Problems using federated auth. for the WAP Admin portal

    Question

  • Hi

    I'm completely new to WAP and followed Marc van Eijk TechEd presentation on how to set up a test environment: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B317#fbid=

    The only difference is that I used my existing ADFS server (which also has a proxy). This went smoothly and I could log into the Tenant site with my domain account. I then tried to repeat the steps from the presentation to set up federated login for the admin site, but I ran into problems and I’m not sure how to troubleshoot this.

    I go to https://wapadmin.mydomain.com, am redirected, log in to ADFS and am redirected back. I then briefly see the same “progress circle” as you normally would, but then I get:

    “Access Denied

    User does not have permissions to access the Service Management API”

    If I Google that message, I end up for example here:

    http://contoso.se/blog/?p=4004

    I’ve tried to run the command and I also checked that the user is listed in mp.AdminUsers/mp.AuthorizedAdminUsers in the Microsoft.MgmtSvc.Store database.

    Both the AdminSite and TenantSite are set up on port 443 with a proper wildcard certificate. The rest of the sites are on the same ports as when WAP was installed. All servers are 2012 R2.

    Any tips on how to solve or troubleshoot this will be greatly appreciated.

    Tuesday, September 02, 2014 7:51 PM

Answers

  • Hey Frank,

    I suspect you added the username in the format 'domain\alias'. AD FS, if you followed Marc's session, will give you the UPN in the format username@domain.com. Can you please double check this and add the UPN of the user?

    Please let me know if this is not the case and if so, it would be useful if you can give me the exact values you added.

    Thanks

    --

    Shri

    • Marked as answer by Frank Wiggum Tuesday, September 02, 2014 10:28 PM
    Tuesday, September 02, 2014 9:47 PM

All replies

  • Hi

    Thank you!!! You are 100% correct, I added the user as 'domain\user' and by changing it to 'username@domain.com', I could log in successfully to the admin site.

    Tuesday, September 02, 2014 10:45 PM
  • Wanted to chime in here. What I found is that it isn't that there's some problem with the format "DOMAIN\groupname". The problem is that <DOMAIN> might not be what you think it is. At least for me that was it. Here's an example.

    In a lot of enterprises, the fully qualified domain name might be "america.enterprise.company.com". Usually a domain also has a short name that you use when you see the format "DOMAIN\groupname", maybe [AM-ENT\groupname] in this case. You are used to "AM-ENT" being synonymous and interchangeable with "america.enterprise.company.com". So you type in Add-MgmtSvcUser -Principal "AM-ENT\groupname" and it doesn't work. As noted here, you can add individual users using their SAMName format as a workaround, but the real trick is that in an ADFS token, your group names are formatted as america\groupname. Notice it's not the familiar "short name" of your domain but rather the leftmost string in your fully qualified domain name. Often those are the same string, but maybe not, as in my example. So do: Add-MgmtSvcUser -Principal "america\groupname" and it works.

    Hope that makes sense and helps someone.

    Tom

    Wednesday, August 03, 2016 10:54 PM
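The two replies above describe the same root cause from different angles: the string registered as a WAP admin principal has to be the exact identifier AD FS puts in the token, which is the UPN for users (Shri's answer) and `<leftmost DNS label>\groupname` rather than the NetBIOS short name for groups (Tom's reply). The helper below is an added example, not code from the thread, from Windows Azure Pack or from AD FS. It parses the principal you configured and the claim value the token actually carried, and names the kind of mismatch (format or domain label), so you can tell which of the two pitfalls you hit before touching the database. It assumes a case-insensitive exact string match, which the thread's symptoms suggest but do not prove, and the sample values (`frank@mydomain.com`, `AM-ENT`, `america.enterprise.company.com`) are taken from or constructed in the style of the thread.

```python
"""
Constructed troubleshooting helper for the "User does not have permissions to
access the Service Management API" symptom. Not part of the forum thread, of
Windows Azure Pack or of AD FS.

Assumptions (labelled because the thread does not state them):
- WAP compares the registered principal and the token claim as an exact,
  case-insensitive string match;
- AD FS emits users as UPN (user@dns.domain) and groups as
  <leftmost DNS label>\\groupname, as the two replies describe.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    kind: str    # "upn", "downlevel" (DOMAIN\\name) or "bare"
    domain: str  # domain part, lower-cased ("" for bare names)
    name: str    # user or group name, lower-cased


def parse_principal(value: str) -> Principal:
    """Split a principal string into its form, domain part and name."""
    v = value.strip()
    if "\\" in v:
        dom, name = v.split("\\", 1)
        return Principal("downlevel", dom.lower(), name.lower())
    if "@" in v:
        name, dom = v.rsplit("@", 1)
        return Principal("upn", dom.lower(), name.lower())
    return Principal("bare", "", v.lower())


def group_domain_label(dns_domain: str) -> str:
    """The label AD FS uses in front of a group name (per Tom's reply):
    'america.enterprise.company.com' -> 'america'."""
    return dns_domain.strip(".").split(".")[0].lower()


def principal_to_register(name: str, dns_domain: str, is_group: bool) -> str:
    """The string the thread says to register: UPN for users,
    <leftmost label>\\group for groups."""
    if is_group:
        return f"{group_domain_label(dns_domain)}\\{name}"
    return f"{name}@{dns_domain}"


def diagnose(configured: str, claim: str) -> str:
    """Return 'match' or a one-line explanation of why the registered
    principal does not equal the claim value AD FS emitted."""
    c, t = parse_principal(configured), parse_principal(claim)
    if c == t:
        return "match"
    if c.name != t.name:
        return f"name mismatch: configured '{c.name}', token carries '{t.name}'"
    if c.kind != t.kind:
        return (f"format mismatch: configured {c.kind} '{configured}', "
                f"token carries {t.kind} '{claim}'; register the token form")
    # Same form and same name, so only the domain part differs: typically the
    # NetBIOS short name was used where the leftmost DNS label was expected.
    return (f"domain label mismatch: configured '{c.domain}', token carries "
            f"'{t.domain}' (NetBIOS short name vs leftmost DNS label?)")


if __name__ == "__main__":
    # Constructed inputs mirroring the two cases in the thread.
    print(diagnose("mydomain\\frank", "frank@mydomain.com"))
    print(diagnose("AM-ENT\\groupname", "america\\groupname"))
    print(principal_to_register("groupname", "america.enterprise.company.com", True))
```

Run it with a principal you registered and the claim value copied from a captured token (or from the AD FS claims-issuance rules), and the returned message tells you whether to switch to UPN form or to replace the NetBIOS name with the leftmost DNS label.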