Closed Bastien-RB closed 6 years ago
Hello,
I don't really understand your log. But are you using the new feature of ADFS 2016 used to declare a new local provider (an LDAP 3.0 repository)? If yes, have you configured it?
I used this kind of script to add my Synology NAS as a Local Provider:
```powershell
Get-AdfsLocalClaimsProviderTrust
Remove-AdfsLocalClaimsProviderTrust -TargetName Synology
```

```powershell
$idStoreAccountUserName = "uid=root,cn=users,dc=contoso,dc=com"
$idStoreAccountPassword = "yourpassword" | ConvertTo-SecureString -AsPlainText -Force
$DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $idStoreAccountUserName, $idStoreAccountPassword

# LDAPS connection (port 636)
$Directory = New-AdfsLdapServerConnection -HostName "ldap.contoso.com" -Port 636 -SslMode SSL -AuthenticationMethod Basic -Credential $DirectoryCred
# Alternative: plain LDAP (port 389); running this line overrides the LDAPS connection above
$Directory = New-AdfsLdapServerConnection -HostName "ldap.contoso.com" -Port 389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

$GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/commonname"
$Email = New-AdfsLdapAttributeToClaimMapping -LdapAttribute email -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$WindowsAccount = New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

Add-AdfsLocalClaimsProviderTrust -Name "Synology" -Identifier urn:synology:contoso:com -Type Ldap -LdapServerConnection @($Directory) -UserObjectClass inetOrgPerson -UserContainer "cn=users,dc=contoso,dc=com" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName, $Email, $WindowsAccount) -AcceptanceTransformRules "c:[] => issue(claim = c);" -Enabled $true -OrganizationalAccountSuffix @("contoso.com")
```

Optional attribute store (Neos LDAP attribute store) and the claim rules that query it:

```powershell
Add-ADFSAttributeStore -Name Synology -TypeQualifiedName "Neos.IdentityServer.AttributeStore.LDAP, Neos.IdentityServer.Ldap.AttributeStore, Version=1.1.0.0, Culture=neutral, PublicKeyToken=175aa5ee756d2aa2" -Configuration @{"servername" = "ldap.contoso.com" ; "port" = "389" ; "username" = "uid=root,cn=users,dc=contoso,dc=com" ; "password" = "password" ; "secured" = "false" ; "root" = "dc=contoso,dc=com"}
```

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Synology", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = "(uid={0});mail,mail", param = c.Value );
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Synology", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(memberUid={0});cn", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(claim = c);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "urn:synology:contoso:com"] => issue(store = "Synology", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";uid,,mail;{0}", param = c.Value);
```
Hello. My LDAP works without MFA, and AD works with MFA in AD MODE. In SQL MODE, AD and LDAP don't work.
I configured my LDAP like you, except I didn't do the Attribute Store step.
I didn't see this step in this doc: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories
My LDAP config:

```powershell
$ldapuser = "uid=admin,ou=system"
$ldappassword = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force
$DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ldapuser,$ldappassword

$EXTDirectory = New-AdfsLdapServerConnection -HostName LDAPSERVER -Port 10389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

$DisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute displayName -ClaimType "http://temp.org/identity/claims/displayName"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"
$email = New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap -LdapServerConnection $EXTDirectory `
    -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $true -LdapAttributeToClaimMapping @($email, $DisplayName, $CommonName, $Surname)
```
Hello,
Yes, Attribute Store is an old ADFS feature and it's optional (only if you want more attributes for claims).
We have just tested with SQL Server, and we have no problems. It works as well!
As you describe at first, it seems not related to MFA, but are you sure that your LDAP configuration is working?
Does your configuration run as well with the LDAP Provider removed?

```powershell
Get-AdfsLocalClaimsProviderTrust
Remove-AdfsLocalClaimsProviderTrust -TargetName EXTERNAL
```

I don't see, in your script, a declaration for UPN:
`-AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"`
MFA requires this claim (see: Neos.IdentityServer.Multifactor.AdapterMetadata.cs).
You are mapping the email attribute to the WindowsAccountName claim. This is wrong! You must map the email attribute to UPN as AnchorClaimType.
Remember, the UPN is always the identity claim in a federation context.
Let us know if this resolves your problem.
Regards
Hello,
I have changed the AnchorClaimType:

```powershell
Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap -LdapServerConnection $EXTDirectory `
    -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $true -LdapAttributeToClaimMapping @($email, $DisplayName, $CommonName, $Surname)
```

It's OK for AD, but I have another error with LDAP (LDAP is OK without MFA): Encountered error during federation passive request.
Additional Data
Protocol Name: wsfed
Relying Party: https://monapp.mestests.org/sampapp/
Exception details: System.IO.InvalidDataException: The identity information provided does not contain a Windows account name. at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData) at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
It's OK, I added uid in my LDAP mapped to windowsaccountname and it's OK now. Thanks for your help. Do you sell support on this solution?
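For readers arriving at this thread, here is the configuration it converges on, with both corrections applied: the mail attribute anchored as the UPN claim (the maintainer's point above) and the uid attribute mapped to the windowsaccountname claim (the mapping that made the "does not contain a Windows account name" error go away). This is an added example, not code posted by the participants or shipped by the Neos project. The host name, port, bind DN, user container, trust name and identifier are placeholders; the `AnchorClaimType`, `LdapAttributeToClaimMapping` and `ClaimType` property names read back from `Get-AdfsLocalClaimsProviderTrust` are assumed. It also switches the connection to LDAPS, which the thread's `-SslMode None` examples do not use.

```powershell
# Added example: LDAP local claims provider trust with the two settings the thread ended on.
# All environment-specific values below are placeholders.

$TrustName     = "EXTERNAL"                # placeholder
$Identifier    = "urn:EXTERNAL"            # placeholder
$LdapHost      = "ldap.example.org"        # placeholder
$UserContainer = "ou=People,o=external"    # placeholder

# Bind credential: prompt for the password instead of embedding it in the script.
$BindDn   = "uid=admin,ou=system"          # placeholder
$BindPass = Read-Host -Prompt "Password for $BindDn" -AsSecureString
$DirectoryCred = New-Object System.Management.Automation.PSCredential($BindDn, $BindPass)

# LDAPS on 636; with -SslMode None the simple bind password crosses the wire in clear text.
$Directory = New-AdfsLdapServerConnection -HostName $LdapHost -Port 636 -SslMode SSL `
    -AuthenticationMethod Basic -Credential $DirectoryCred

# The two claim types the MFA adapter depends on according to the thread:
#   mail -> UPN as the anchor (identity) claim
#   uid  -> windowsaccountname, otherwise ExternalAuthenticationHandler fails with
#           "The identity information provided does not contain a Windows account name."
$UpnType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$WanType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

$Mappings = @(
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid         -ClaimType $WanType
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail        -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute displayName -ClaimType "http://temp.org/identity/claims/displayName"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn          -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn          -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
)

# Re-create the trust so the script can be re-run after a change.
if (Get-AdfsLocalClaimsProviderTrust -Name $TrustName -ErrorAction SilentlyContinue) {
    Remove-AdfsLocalClaimsProviderTrust -TargetName $TrustName
}

Add-AdfsLocalClaimsProviderTrust -Name $TrustName -Identifier $Identifier -Type Ldap `
    -LdapServerConnection @($Directory) `
    -UserObjectClass inetOrgPerson -UserContainer $UserContainer `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType $UpnType `
    -LdapAttributeToClaimMapping $Mappings `
    -AcceptanceTransformRules "c:[] => issue(claim = c);" `
    -Enabled $true

# Read the trust back and check the two settings before testing a sign-in.
# (Property names AnchorClaimType, LdapAttributeToClaimMapping and ClaimType are assumed.)
$Trust  = Get-AdfsLocalClaimsProviderTrust -Name $TrustName
$HasWan = @($Trust.LdapAttributeToClaimMapping | Where-Object { $_.ClaimType -eq $WanType }).Count -gt 0

if ($Trust.AnchorClaimType -ne $UpnType) {
    Write-Warning "AnchorClaimType is '$($Trust.AnchorClaimType)'; the MFA adapter expects '$UpnType'."
}
if (-not $HasWan) {
    Write-Warning "No LDAP attribute is mapped to windowsaccountname; MFA sign-in for these users will fail."
}
```

The two trailing checks are there because nothing in `Add-AdfsLocalClaimsProviderTrust` itself rejects a missing windowsaccountname mapping or a non-UPN anchor; the failure only shows up later as the passive request error quoted in this thread, so it is cheaper to assert the configuration right after creating the trust.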
Hi, this project is open source, and we are going to push new versions regularly. But if you really want to have support, contact neos-sdi (in French).
Regards
Hello,
I have a new problem (I promise it's the last). When I configure the SQL connection to use many directories, I have this error,
with the principal AD or an LDAP account:
Encountered error during federation passive request.
Additional Data
Protocol Name: wsfed
Relying Party:
Exception details: Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request. at Microsoft.IdentityServer.Web.Protocols.GenericProtocolRequest.ParseEncodedRequestParts(String[] encodedRequestParts) at Microsoft.IdentityServer.Web.Protocols.GenericProtocolRequest..ctor(String encodedGenericRequest) at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetOriginalRequestFromResponse(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)