ADFS OAuth2 Password-Grant for LDAP Users

  • Question

  • Hello!

    We are using ADFS 4.0 with two "LocalClaimProviderTrusts" aka Attribute Stores.

    One is an Active Directory and the other one is an LDAP (IPA) server.

    For some use cases we use the non-interactive OAuth2 endpoint "/adfs/oauth2/token", where "grant_type" is "password".

    And here we ran into a limitation: this endpoint only accepts AD users. If we try to authenticate LDAP users with username and password against this endpoint, we get the following error in the event log, indicating that ADFS is only searching for users in the Active Directory: "Username or Password wrong"

    System.ComponentModel.Win32Exception (0x80004005): Der Benutzername oder das Kennwort ist falsch
       bei Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
       bei Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
       bei Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUser(String domain, String username, String password, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
       bei Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)

    Is there any chance to receive a JWT token representing an LDAP user non-interactively?

    Thanks!

    Dave


    Friday, October 12, 2018 9:18 AM
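The token-endpoint exchange the question describes, as an added example that is not part of the original post or of ADFS itself. It builds the OAuth2 resource-owner-password (grant_type=password) request for "/adfs/oauth2/token" and classifies the endpoint's JSON reply; the host name, client id, resource identifier and the two sample responses are constructed placeholders, and the password grant is shown only to make the flow concrete: because the raw credential is forwarded to the claims provider for validation, it succeeds only where ADFS can validate it, which per the stack trace above is the Active Directory store.

```python
"""Added example: construct an ADFS OAuth2 password-grant (ROPC) request and
interpret the token endpoint's answer. Not code from the original post.
ADFS_HOST, CLIENT_ID and RESOURCE are placeholders; the sample responses are
constructed for offline use, not captured from a real farm."""
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

ADFS_HOST = "adfs.example.test"                      # placeholder farm name
TOKEN_URL = f"https://{ADFS_HOST}/adfs/oauth2/token"  # endpoint named in the post
CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder client id
RESOURCE = "urn:placeholder:api"                      # placeholder relying party

# Constructed sample replies (shape follows RFC 6749 section 5; values invented).
SAMPLE_SUCCESS = json.dumps({
    "access_token": "eyJ.placeholder.jwt",
    "token_type": "bearer",
    "expires_in": 3600,
}).encode()
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "(constructed) username or password wrong",
}).encode()


def build_ropc_request(username: str, password: str,
                       client_id: str = CLIENT_ID,
                       resource: str = RESOURCE) -> Request:
    """Return the POST request for grant_type=password.

    The credential travels in the form body, so the endpoint can only
    succeed for stores where ADFS can validate it directly (the AD trust
    store in the post's stack trace); there is no browser redirect.
    """
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "resource": resource,
        "username": username,
        "password": password,
    }).encode()
    return Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def request_form_fields(req: Request) -> dict:
    """Decode the form body of a request built above (single-valued fields)."""
    return {k: v[0] for k, v in parse_qs(req.data.decode()).items()}


def parse_token_response(status: int, body: bytes) -> dict:
    """Classify the endpoint reply: a bearer token on 200, else the OAuth2 error.

    A failed password grant surfaces as HTTP 400 with "error": "invalid_grant";
    the detailed reason (such as the LsaLogonUser failure in the post) is only
    visible in the ADFS event log, not to the client.
    """
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {
            "ok": True,
            "token_type": data.get("token_type"),
            "expires_in": data.get("expires_in"),
        }
    return {
        "ok": False,
        "error": data.get("error", "unknown_error"),
        "error_description": data.get("error_description", ""),
    }


if __name__ == "__main__":
    req = build_ropc_request("ad-user", "placeholder-password")
    print(req.full_url, request_form_fields(req)["grant_type"])
    print(parse_token_response(200, SAMPLE_SUCCESS))
    print(parse_token_response(400, SAMPLE_ERROR))
```

To send the request for real, pass it to `urllib.request.urlopen` and feed the status and body to `parse_token_response`; the two sample constants stand in for the farm's reply so the block runs offline.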