neos-sdi / adfsmfa

MFA for ADFS 2022/2019/2016/2012r2
MIT License

Issue with SQL SERVER #10

Closed Bastien-RB closed 6 years ago

Bastien-RB commented 6 years ago

Hello,

I have a new problem (promise it's the last). When I configure the SQL connection to use many directories, I have this error.

With the principal AD or an LDAP account:

Encountered error during federation passive request.

Additional Data

Protocol Name: wsfed

Relying Party:

Exception details: Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request. at Microsoft.IdentityServer.Web.Protocols.GenericProtocolRequest.ParseEncodedRequestParts(String[] encodedRequestParts) at Microsoft.IdentityServer.Web.Protocols.GenericProtocolRequest..ctor(String encodedGenericRequest) at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetOriginalRequestFromResponse(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

redhook62 commented 6 years ago

Hello,

I don't really understand your log. But are you using the new feature of ADFS 2016 used to declare a new local provider (an LDAP 3.0 repository)? If yes, have you configured it?

Sample PowerShell code to create a new local provider (LDAP 3.0 repo).

I used this kind of script to add my Synology NAS as a local provider:

```powershell
Get-AdfsLocalClaimsProviderTrust
Remove-AdfsLocalClaimsProviderTrust -TargetName Synology

$idStoreAccountUserName = "uid=root,cn=users,dc=contoso,dc=com"
$idStoreAccountPassword = "yourpassword" | ConvertTo-SecureString -AsPlainText -Force
$DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $idStoreAccountUserName, $idStoreAccountPassword
```

If using SSL:

```powershell
$Directory = New-AdfsLdapServerConnection -HostName "ldap.contoso.com" -Port 636 -SslMode SSL -AuthenticationMethod Basic -Credential $DirectoryCred
```

If not using SSL:

```powershell
$Directory = New-AdfsLdapServerConnection -HostName "ldap.contoso.com" -Port 389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred
```

Attributes mapping:

```powershell
$GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/commonname"
$Email = New-AdfsLdapAttributeToClaimMapping -LdapAttribute email -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$WindowsAccount = New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
```

Local claims provider creation (note the UPN anchor claim type and the windowsaccountname mapping):

```powershell
Add-AdfsLocalClaimsProviderTrust -Name "Synology" -Identifier urn:synology:contoso:com -Type Ldap `
    -LdapServerConnection @($Directory) -UserObjectClass inetOrgPerson -UserContainer "cn=users,dc=contoso,dc=com" `
    -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName, $Email, $WindowsAccount) `
    -AcceptanceTransformRules "c:[] => issue(claim = c);" -Enabled $true `
    -OrganizationalAccountSuffix @("contoso.com")
```

Attribute store:

```powershell
Add-ADFSAttributeStore -Name Synology `
    -TypeQualifiedName "Neos.IdentityServer.AttributeStore.LDAP, Neos.IdentityServer.Ldap.AttributeStore, Version=1.1.0.0, Culture=neutral, PublicKeyToken=175aa5ee756d2aa2" `
    -Configuration @{"servername" = "ldap.contoso.com" ; "port" = "389" ; "username" = "uid=root,cn=users,dc=contoso,dc=com" ; "password" = "password" ; "secured" = "false" ; "root" = "dc=contoso,dc=com"}
```

ADFS sample claim rules:

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Synology", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = "(uid={0});mail,mail", param = c.Value);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Synology", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(memberUid={0});cn", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(claim = c);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "urn:synology:contoso:com"] => issue(store = "Synology", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";uid,,mail;{0}", param = c.Value);
```

Attribute Store Extension Sample

Neos.IdentityServer.Ldap.AttributeStore.zip

Bastien-RB commented 6 years ago

Hello. My LDAP is working without MFA, and AD is working with MFA in AD mode. In SQL mode, AD and LDAP don't work.

I configured my LDAP like you, except I didn't do this step: Attribute Store.

I didn't see this step in this doc: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories

My LDAP config:

```powershell
$ldapuser = "uid=admin,ou=system"
$ldappassword = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force
$DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ldapuser, $ldappassword

$EXTDirectory = New-AdfsLdapServerConnection -HostName LDAPSERVER -Port 10389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

$DisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute displayName -ClaimType "http://temp.org/identity/claims/displayName"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"
$email = New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap `
    -LdapServerConnection $EXTDirectory -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" `
    -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $true `
    -LdapAttributeToClaimMapping @($email, $DisplayName, $CommonName, $Surname)
```

redhook62 commented 6 years ago

Hello,

Yes, Attribute Store is an old feature of ADFS and it's optional (only if you want more attributes for claims).

We have just tested with SQL Server, and we have no problems; it works as well! As you describe at first, it seems not related to MFA, but are you sure that your LDAP configuration is working? Does your configuration run as well with the LDAP provider removed?

```powershell
Get-AdfsLocalClaimsProviderTrust
Remove-AdfsLocalClaimsProviderTrust -TargetName EXTERNAL
```

I don't see, in your script, the declaration for the UPN AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn". MFA requires this claim (see: Neos.IdentityServer.Multifactor.AdapterMetadata.cs).

You are mapping the email attribute to the WindowsAccountName claim. This is wrong! You must map the email attribute to UPN as AnchorClaimType.

Remember, the UPN is always the identity claim in a federation context.

Let us know if this resolves your problem.

Regards

Bastien-RB commented 6 years ago

Hello,

I have changed the AnchorClaimType:

```powershell
Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap `
    -LdapServerConnection $EXTDirectory -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" `
    -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $true `
    -LdapAttributeToClaimMapping @($email, $DisplayName, $CommonName, $Surname)
```

It's OK for AD, but I have another error with LDAP (LDAP is OK without MFA):

Encountered error during federation passive request.

Additional Data

Protocol Name: wsfed

Relying Party: https://monapp.mestests.org/sampapp/

Exception details: System.IO.InvalidDataException: The identity information provided does not contain a Windows account name. at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData) at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Bastien-RB commented 6 years ago

It's OK, I added uid in my LDAP mapped to windowsaccountname and it's OK now, thanks for your help. Do you sell support for this solution?
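The two requirements that surfaced in this thread (UPN as the anchor claim type, and an LDAP account attribute mapped to windowsaccountname) can be checked on an existing local claims provider trust before enabling the MFA adapter. This is an added example, not code from the adfsmfa project or from either participant; it assumes the trust object returned by `Get-AdfsLocalClaimsProviderTrust` exposes `AnchorClaimType` and `LdapAttributeToClaimMapping` (each mapping with `LdapAttribute` and `ClaimType`), and that `Test-AdfsMfaLdapTrust` is a hypothetical helper name.

```powershell
# Claim types the thread identifies as required (UPN anchor, windowsaccountname mapping).
$UpnClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$WinAccountClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Hypothetical helper (added example): reports whether a local claims provider
# trust satisfies the MFA adapter's claim requirements discussed above.
function Test-AdfsMfaLdapTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name
    )
    # Assumption: Get-AdfsLocalClaimsProviderTrust accepts -Name and returns
    # an object carrying AnchorClaimType and LdapAttributeToClaimMapping.
    $trust = Get-AdfsLocalClaimsProviderTrust -Name $Name -ErrorAction Stop
    $problems = @()

    if ($trust.AnchorClaimType -ne $UpnClaim) {
        $problems += "AnchorClaimType is '$($trust.AnchorClaimType)'; the MFA adapter expects UPN"
    }

    $mappings = @($trust.LdapAttributeToClaimMapping)
    $winMap = $mappings | Where-Object { $_.ClaimType -eq $WinAccountClaim } | Select-Object -First 1
    if (-not $winMap) {
        # This is the state that produced "does not contain a Windows account name" above.
        $problems += "no LDAP attribute is mapped to windowsaccountname"
    }
    elseif ($winMap.LdapAttribute -in @("mail", "email")) {
        # A mail address is not an account name; the thread resolved this with uid.
        $problems += "windowsaccountname is mapped to '$($winMap.LdapAttribute)'; map an account identifier such as uid"
    }

    [pscustomobject]@{
        Name                        = $trust.Name
        AnchorClaimType             = $trust.AnchorClaimType
        WindowsAccountNameAttribute = if ($winMap) { $winMap.LdapAttribute } else { $null }
        Problems                    = $problems
        Ok                          = ($problems.Count -eq 0)
    }
}

# Usage on the trust created in this thread.
Test-AdfsMfaLdapTrust -Name "EXTERNAL" | Format-List
```

Run it on the ADFS server after `Add-AdfsLocalClaimsProviderTrust`; an `Ok` of `False` lists the mapping to correct before users are routed through MFA.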

redhook62 commented 6 years ago

Hi, this project is open source, and we are going to push new versions regularly. But if you really want to have support, contact neos-sdi (in French).

Regards