Private Personal Identifier with 2 nodes ADFS farm not same

  • Question

  • Hello,

    I am trying to generate a PPID claim on ADFS (Windows Server 2019) with the rule from

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/when-to-use-a-custom-claim-rule :

    c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]  
     => issue(store = "_OpaqueIdStore", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);

    But my setup is a two-node ADFS farm (with a SQL cluster as the back end) behind a load balancer.

    My problem is that each node generates a different PPID for the same user.

    To my understanding, ADFS should generate the same PPID?

    Is it possible (and how) with _OpaqueIdStore to generate the same PPID from different servers of the same ADFS farm?

    Thank you in advance.

    Sunday, March 8, 2020 5:24 PM

All replies

  • Are both nodes running 2019?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, March 9, 2020 10:06 PM
  • Hello, yes, both nodes are at 17763.1039.

    Thanks in advance.

    Tuesday, March 10, 2020 9:25 AM
  • I can't repro in my lab. I am running 17763.1098.

    Note that there is a typo in your rule. The claim type starts with https instead of http.


    Wednesday, March 11, 2020 3:20 AM
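An added example, not posted by anyone in this thread, showing how an administrator could check the two points raised above from the ADFS PowerShell module: whether the configured rule still carries the https typo in the windowsaccountname claim type (a claim type that never matches, so the PPID is never issued), and whether both farm nodes read the same issuance rules from the shared configuration database. The relying party trust name "Example RP" is a placeholder, and the output property names of Get-AdfsFarmInformation (FarmNodes, FQDN) are taken from the Windows Server 2016+ cmdlet as documented.

```powershell
# Added example (not from the thread). Audits the PPID claim rule on one
# relying party trust and compares the rule text each farm node sees.
# ASSUMPTION: 'Example RP' is a placeholder relying party trust name.
$rpName = 'Example RP'

# The documented rule, with http (not https) in the windowsaccountname claim type.
$ppidRule = @'
@RuleName = "Issue PPID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "_OpaqueIdStore", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);
'@

# 1. Flag any claim type written with https: such a condition never matches a
#    real claim, so the rule silently issues nothing.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$badTypes = [regex]::Matches($rp.IssuanceTransformRules, 'https://schemas\.(microsoft|xmlsoap)\.[^"]+')
foreach ($m in $badTypes) {
    Write-Warning "Claim type uses https and will not match: $($m.Value)"
}

# 2. Confirm the nodes belong to one farm and see identical rule text
#    (a SHA-256 of the rule set is compared rather than the full text).
$farm  = Get-AdfsFarmInformation
$nodes = $farm.FarmNodes | ForEach-Object { $_.FQDN }
$ruleHashes = Invoke-Command -ComputerName $nodes -ArgumentList $rpName -ScriptBlock {
    param($name)
    $r     = Get-AdfsRelyingPartyTrust -Name $name
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [Text.Encoding]::UTF8.GetBytes($r.IssuanceTransformRules)
    [PSCustomObject]@{
        Node     = $env:COMPUTERNAME
        RuleHash = ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-')
    }
}
$ruleHashes | Format-Table Node, RuleHash
if (($ruleHashes.RuleHash | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Farm nodes report different issuance rules for this trust.'
}

# 3. Optional: append the corrected PPID rule to the existing rule set.
#    Uncomment after reviewing the current rules; this rewrites the whole set.
# Set-AdfsRelyingPartyTrust -TargetName $rpName `
#     -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $ppidRule)
```

Run it from an ADFS node as a farm administrator. If the rule hashes match on both nodes but users still receive different PPIDs, the rule text itself is not the difference, which narrows the investigation to the nodes' runtime state rather than the configuration database.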