Problem with AD group authentication on FBA enabled Project Server 2016 Webapp

  • Question

  • I have Project Server 2016. I've configured FBA based on this guide - https://docs.microsoft.com/en-us/previous-versions/office/sharepoint-server-2010/ee806890(v=office.14)#section2

    When I add an FBA user to any Project group (for example "Team Members for Project Web App"), the user can authenticate on the site via FBA and gets the access level based on the group role. But when I try to add (Site settings - Site permissions - any site role) an FBA group (rolemanager:g2), I receive the following error - "Sorry, something went wrong. The user does not exist or is not unique.".

    In the ULS log I'm getting the following:

    08/17/2018 17:09:04.82 w3wp.exe (0x1FEC)                        0x07AC SharePoint Foundation          Resolve                        ax7nk Medium  Found multiple matches for resolution. Web: 'af904f57-5b8e-49bb-8c23-103a1f187fb1', WebApp: 'null', Input: 'c:0-.f|rolemanager|g2', PrincipalType: 'SecurityGroup', PrincipalSource: 'RoleProvider', MatchCount: '2'. 97b0859e-d0e8-80ca-0000-01d782af63af
    ---
    08/17/2018 17:09:04.82 w3wp.exe (0x1FEC)                        0x07AC SharePoint Foundation          Authentication Authorization  a7wir Unexpected GetUserInfoFromMembershipProvider: Request is in a web context and we can't find the user so we are failing. LoginName: 'c:0-.f|rolemanager|g2', bIsRole: 'True'. 97b0859e-d0e8-80ca-0000-01d782af63af
    ---
    08/17/2018 17:09:04.82 w3wp.exe (0x1FEC)                        0x07AC SharePoint Foundation          Claims Authentication          ax8ng Medium  ensureUserExistsInternal2: managedCodeInterop.getUserInfoFromMembershipProvider return values. bSuccess: 'False' wzLogin: 'c:0-.f|rolemanager|g2' wstrUserKey: '' 97b0859e-d0e8-80ca-0000-01d782af63af
    ---
    08/17/2018 17:09:04.82 w3wp.exe (0x1FEC)                        0x07AC SharePoint Foundation          General                        8kh7 High    The user does not exist or is not unique. 97b0859e-d0e8-80ca-0000-01d782af63af
    ---

    I've found that if I assign this FBA group (rolemanager:g2) rights in User Policy (CAS - Manage Web Application - My WebApp - User Policy), the group is added successfully and users (that belong to group r2) can authenticate on the Project web site successfully.

    What am I doing wrong?

    CAS web.config:

            <add name="membership"
                 type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                 server="srv-dc01.home.loc"
                 port="389"
                 useSSL="false"
                 userDNAttribute="distinguishedName"
                 userNameAttribute="sAMAccountName"
                 userContainer="DC=home,DC=loc"
                 userObjectClass="person"
                 userFilter="(ObjectClass=person)"
                 scope="Subtree"
                 otherRequiredUserAttributes="sn,givenname,cn" />

            <add name="roleManager"
                 type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                 server="srv-dc01.home.loc"
                 port="389"
                 useSSL="false"
                 groupContainer="DC=home,DC=loc"
                 groupNameAttribute="cn"
                 groupNameAlternateSearchAttribute="samAccountName"
                 groupMemberAttribute="member"
                 userNameAttribute="sAMAccountName"
                 dnAttribute="distinguishedName"
                 groupFilter="(ObjectClass=group)"
                 userFilter="(ObjectClass=person)"
                 scope="Subtree" />

    STS web.config:

            <add name="membership" 
                 type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" 
                 server="srv-dc01.home.loc"
                 port="389" 
                 useSSL="false" 
                 userDNAttribute="distinguishedName" 
                 userNameAttribute="sAMAccountName" 
                 userContainer="DC=home,DC=loc"
                 userObjectClass="person" 
                 userFilter="(ObjectClass=person)" 
                 scope="Subtree" 
                 otherRequiredUserAttributes="sn,givenname,cn" />

            <add name="rolemanager"
                 type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                 server="srv-dc01.home.loc" 
                 port="389"
                 useSSL="false"
                 groupContainer="DC=home,DC=loc"
                 groupNameAttribute="cn"
                 groupNameAlternateSearchAttribute="samAccountName"
                 groupMemberAttribute="member"
                 userNameAttribute="sAMAccountName"
                 dnAttribute="distinguishedName"
                 groupFilter="(ObjectClass=group)"
                 userFilter="(ObjectClass=person)"
                 scope="Subtree" />
     
    Project Webapp web.config:

            <add name="membership"
                 type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                 server="srv-dc01.home.loc"
                 port="389"
                 useSSL="false"
                 userDNAttribute="distinguishedName"
                 userNameAttribute="sAMAccountName"
                 userContainer="DC=home,DC=loc"
                 userObjectClass="person"
                 userFilter="(&amp;(ObjectClass=person))"
                 scope="Subtree"
                 otherRequiredUserAttributes="sn,givenname,cn" />

            <add name="roleManager"
                 type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                 server="srv-dc01.home.loc"
                 port="389"
                 useSSL="false"
                 groupContainer="DC=home,DC=loc"
                 groupNameAttribute="cn"
                 groupNameAlternateSearchAttribute="samAccountName"
                 groupMemberAttribute="member"
                 userNameAttribute="sAMAccountName"
                 dnAttribute="distinguishedName"
                 groupFilter="(&amp;(ObjectClass=group))"
                 userFilter="(&amp;(ObjectClass=person))"
                 scope="Subtree" />
    Friday, August 17, 2018 5:43 PM
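The ULS line that matters is the first one: the resolver reports MatchCount 2 for Input 'c:0-.f|rolemanager|g2' from PrincipalSource RoleProvider, and "does not exist or is not unique" is the downstream consequence. As an added diagnostic (not part of the original question, and not SharePoint's or the provider's own code), the PowerShell below runs the two group lookups that the posted role provider settings describe (groupFilter combined with groupNameAttribute=cn, and again with groupNameAlternateSearchAttribute=samAccountName) against the posted groupContainer and server, and reports whether 'g2' hits one directory object or several. It assumes the RSAT ActiveDirectory module is installed where it runs and that this filter shape approximates what LdapRoleProvider issues; that shape is an assumption, not taken from the provider's source.

```powershell
# Added diagnostic for the post above; it is not part of the original question.
# Assumptions: the RSAT ActiveDirectory module is installed on this host, the host can
# reach srv-dc01.home.loc on port 389, and the filter shape below (the posted groupFilter
# AND a match on cn, then the same with sAMAccountName) approximates what the role
# provider sends. That shape is an assumption, not taken from LdapRoleProvider's source.

param(
    [string]$GroupName   = 'g2',                  # name from the ULS Input 'c:0-.f|rolemanager|g2'
    [string]$SearchBase  = 'DC=home,DC=loc',      # groupContainer in the posted web.config
    [string]$Server      = 'srv-dc01.home.loc',   # server in the posted web.config
    [string]$GroupFilter = '(ObjectClass=group)'  # groupFilter in the CAS/STS web.config
)

Import-Module ActiveDirectory -ErrorAction Stop

# Escape the RFC 4515 special characters so a name containing \ * ( ) or NUL
# cannot change the meaning of the filter. Backslash must be handled first.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$safeName = ConvertTo-LdapFilterValue $GroupName

# One search per name attribute, mirroring groupNameAttribute and
# groupNameAlternateSearchAttribute, so the output shows which attribute produced each hit.
$searches = [ordered]@{
    cn             = "(&$GroupFilter(cn=$safeName))"
    sAMAccountName = "(&$GroupFilter(sAMAccountName=$safeName))"
}

$rows = @(foreach ($attr in $searches.Keys) {
    Get-ADObject -Server $Server -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter $searches[$attr] -Properties cn, sAMAccountName |
        ForEach-Object {
            [pscustomobject]@{
                MatchedBy         = $attr
                cn                = $_.cn
                sAMAccountName    = $_.sAMAccountName
                DistinguishedName = $_.DistinguishedName
            }
        }
})

$rows | Format-Table -AutoSize

# Collapse by DN: a second row for the same DN means one object was found twice,
# not that two objects exist.
$distinct = @($rows | Select-Object -ExpandProperty DistinguishedName -Unique)
"Rows returned: $($rows.Count); distinct objects: $($distinct.Count)"

if ($distinct.Count -gt 1) {
    "Ambiguous: more than one group under $SearchBase answers to '$GroupName'. Rename one of them or point groupContainer at a narrower OU."
} elseif ($rows.Count -gt $distinct.Count) {
    "One object matched on both cn and sAMAccountName. A resolver that merges the two lookups without de-duplicating by DN would count it twice."
} elseif ($distinct.Count -eq 1) {
    "Exactly one group resolves for '$GroupName' in the directory."
} else {
    "No group named '$GroupName' found under $SearchBase with filter $GroupFilter."
}
```

Run it from a machine with the AD module against the same domain controller the providers use. If the directory returns two distinct DNs, the fix is in AD or in a narrower groupContainer, and the User Policy path only worked because it does not go through the same site-level resolver. If the directory returns one distinct object while the ULS entry still reports MatchCount 2, the duplication is on the SharePoint side of the lookup rather than in the directory, which is the thing to take to support.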