Claims Authentication - Security Groups not working

  • Question

  • Hello All, 

    I've recently configured claims authentication on SharePoint. The infrastructure is as below: 

    1. Domain Controller for ABC.com 

    2. AD FS Server ABC.com 

    3. Domain Controller XYZ.com

    4. SharePoint Server on XYZ.com 

    5. A Client which is a member of ABC.com 

    With this setup, I'm able to log in using the username and password of ABC.com users. However, for better administrative needs, I created a Security Group in Active Directory Users and Computers called spusers@abc.com and added some users. After creating the group, I successfully added the group to SharePoint as well. When I try to access the SharePoint site with the credentials of the users who are part of the security group, it gives me a message saying "Sorry, this site is not shared with you". Are my settings correct? Are there any additional steps that need to be taken to make the Security Group work? Your help is highly appreciated. 

    Regards,

    Srikanth Nagendranath

    

    Tuesday, May 19, 2015 6:17 AM

Answers

  • Hello All,

    Just to update everyone, I resolved the issue. Found out that the identifier claim was not right and therefore the security group was not working. I set the identifier claim to email address, and everything started to work. Thanks a ton for your help.

    Regards,

    Srikanth

    • Marked as answer by Srikanth N Thursday, July 16, 2015 6:41 AM
    Thursday, July 16, 2015 6:41 AM

All replies

  • Hi Srikanth,

    Can you provide a little more info on what claims you pass through to SharePoint in your AD FS server for ABC.com? Specifically, can you send a screenshot, or share info on the Edit Claim Rules for the Relying Party Trust?

    I suspect you are not passing the Role claim (or are passing it incorrectly), which should be mapped to the Windows security group.

    If you need more information, please let me know.


    Nico Martens
    SharePoint/Office365/Azure Consultant

    Tuesday, May 19, 2015 8:26 AM
    [Screenshot: Claim Rules]

    Hi Nico, 

    Thank you for the reply. Above is the screenshot of the claim rules. Your help is highly appreciated. 

    Regards,

    Srikanth N

    Tuesday, May 19, 2015 8:33 AM
  • Okay, it seems you have set up "Role" as outgoing claim type, which contains the AD Group.

    In your setup, I assume you have created a mapping which includes this claim type?

    Something similar to this?

    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming


    Nico Martens (http://sharepointrelated.com/about)
    SharePoint/Office365/Azure Consultant

    Tuesday, May 19, 2015 8:38 AM
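  • The following is an added example, not code posted by anyone in this thread, that puts the two pieces the thread turns on side by side: the Role claim mapping Nico asks about, and the identifier claim set to the email address that the accepted answer reports as the fix. It is SharePoint Management Shell (PowerShell) run on the SharePoint server. All concrete values are assumptions for illustration: the AD FS host adfs.abc.com, the relying party identifier urn:sharepoint:xyz, the exported token-signing certificate path C:\certs\adfs-token-signing.cer, the issuer name "ADFS ABC", and the web application https://portal.xyz.com.

```powershell
# Added example (not from the thread). Registers AD FS as a trusted identity
# provider in SharePoint with the e-mail address as the identifier claim and the
# AD FS "Role" claim passed through, so that an AD security group such as
# spusers@abc.com can be granted permission in SharePoint.
# Hypothetical values: adfs.abc.com, urn:sharepoint:xyz, the .cer path,
# the issuer name and the web application URL are all assumptions.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath   = "C:\certs\adfs-token-signing.cer"   # token-signing cert exported from AD FS (public key only)
$adfsSignIn = "https://adfs.abc.com/adfs/ls/"      # AD FS passive sign-in endpoint
$realm      = "urn:sharepoint:xyz"                 # must equal the Relying Party identifier configured in AD FS
$issuerName = "ADFS ABC"

# 1. Trust the AD FS token-signing certificate so SharePoint accepts tokens it signs.
#    Without this, every token fails signature validation regardless of its claims.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# 2. Map the incoming claim types SharePoint should honour from the token.
#    The e-mail claim will be the user's identity; the Role claim carries the
#    group names emitted by the AD FS "Send LDAP Attributes as Claims" rule.
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleType `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the trusted identity token issuer.
#    -IdentifierClaim selects which mapped claim SharePoint uses as the principal's
#    identity. It must be one of the -ClaimsMappings AND one the AD FS rules
#    actually emit; if AD FS never sends that claim, sign-in fails or the user
#    resolves to a principal that holds no permissions.
$sts = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "AD FS for ABC.com users" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $adfsSignIn `
    -IdentifierClaim $emailType

# 4. Attach the provider to the web application's Default zone (alongside
#    Windows authentication, so farm admins keep a way in).
$wa = Get-SPWebApplication "https://portal.xyz.com"
$windows = New-SPAuthenticationProvider          # defaults to NTLM
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $sts

# 5. Verify what SharePoint believes: which claim is the identifier and which
#    claim types it will accept. Compare InputClaimType against the outgoing
#    claim types shown in the AD FS Edit Claim Rules dialog.
$sts = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$sts.IdentityClaimTypeInformation | Format-List DisplayName, InputClaimType
$sts.ClaimTypeInformation        | Format-Table DisplayName, InputClaimType, MappedClaimType

# 6. Show the encoded principal SharePoint stores when the group is granted
#    rights. The Role claim value AD FS sends must match this value exactly
#    (e.g. "spusers@abc.com" vs "ABC\spusers" vs the group SID, depending on
#    which Token-Groups attribute the AD FS rule uses); otherwise the user
#    arrives with a valid token but no ACL entry matches, and SharePoint
#    replies "Sorry, this site is not shared with you".
$groupClaim = New-SPClaimsPrincipal -ClaimValue "spusers@abc.com" `
    -ClaimType $roleType -TrustedIdentityTokenIssuer $sts
$groupClaim.ToEncodedString()
```

    The two checks in steps 5 and 6 are the ones to run when a group grant does not take effect: step 5 confirms the identifier claim and the Role mapping are registered on the SharePoint side, and step 6 shows the exact string SharePoint compares against the incoming Role claim value. If either the identifier claim type or the group string differs from what the AD FS claim rules emit, the user authenticates but is not a member of anything SharePoint recognises.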
  • Hello Nico, 

    You're right, I've added a mapping called Role: 

    [Screenshot: Claim Mapping Role]

    Tuesday, May 19, 2015 9:10 AM
  • Hi Srikanth,

    For this issue, I recommend verifying the things below:

    1. Make sure that the token signing certificate from ADFS has been exported and added to SharePoint trusted root authorities.
    2. Make sure that the authentication method has been selected for the corresponding web application.

    Please check if there are any steps missing when configuring ADFS for SharePoint by following the steps in the links below:

    https://samlman.wordpress.com/2015/02/28/configuring-sharepoint-2010-and-adfs-v2-end-to-end/

    http://social.technet.microsoft.com/wiki/contents/articles/10452.sharepoint-2010-how-to-install-and-configure-adfs-2-0-on-windows-server-2008-r2-for-sharepoint-2010.aspx

    Thanks,

    Victoria


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, May 21, 2015 4:30 AM
  • Hi Srikanth,

    How is everything going?

    Is there any update about this issue?

    If you have any questions, please feel free to let us know.

    Thanks,

    Victoria



    Wednesday, May 27, 2015 9:43 AM
  • Hello Victoria, 

    Sorry for the delayed reply. So far no luck. I've tried umpteen times but for some reason, it does not get resolved. I think I should open a support ticket directly with the SharePoint team. Once I open and resolve the issue, I'll get back to this thread and update everyone on the solution. 

    Regards,

    Srikanth Nagendranath 

    Monday, June 29, 2015 8:44 AM