I have tried everything possible with my limited knowledge but I can't figure out what's wrong, so I'm hoping someone can just point me in the right direction.
I have an ADFS 2016 server which works fine with our internal AD but I wanted to configure it with AD LDS as I don't want to add accounts for all our customers in our internal AD server.
I have installed AD LDS on the same box that is hosting ADFS (will move it away later but just want to make it work) and followed the article by Microsoft. Some changes to this setup are that I am only using the UPN and Email attributes and not First, Surname or givenName.
It seems when I use all the PowerShell commands from the article that I do get a local claims provider trust, but when I try to log in it always fails with error messages in the event log suggesting "The object does not exist".
The user account definitely exists but I am not sure what is wrong. The application is only sending a username and password, so I have defined a mapping to UPN, which is the same as the user's email, and also tried with the mail attribute.
What more information can I provide for someone to be able to guide me? Thanks
EDIT
I enabled trace debug for ADFS and I can see the following errors:
LDAPAttributeStoreReader: Failed to retrieve attributes with filter (&(objectClass=inetOrgPerson)(mail=user@domain.com)) with error:
System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
Server stack trace:
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.OnAttributeSearchComplete(IAsyncResult attributeSearchAsyncResult)
Also, some other errors that I can see
Failed to complete attribute store query with error:
The object does not exist.
Error code: NoSuchObject
Server response message: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.EndGetAttributes(IAsyncResult result)
at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.OnExecuteQueryComplete(IAsyncResult ar)
And a third one
LdapAccountStore: Failed to lookup the directory object for user user@domain.com on server.
Exception: The object does not exist.
Error code: NoSuchObject
Server response message: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
StackTrace: at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
ResultCode: NoSuchObject
ErrorMessage: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
MatchedDN: DC=domain,DC=com
StackTrace:
Server stack trace:
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.OnAttributeSearchComplete(IAsyncResult attributeSearchAsyncResult)
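A diagnostic script to go with the trace above (added here as an example; it is not from the post or from Microsoft's article). It binds to the AD LDS instance with the same System.DirectoryServices.Protocols classes ADFS uses, lists the partitions the instance actually holds, replays the failing filter, and on NoSuchObject lists what exists one level under the server's MatchedDN. Assumptions: the instance listens on localhost:389, the bind uses the current Windows identity, and $searchBase is a placeholder for the container DN configured in the LDAP claims provider trust.

```powershell
# Added diagnostic, not part of the original post. Assumptions: AD LDS on localhost:389,
# bind as the current Windows identity, $searchBase = the container DN configured for the
# LDAP claims provider trust (placeholder below, replace it with the real value).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$server     = 'localhost'   # assumption: AD LDS on the ADFS box, as described in the post
$port       = 389           # assumption: the instance's LDAP port
$searchBase = '<container DN configured in the claims provider trust>'   # placeholder
$filter     = '(&(objectClass=inetOrgPerson)(mail=user@domain.com))'     # filter from the trace

$conn = New-Object "$P.LdapConnection" (New-Object "$P.LdapDirectoryIdentifier" ($server, $port))
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

function Search-Ldap([string]$base, [string]$ldapFilter, [string]$scope, [string[]]$attrs) {
    $req = New-Object "$P.SearchRequest" ($base, $ldapFilter, [System.DirectoryServices.Protocols.SearchScope]$scope, $attrs)
    return $conn.SendRequest($req)
}

# 1. Partitions actually held by this instance, read from RootDSE.
$root = Search-Ldap '' '(objectClass=*)' 'Base' @('namingContexts')
"namingContexts on ${server}:${port}:"
$root.Entries[0].Attributes['namingContexts'].GetValues([string]) | ForEach-Object { "  $_" }

# 2. Replay the failing query. NoSuchObject means the *base DN* of the search is not an entry;
#    the server's MatchedDN is the deepest ancestor that does exist (DC=domain,DC=com in the
#    trace), so the container under it that ADFS was told to search is the missing piece.
try {
    $resp = Search-Ldap $searchBase $filter 'Subtree' @('mail', 'userPrincipalName')
    "Found $($resp.Entries.Count) entries under '$searchBase'"
    $resp.Entries | ForEach-Object { "  $($_.DistinguishedName)" }
}
catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # PowerShell may wrap the .NET exception; unwrap to the DirectoryOperationException itself.
    $ex = $_.Exception
    while ($ex -and -not ($ex -is [System.DirectoryServices.Protocols.DirectoryOperationException])) { $ex = $ex.InnerException }
    $r = $ex.Response
    "Search failed: ResultCode=$($r.ResultCode) MatchedDN='$($r.MatchedDN)' Message=$($r.ErrorMessage)"
    if ($r.MatchedDN) {
        # 3. Show what really exists directly under the matched ancestor, to pick the right container DN.
        "Objects directly under '$($r.MatchedDN)':"
        (Search-Ldap $r.MatchedDN '(objectClass=*)' 'OneLevel' @('name')).Entries |
            ForEach-Object { "  $($_.DistinguishedName)" }
    }
}
```

If step 2 succeeds here but ADFS still logs NoSuchObject, compare the DN that ADFS was given (in the claims provider trust settings) with the list from step 1, since the bind account and base DN are the two inputs that differ between this script and the ADFS attribute store.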