ADFS 3.0 AD LDS account self-creation with smart card

  • Question

  • I have ADFS 3.0 with AD LDS as a data store for authenticating external users in SharePoint's extended web application. The users are using their smart cards (client certificates) to access the application. For users who have never accessed the application before, I need to provide self-registration or dynamically create their accounts on the fly in AD LDS. Can someone tell me how this can be done?

    Thanks in advance!


    Tuesday, May 3, 2016 5:51 PM

Answers

  • The same way as above.

    Custom website that behind the scenes updates AD.

    ADFS does not provide this functionality because its function is authentication not provisioning.


    • Marked as answer by iSunshine2 Tuesday, May 3, 2016 9:53 PM
    Tuesday, May 3, 2016 8:15 PM

All replies

  • Just to clarify:

    ADFS 3.0 only authenticates against AD, not AD LDS (ADAM).

    You can use AD LDS as an authorization store in order to generate claims but that's all you can do.

    ADFS 3.0 has very limited customisation. The best you can do is to customise one of the links, e.g. "Don't have a smartcard?", so that it takes you to a custom website that you will have to create, which uses LDAP commands to update the repository.

    Tuesday, May 3, 2016 6:44 PM
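The server-side provisioning step behind the "custom website" described in the reply above, as an added example that is not code from the thread or from Microsoft. It is written against AD, the store the thread settles on as the one ADFS 3.0 authenticates against; for AD LDS the attribute names differ (msDS-UserAccountDisabled instead of userAccountControl, no sAMAccountName). Everything named here is assumed: the domain controller dc01.corp.contoso.com, the OU OU=ExternalUsers,DC=corp,DC=contoso,DC=com, the pinned CA root thumbprints, and a provisioning account whose only right is to create users in that OU. The -CertPath parameter stands in for the TLS-authenticated client certificate that IIS hands the registration page (Request.ClientCertificate on a site with client certificates set to Require); the point of the design is that the identity being provisioned comes from a certificate whose private key the visitor just proved possession of, never from a form field.

```powershell
<#
 Added example, not code from the thread. Provisions an AD user from a validated
 smart-card certificate. Assumed names: dc01.corp.contoso.com,
 OU=ExternalUsers,DC=corp,DC=contoso,DC=com, pinned CA root thumbprints, and a
 least-privilege provisioning account. -CertPath stands in for the client
 certificate the TLS handshake gave the registration page.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]   $CertPath,
    [Parameter(Mandatory)] [string[]] $TrustedRootThumbprint,   # pinned smart-card CA root(s)
    [string] $DomainController = 'dc01.corp.contoso.com',
    [string] $UsersOu = 'OU=ExternalUsers,DC=corp,DC=contoso,DC=com',
    [pscredential] $ProvisioningCredential = (Get-Credential -Message 'Provisioning account')
)
Import-Module ActiveDirectory

function Test-SmartCardCertificate {
    # TLS proved possession of the private key; this proves the certificate chains to one
    # of our smart-card CAs, is not revoked, and is valid for client authentication.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert, [string[]] $Roots)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    # 1.3.6.1.5.5.7.3.2 = Client Authentication EKU
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2')) | Out-Null
    if (-not $chain.Build($Cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Rejected $($Cert.Thumbprint): $why"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    if ($root -notin $Roots) { throw "Rejected $($Cert.Thumbprint): root $root is not a trusted smart-card CA" }
}

function ConvertTo-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping: the UPN comes from the certificate, but it still lands in an LDAP filter.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function New-SmartCardUser {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $upn = $Cert.GetNameInfo('UpnName', $false)      # SAN otherName UPN, the value AD maps the card to
    if (-not $upn) { throw "Certificate $($Cert.Thumbprint) carries no UPN; nothing to provision" }

    # Idempotent: a second visit with the same card returns the existing account instead of a duplicate.
    $existing = Get-ADUser -Server $DomainController -Credential $ProvisioningCredential `
        -SearchBase $UsersOu -LDAPFilter "(userPrincipalName=$(ConvertTo-LdapFilterValue $upn))" |
        Select-Object -First 1
    if ($existing) { return $existing.DistinguishedName }

    # Smart-card-only account: SMARTCARD_REQUIRED plus a random password that is never stored.
    # Never PASSWD_NOTREQD, which would leave an enabled account with an empty password.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # CN is the thumbprint (hex only, so no RDN escaping); sAMAccountName is capped at 20 chars.
    $user = New-ADUser -Server $DomainController -Credential $ProvisioningCredential -Path $UsersOu `
        -Name $Cert.Thumbprint `
        -SamAccountName ('ext-' + $Cert.Thumbprint.Substring(0, 16)) `
        -UserPrincipalName $upn `
        -DisplayName $Cert.GetNameInfo('SimpleName', $false) `
        -Certificates $Cert `
        -SmartcardLogonRequired $true -AccountPassword $password -Enabled $true -PassThru
    return $user.DistinguishedName
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Test-SmartCardCertificate -Cert $cert -Roots $TrustedRootThumbprint
Write-Output ("Account ready: " + (New-SmartCardUser -Cert $cert))
```

Once the object exists, AD maps the card to it through the UPN in the certificate's SAN, the same implicit mapping smart-card logon uses; if your CA does not put a UPN in the certificate, populate altSecurityIdentities explicitly instead of relying on the UPN. Keep the provisioning account's rights to "create user objects in this OU" only, so that a bug in the registration page cannot be turned into a write anywhere else in the directory, and log the thumbprint and the resulting DN for every call so that enrolments can be audited against the CA's issuance records.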
  • I was under the impression that ADFS 3.0 can authenticate against AD LDS by looking at this technet article: https://technet.microsoft.com/en-us/library/dn823754.aspx

    This is not true?

    Tuesday, May 3, 2016 6:52 PM
  • Look at the top of the article:

    "Applies To: Windows Server Technical Preview"

    This is for ADFS 4.0 (Server 2016) - not yet released - currently Technical Preview 5 is out.

    Tuesday, May 3, 2016 6:57 PM
  • Thanks for the clarification. Got confused as I had got to the page by clicking the link off the page that also applies to 2012 R2. (https://technet.microsoft.com/en-us/library/dn448847.aspx?f=255&MSPPError=-2147217396)

    Now with the correction, let's say ADFS 3.0 is authenticating against AD, not AD LDS. How can I provide the self-registration for creating the new user account?

    Tuesday, May 3, 2016 7:57 PM