kant)) (&(objectclass=group)(sAMAccountName=rama kant)) (&(objectclass=user)(displayName=rama kant)) (&(objectclass=user)(cn=rama kant)(!(objectClass=computer))) (&(objectclass=user)(sn=rama kant)) (&(objectclass=user)(givenName=rama kant)) )"
[LDAPCP] Connecting to "LDAP://LDAPserver2.mnopq.com" with AuthenticationType "Secure, Signing, Sealing", authenticating with credentials "***" and sending a query with filter "(| (&(objectclass=user)(userPrincipalName=rama kant)) (&(objectclass=group)(sAMAccountName=rama kant)) (&(objectclass=user)(displayName=rama kant)) (&(objectclass=user)(cn=rama kant)(!(objectClass=computer))) (&(objectclass=user)(sn=rama kant)) (&(objectclass=user)(givenName=rama kant)) )"
[LDAPCP] Got 1 result(s) in 2ms from 'LDAP://LDAPserver1.xyz.abc.com' with filter '(| (&(objectclass=user)(userPrincipalName=rama kant)) (&(objectclass=group)(sAMAccountName=rama kant)) (&(objectclass=user)(displayName=rama kant)) (&(objectclass=user)(cn=rama kant)(!(objectClass=computer))) (&(objectclass=user)(sn=rama kant)) (&(objectclass=user)(givenName=rama kant)) )'
[LDAPCP] Got 2 result(s) in 0ms from 'LDAP://LDAPserver2.mnopq.com' with filter '(| (&(objectclass=user)(userPrincipalName=rama kant)) (&(objectclass=group)(sAMAccountName=rama kant)) (&(objectclass=user)(displayName=rama kant)) (&(objectclass=user)(cn=rama kant)(!(objectClass=computer))) (&(objectclass=user)(sn=rama kant)) (&(objectclass=user)(givenName=rama kant)) )'
[LDAPCP] Got 3 result(s) in 9ms from all servers with query "(| (&(objectclass=user)(userPrincipalName=rama kant)) (&(objectclass=group)(sAMAccountName=rama kant)) (&(objectclass=user)(displayName=rama kant)) (&(objectclass=user)(cn=rama kant)(!(objectClass=computer))) (&(objectclass=user)(sn=rama kant)) (&(objectclass=user)(givenName=rama kant)) )"
[LDAPCP] Added entity: display text: 'Singh, Rama Kant', claim value: 'singr103@xyz.abc.com', claim type: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
[LDAPCP] Added entity: display text: 'Singh, Rama Kant (Admin)', claim value: 'singr103_nz1@mnopq.com', claim type: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
[LDAPCP] Added entity: display text: 'Singh, Rama Kant', claim value: 'ramakant.singh@abc.com', claim type: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'.
@rama2108 the logs show no error or unexpected behavior: the entity ramakant.singh@abc.com is created because LDAPCP found it on one of the LDAP servers. If you want to troubleshoot why exactly it is returned, I suggest you use the information in the log above to replay the LDAP request using this PowerShell script.
Thanks @Yvand .. Can you please confirm that the PowerShell script will not make any configuration changes?
Kindly let us know if we can get official support from the LDAPCP team, such as troubleshooting the issue over a screen share.
Hi @Yvand .. I have just replayed the LDAP request using the PowerShell script. It shows 2 entries from LDAP server LDAPserver2.mnopq.com. I have compared the AD attributes for both IDs. The extra ID has additional attributes such as msds-cloudextensionattribute7 {-1}, msds-cloudextensionattribute8 {Sync}, msds-externaldirectoryobjectid {User_--**} and ms-ds-consistencyguid {** ****}.
Kindly suggest whether we can hide or remove the extra people picker entry. Thanks
@rama2108 LDAPCP is a free, open-source project and there is no paid support for it.
Regarding your observation: you need to focus only on the LDAP attributes used in the LDAP query, which you copied previously:
(| (&(objectclass=user)(userPrincipalName=rama kant*)) (&(objectclass=group)(sAMAccountName=rama kant*)) (&(objectclass=user)(displayName=rama kant*)) (&(objectclass=user)(cn=rama kant*)(!(objectClass=computer))) (&(objectclass=user)(sn=rama kant*)) (&(objectclass=user)(givenName=rama kant*)) )
It is one of those attributes which matches user ramakant.singh@abc.com, and it seems that displayName is a good candidate.
Why do you expect that it does not find it?
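To follow the advice in the two comments above, here is an added example (not LDAPCP's code and not the script linked by Yvand) that replays the logged filter against both servers from the log and reports, for each object returned, which of the filter's attributes actually begins with the search text. Server names, authentication types and the input 'rama kant' are taken from the log lines in this thread; the bind account is prompted for and is an assumption.

```powershell
# Added example: replay the LDAPCP query from the verbose log and show which
# filter attribute produced each hit. Servers and input come from the thread.
Add-Type -AssemblyName System.DirectoryServices

$searchText = 'rama kant'                       # input shown in the LDAPCP log
$servers = @(
    @{ Path = 'LDAP://LDAPserver1.xyz.abc.com'; Auth = 'Secure, Signing' },
    @{ Path = 'LDAP://LDAPserver2.mnopq.com';   Auth = 'Secure, Signing, Sealing' }
)
$cred = Get-Credential -Message 'Account LDAPCP uses to bind (assumed)'

# Attributes named in the logged filter; reused below to explain each hit.
$userAttrs = 'userPrincipalName', 'displayName', 'cn', 'sn', 'givenName'
$filter = "(| (&(objectclass=user)(userPrincipalName=$searchText*)) " +
          "(&(objectclass=group)(sAMAccountName=$searchText*)) " +
          "(&(objectclass=user)(displayName=$searchText*)) " +
          "(&(objectclass=user)(cn=$searchText*)(!(objectClass=computer))) " +
          "(&(objectclass=user)(sn=$searchText*)) " +
          "(&(objectclass=user)(givenName=$searchText*)) )"

function Get-FirstValue($result, $name) {
    # ResultPropertyCollection returns an empty collection for absent attributes.
    $v = $result.Properties[$name.ToLower()]
    if ($v.Count -gt 0) { $v[0] } else { $null }
}

foreach ($s in $servers) {
    $authType = [System.DirectoryServices.AuthenticationTypes]$s.Auth
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $s.Path, $cred.UserName, $cred.GetNetworkCredential().Password, $authType)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PropertiesToLoad.AddRange([string[]]($userAttrs + 'sAMAccountName'))

    foreach ($r in $searcher.FindAll()) {
        # Every attribute whose value starts with the input is one LDAPCP matched on.
        $matched = foreach ($a in $userAttrs + 'sAMAccountName') {
            $val = Get-FirstValue $r $a
            if ($val -and ($val -like "$searchText*")) { "$a='$val'" }
        }
        [pscustomobject]@{
            Server  = $s.Path
            UPN     = Get-FirstValue $r 'userPrincipalName'
            Display = Get-FirstValue $r 'displayName'
            Matched = ($matched -join ', ')
        }
    }
}
```

The script only reads from the directory; it changes neither LDAPCP nor SharePoint configuration.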
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hi All, I am facing an issue with the people picker. In my SharePoint 2019 farm there are 2 LDAP connections present:
Ex: 1. LDAPserver1.xyz.abc.com and 2. LDAPserver2.mnopq.com
When I search for users in the people picker, it shows me 3 results, from the UPN domains xyz.abc.com, abc.com and mnopq.com:
Permission levels given to Singh, Rama Kant (i:0e.t|adfs|singr103@xyz.abc.com)
Permission levels given to Singh, Rama Kant (i:0e.t|adfs|ramakant.singh@abc.com)
Permission levels given to Singh, Rama Kant (Admin) (i:0e.t|adfs|singr103_nz1@mnopq.com)
I tried to update the people picker settings with stsadm commands:
stsadm -o setapppassword -password **
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "xyz.abc.com;mnopq.com",Farm Account,Password, -url WebApp
But this did not help.
Kindly suggest/help on this issue.