
I have tried everything possible with my limited knowledge but I can't figure out what's wrong, so I'm hoping someone can just point me in the right direction.

I have an ADFS 2016 server which works fine with our internal AD but I wanted to configure it with AD LDS as I don't want to add accounts for all our customers in our internal AD server.

I have installed AD LDS on the same box that is hosting ADFS (will move it away later but just want to make it work) and followed the article by Microsoft. Some changes to this setup are that I am only using the UPN and Email attributes and not First, surname or givenName.

It seems when I use all the PowerShell commands from the article that I do get a local claims provider trust, but when I try to login it always fails with error messages in the event log suggesting "The object does not exist".

The user account definitely exists but I am not sure what is wrong. The application is only sending a username and password, so I have defined a mapping to UPN, which is the same as the user's email, and also tried with the mail attribute.

What more information can I provide for someone to be able to guide me? Thanks

EDIT

I enabled trace debug for ADFS and I can see the following errors:

    LDAPAttributeStoreReader: Failed to retrieve attributes with filter (&(objectClass=inetOrgPerson)(mail=user@domain.com)) with error:
    System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.

    Server stack trace: 
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
       at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

    Exception rethrown at [0]: 
       at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.OnAttributeSearchComplete(IAsyncResult attributeSearchAsyncResult)

Also, some other errors that I can see:

    Failed to complete attribute store query with error:
    The object does not exist.
    Error code: NoSuchObject
    Server response message: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=domain,DC=com'

       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.EndGetAttributes(IAsyncResult result)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.OnExecuteQueryComplete(IAsyncResult ar)

And a third one:

    LdapAccountStore: Failed to lookup the directory object for user user@domain.com on server.
    Exception: The object does not exist.
    Error code: NoSuchObject
    Server response message: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=domain,DC=com'

    StackTrace:    at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
    System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
    ResultCode: NoSuchObject
    ErrorMessage: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=domain,DC=com'

    MatchedDN: DC=domain,DC=com
    StackTrace: 
    Server stack trace: 
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
       at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

    Exception rethrown at [0]: 
       at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.OnAttributeSearchComplete(IAsyncResult attributeSearchAsyncResult)
Junaid
1 Answer

So, finally, after a lot of trial and error, I found the fix for my problem. This applies mainly if you are setting up ADFS 4 with AD LDS authentication and have probably followed this Microsoft article.

It may have been apparent to some, but I struggled with it. When you follow this article, it does not mention that the account you use to bind to your AD LDS instance needs to be made a member of the Administrators group. Now, when I figured out it had something to do with permissions, I tried to add the account to the Administrator group in the configuration partition, and that did not work, obviously. So find the Administrator group in the application partition you have created and make the account a member of it using its DN.

One more thing I want to mention is this ClaimsXray tool by Microsoft, which helped me figure out some other problems. Thanks

Junaid
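One way to reproduce the lookup ADFS performs and then apply the fix from the answer, as an added PowerShell example that is not part of the question or the answer. The AD LDS server name, the bind account DN and its CN=Users container are assumptions; the partition DN, the LDAP filter and the test address come from the logs in the question.

```powershell
# Assumed values: replace with your own. The partition DN is the one named in the
# question's error text; the server and account names are placeholders.
$LdsServer  = 'adfs01.domain.com:389'                 # AD LDS host:port (placeholder)
$Partition  = 'DC=domain,DC=com'                      # application partition from the error
$BindUserDn = "CN=svc-adfs-lds,CN=Users,$Partition"   # ADFS bind account (placeholder DN)
$BindPass   = Read-Host -AsSecureString 'Bind account password'
$TestMail   = 'user@domain.com'                       # address from the question's log

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdsUserLookup {
    # Runs the exact filter ADFS logged, bound as the ADFS account, so the result
    # shows what ADFS sees. Returns the entry count, or -1 on an LDAP error.
    param($Server, $BaseDn, $UserDn, [securestring]$Password, $Mail)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    # Simple bind sends the password in the clear: use port 636 with SSL in production.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $conn.Credential = [System.Net.NetworkCredential]::new($UserDn, $plain)
    try {
        $conn.Bind()    # a wrong password raises LdapException, which is left to propagate
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, "(&(objectClass=inetOrgPerson)(mail=$Mail))",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('mail', 'userPrincipalName'))
        return $conn.SendRequest($req).Entries.Count
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # NoSuchObject with "best match of: <partition>" is the symptom in the question:
        # the partition root is not visible to this account, not a missing user.
        Write-Warning ("{0} ({1})" -f $_.Exception.Message, $_.Exception.Response.ResultCode)
        return -1
    } finally { $conn.Dispose() }
}

function Add-LdsPartitionAdmin {
    # AD LDS keeps per-partition roles under CN=Roles; add the bind account to the
    # partition's Administrators role by DN. Run as an existing partition admin.
    param($Server, $BaseDn, $MemberDn)
    $group = [ADSI]"LDAP://$Server/CN=Administrators,CN=Roles,$BaseDn"
    $group.Add("LDAP://$Server/$MemberDn")
}

if ((Test-LdsUserLookup $LdsServer $Partition $BindUserDn $BindPass $TestMail) -lt 0) {
    Add-LdsPartitionAdmin -Server $LdsServer -BaseDn $Partition -MemberDn $BindUserDn
    Test-LdsUserLookup $LdsServer $Partition $BindUserDn $BindPass $TestMail   # re-check
}
```

A result of 0 after the re-check means the partition is now readable but no inetOrgPerson carries that mail value, which points at the attribute mapping rather than permissions.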