ADFS integration with Linux Ubuntu based LDAP server

  • Question

  • Hi Team,

    I'm trying to integrate ADFS with an Ubuntu-based LDAP server (OpenLDAP). I used the links below to integrate the two technologies, but when I try to authenticate users, it says invalid ID and password.

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories

    http://www.sparkhound.com/blog/adfs-4-now-allowing-you-to-authenticate-via-ldap

    I used both links and get the same error. According to the second link, it will throw an error that can be rectified by following some steps, but that is not happening.

    Can you help please?

    Regards


    Monday, June 25, 2018 4:24 PM

All replies

  • Do the ADFS logs give any more information?
    Maybe it's unable to connect to the LDAP in the first place?
    Wednesday, June 27, 2018 6:16 AM
  • Thanks Jorrk

    You are right. It says server unavailable. If I ping and do a DNS lookup it resolves. I just created a DNS host entry pointing to the Linux server.

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          6/28/2018 7:12:35 PM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          CLOUDFERN\hanuman
    Computer:      ADFS-2016.cloudfern.local
    Description:
    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    Saml 

    Relying Party: 
    http://adfs.cloudfern.in/adfs/services/trust 

    Exception details: 
    Microsoft.IdentityServer.AuthenticationFailedException: admin@technofern.local-The LDAP server is unavailable.
    Error code: 81
    Server response message: 
     ---> System.IdentityModel.Tokens.SecurityTokenValidationException: admin@technofern.local ---> Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException: The LDAP server is unavailable.
    Error code: 81
    Server response message: 
     ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
       at System.DirectoryServices.Protocols.LdapConnection.Connect()
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Microsoft.IdentityServer.GenericLdap.Channel.ConnectionBaseFactory.GenerateConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnectionCore(String server, Boolean isGC, LdapConnectionSettings settings, LdapServerConfiguration& configuration)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.Open(LdapServerConnection server)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(Exception exception, IEnumerator`1 serverEnumerator, ServerDelegate2 proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(ServerDelegate proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.InitializeConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, Boolean overrideLocation, String location, SearchScope scope, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSignOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    System.IdentityModel.Tokens.SecurityTokenValidationException: admin@technofern.local ---> Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException: The LDAP server is unavailable.
    Error code: 81
    Server response message: 
     ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
       at System.DirectoryServices.Protocols.LdapConnection.Connect()
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Microsoft.IdentityServer.GenericLdap.Channel.ConnectionBaseFactory.GenerateConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnectionCore(String server, Boolean isGC, LdapConnectionSettings settings, LdapServerConfiguration& configuration)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.Open(LdapServerConnection server)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(Exception exception, IEnumerator`1 serverEnumerator, ServerDelegate2 proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(ServerDelegate proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.InitializeConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, Boolean overrideLocation, String location, SearchScope scope, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)

    Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException: The LDAP server is unavailable.
    Error code: 81
    Server response message: 
     ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
       at System.DirectoryServices.Protocols.LdapConnection.Connect()
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Microsoft.IdentityServer.GenericLdap.Channel.ConnectionBaseFactory.GenerateConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnectionCore(String server, Boolean isGC, LdapConnectionSettings settings, LdapServerConfiguration& configuration)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.Open(LdapServerConnection server)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(Exception exception, IEnumerator`1 serverEnumerator, ServerDelegate2 proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(ServerDelegate proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.InitializeConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, Boolean overrideLocation, String location, SearchScope scope, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)

    System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
       at System.DirectoryServices.Protocols.LdapConnection.Connect()
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Microsoft.IdentityServer.GenericLdap.Channel.ConnectionBaseFactory.GenerateConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2018-06-28T19:12:35.372457600Z" />
        <EventRecordID>2360</EventRecordID>
        <Correlation ActivityID="{69001F7E-4C6C-4866-3B00-0080000000EB}" />
        <Execution ProcessID="5680" ThreadID="5628" />
        <Channel>AD FS/Admin</Channel>
        <Computer>ADFS-2016.cloudfern.local</Computer>
        <Security UserID="S-1-5-21-1534445926-2158499381-900804357-500" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Saml</Data>
            <Data>http://adfs.cloudfern.in/adfs/services/trust</Data>
            <Data>Microsoft.IdentityServer.AuthenticationFailedException: admin@technofern.local-The LDAP server is unavailable.
    Error code: 81
    Server response message: 
     ---&gt; System.IdentityModel.Tokens.SecurityTokenValidationException: admin@technofern.local ---&gt; Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException: The LDAP server is unavailable.
    Error code: 81
    Server response message: 
     ---&gt; System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
       at System.DirectoryServices.Protocols.LdapConnection.Connect()
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Microsoft.IdentityServer.GenericLdap.Channel.ConnectionBaseFactory.GenerateConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnectionCore(String server, Boolean isGC, LdapConnectionSettings settings, LdapServerConfiguration&amp; configuration)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.Open(LdapServerConnection server)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(Exception exception, IEnumerator`1 serverEnumerator, ServerDelegate2 proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(ServerDelegate proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.InitializeConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, Boolean overrideLocation, String location, SearchScope scope, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1&amp; identityClaimCollection)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1&amp; identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri&amp; replyTo, IList`1&amp; identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSignOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken&amp; ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    System.IdentityModel.Tokens.SecurityTokenValidationException: admin@technofern.local ---&gt; Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException: The LDAP server is unavailable.
    Error code: 81
    Server response message: 
     ---&gt; System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
       at System.DirectoryServices.Protocols.LdapConnection.Connect()
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Microsoft.IdentityServer.GenericLdap.Channel.ConnectionBaseFactory.GenerateConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnectionCore(String server, Boolean isGC, LdapConnectionSettings settings, LdapServerConfiguration&amp; configuration)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.Open(LdapServerConnection server)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(Exception exception, IEnumerator`1 serverEnumerator, ServerDelegate2 proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(ServerDelegate proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.InitializeConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, Boolean overrideLocation, String location, SearchScope scope, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1&amp; identityClaimCollection)

    Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException: The LDAP server is unavailable.
    Error code: 81
    Server response message: 
     ---&gt; System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
       at System.DirectoryServices.Protocols.LdapConnection.Connect()
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Microsoft.IdentityServer.GenericLdap.Channel.ConnectionBaseFactory.GenerateConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC, LdapConnectionSettings settings)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnectionCore(String server, Boolean isGC, LdapConnectionSettings settings, LdapServerConfiguration&amp; configuration)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.Open(LdapServerConnection server)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(Exception exception, IEnumerator`1 serverEnumerator, ServerDelegate2 proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerCollection.Execute(ServerDelegate proc)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.InitializeConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, Boolean overrideLocation, String location, SearchScope scope, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)

    System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
       at System.DirectoryServices.Protocols.LdapConnection.Connect()
       at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
       at Microsoft.IdentityServer.GenericLdap.Channel.ConnectionBaseFactory.GenerateConnection()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnectionHelper(String server, Boolean isGC, LdapConnectionSettings settings)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>




    Thursday, June 28, 2018 7:26 PM
  • OK, there you have it. 
    The LDAP server is unavailable from the ADFS-service point of view.

    Make sure all the openings/DNS etc. are in place and that the service account of the ADFS service has permission to browse the LDAP. Can you try to browse LDAP from the server with your account, so you know that all the openings/DNS etc. are in place? Because if that works, it's a permission thing with the ADFS service account.

    Monday, July 2, 2018 11:39 AM
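The check suggested above, as an added example that is not code from the thread or from Microsoft: run from a PowerShell prompt on the AD FS server, it repeats the two steps the stack trace shows AD FS performing (LdapConnection.Connect()/Bind(), then the GetUserDn() search) using the same .NET library, System.DirectoryServices.Protocols. The host name, port, bind DN, user container, attribute names and test user are assumptions, not values from the post; the function and parameter names are invented for this example.

```powershell
# Added diagnostic (not from the thread): reproduce the bind and the user lookup that
# AD FS does against the LDAP claims provider, so a failure can be placed on the right
# side of the line: "server unavailable" (bind) versus "no user found" (search).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a typed identity can never change the shape of the filter
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Test-LdapClaimsProviderLookup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Server,
        [int]$Port = 636,
        [switch]$PlainLdap,            # 389 without TLS: the bind password crosses the wire in clear; troubleshooting only
        [Parameter(Mandatory)] [pscredential]$BindCredential,   # user name = full bind DN of a read-only account
        [Parameter(Mandatory)] [string]$UserContainer,          # same DN as the CP trust's UserContainer
        [string]$UserObjectClass  = 'inetOrgPerson',            # same as the CP trust's UserObjectClass (assumed)
        [string]$LdapUserIdentity = 'mail',                     # same as the CP trust's LdapUserIdentity (assumed)
        [Parameter(Mandatory)] [string]$UserName                # what the user types at the AD FS sign-in form
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, like the CP's Basic method
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = -not $PlainLdap   # LDAPS; the server cert must chain to a CA the AD FS host trusts
    $conn.Credential = $BindCredential.GetNetworkCredential()

    try {
        $conn.Bind()   # Connect() + BindHelper() in the trace; failure here is the "LDAP server is unavailable" case
    }
    catch {
        # PowerShell may wrap the .NET exception; walk down to the LdapException to read its error code.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.DirectoryServices.Protocols.LdapException]) { $ex = $ex.InnerException }
        if (-not $ex) { throw }
        # ErrorCode 81 = LDAP_SERVER_DOWN: nothing answered on $Server:$Port (DNS, firewall, slapd not listening
        # on that port, or LDAPS requested against a plain listener). 49 = the bind DN or password was rejected.
        return [pscustomobject]@{ Step = 'bind'; ErrorCode = $ex.ErrorCode; Message = $ex.Message; Entries = @() }
    }

    # Which value AD FS puts into the filter (the full "user@suffix" or only the part before '@') depends on
    # the CP trust settings, so search for both forms and report what the directory actually holds.
    $candidates = @($UserName, $UserName.Split('@')[0]) | Select-Object -Unique
    $results = foreach ($candidate in $candidates) {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest
        $req.DistinguishedName = $UserContainer
        $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $req.Filter = "(&(objectClass=$UserObjectClass)($LdapUserIdentity=$(ConvertTo-LdapFilterValue $candidate)))"
        [void]$req.Attributes.Add($LdapUserIdentity)
        $resp = $conn.SendRequest($req)
        foreach ($entry in $resp.Entries) {
            [pscustomobject]@{ SearchedFor = $candidate; UserDn = $entry.DistinguishedName }
        }
    }
    $conn.Dispose()

    # A successful bind with zero entries is the MSIS8017 situation: connectivity is fine, the lookup is not.
    return [pscustomobject]@{ Step = 'search'; ErrorCode = 0; Message = "$(@($results).Count) matching entries"; Entries = @($results) }
}

# Usage (all values are placeholders):
# $cred = Get-Credential -UserName 'cn=adfs-bind,dc=technofern,dc=local' -Message 'bind password'
# Test-LdapClaimsProviderLookup -Server 'ldap.technofern.local' -BindCredential $cred `
#     -UserContainer 'ou=people,dc=technofern,dc=local' -UserName 'ldpuser1@technofern.local'
```

Run it first with the bind account and then, if the service account is the one AD FS uses to bind, under that account (for example in a `runas`-style session), so the "permission thing" and the "openings/DNS thing" are separated by the `Step` field of the result. Leave the certificate validation alone: a bind that only works with `-PlainLdap` tells you the LDAPS listener or its certificate chain is the problem, which is what should be fixed rather than bypassed.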
  • Can you copy/paste the configuration of your CP? Do you have spaces in the DN of your LDAP BaseDN?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, July 4, 2018 1:14 PM
  • Hi Jorrk,

    I tried to connect to LDAP and it works fine. I see an error saying no user found for that identity. I think ADFS is not able to forward requests to the remote Linux server and they are searched locally.

    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    wsfed 

    Relying Party: 
    https://app.cloudfern.local/claimsapp 

    Exception details: 
    Microsoft.IdentityServer.AuthenticationFailedException: ldpuser1@technofern.local-MSIS8017: No user account is found for identity 'ldpuser1@technofern.local'. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ldpuser1@technofern.local ---> Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8017: No user account is found for identity 'ldpuser1@technofern.local'.
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSignOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    System.IdentityModel.Tokens.SecurityTokenValidationException: ldpuser1@technofern.local ---> Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8017: No user account is found for identity 'ldpuser1@technofern.local'.
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)

    Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8017: No user account is found for identity 'ldpuser1@technofern.local'.
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.ValidateUser(IAuthenticationContext context)


    Regards Suman B. Singh


    Friday, July 6, 2018 9:19 AM
  • Greetings,

    Can you share the configuration of your Claims provider trust created in your ADFS server which points to the LDAP server?

    Regards

    Eric

    Mark as answer if this helps


    Microsoft Forum Update

    Monday, July 9, 2018 7:22 AM
  • Hi Eric,

    Thanks for the reply. I believe this is the one you are looking for.

    $ldapadmin = "uid=hanuman,ou=People,dc=technofern,dc=local"
    $pwd = ConvertTo-SecureString -String "hanuman@2009" -Force -AsPlainText
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $ldapadmin,$pwd

    $LdapDirectory = New-AdfsLdapServerConnection -HostName LDAPSrv.technofern.local -Port 389 `
    -SslMode None -AuthenticationMethod Basic -Credential $cred

    $CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn `
    -ClaimType http://schemas.xmlsoap.org/claims/CommonName

    $DisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute "displayName" `
    -ClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    $UPN = New-AdfsLdapAttributeToClaimMapping -LdapAttribute UPN `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UPN"

    Add-AdfsLocalClaimsProviderTrust -Name "LdapDemo" -Identifier "urn:ldapdemo" `
    -Type Ldap -LdapServerConnection $LdapDirectory -LdapAuthenticationMethod Basic `
    -UserObjectClass user -UserContainer "ou=People,dc=technofern,dc=local" `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -AcceptanceTransformRules  "@RuleName = `"Issue All Mapped Claims`"`nc:[] => issue(claim = c);" `
    -Enabled $true -LdapAttributeToClaimMapping @($CommonName, $DisplayName, $UPN) `
    -OrganizationalAccountSuffix "technofern.local"  


    Regards Suman B. Singh

    Monday, July 9, 2018 7:44 AM
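Two checks an administrator would run against the configuration posted above, as an added example that is not Suman's script: the bind goes over cleartext LDAP on 389 with a literal password, so the hardened connection below uses LDAPS on 636 and prompts for the credential, and because MSIS8017 "No user account is found" means ADFS could not resolve the login to an entry under -UserContainer, the function issues that lookup directly with System.DirectoryServices.Protocols before the trust is created. The host name, container, objectClass and attribute names are the thread's own values; the shape of the search filter is my assumption about what ADFS looks up, not documented behaviour.

```powershell
# Added example (not from the thread): hardened LDAP connection plus a direct
# pre-flight search for the account ADFS has to resolve from the login name.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Prompt for the bind account instead of embedding its password in the script.
$cred = Get-Credential -Message "LDAP bind DN, e.g. uid=hanuman,ou=People,dc=technofern,dc=local"

function Test-LdapAnchorLookup {
    param(
        [string]$Server,                 # e.g. LDAPSrv.technofern.local
        [int]$Port = 636,                # LDAPS
        [pscredential]$Credential,
        [string]$UserContainer,          # e.g. ou=People,dc=technofern,dc=local
        [string]$UserObjectClass,        # 'user' exists in AD; OpenLDAP accounts are usually inetOrgPerson
        [string]$AnchorAttribute,        # attribute mapped to the -AnchorClaimType
        [string]$Login                   # e.g. ldpuser1@technofern.local
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:${Port}")
    $conn.SessionOptions.SecureSocketLayer = $true   # bind password never travels in cleartext
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    $conn.Bind()   # throws if the server is unreachable or the bind DN/password is wrong

    # Assumption: ADFS resolves the login to a DN with a search of this shape.
    # Escape the login (RFC 4515) so a user-supplied value cannot alter the filter.
    $safe = $Login -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $filter = "(&(objectClass=$UserObjectClass)($AnchorAttribute=$safe))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $UserContainer, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@("objectClass", $AnchorAttribute))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) {
        Write-Warning "No entry under $UserContainer matches $filter; ADFS would raise MSIS8017 for $Login"
    }
    return $resp.Entries
}

# Mirror the trust settings from the thread; an empty result here points at
# -UserContainer, -UserObjectClass or the anchor attribute rather than at ADFS.
$entries = Test-LdapAnchorLookup -Server LDAPSrv.technofern.local -Credential $cred `
    -UserContainer "ou=People,dc=technofern,dc=local" -UserObjectClass user `
    -AnchorAttribute UPN -Login "ldpuser1@technofern.local"
$entries | ForEach-Object { $_.DistinguishedName }

# Hardened equivalent of the thread's New-AdfsLdapServerConnection call:
# LDAPS on 636 with the prompted credential (-SslMode accepts None, Ssl or Tls).
$LdapDirectory = New-AdfsLdapServerConnection -HostName LDAPSrv.technofern.local -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $cred
```

If the search returns an entry but the trust still fails, compare the attribute that entry actually carries with the -LdapAttribute named in the mapping whose claim type is the -AnchorClaimType.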