Configure ADFS on Windows Server 2016 to authenticate users stored in LDAP directories

  • Question

  • Good morning all,

    we are trying to test ADFS on Windows Server 2016 to authenticate users stored in another LDAP service (IBM Tivoli Directory Services).

    We follow the procedure documented here:
    https://technet.microsoft.com/windows-server-docs/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories

    The problem is that when we run the command Add-AdfsLocalClaimsProviderTrust we receive this error:

    Add-AdfsLocalClaimsProviderTrust : MSIS3328: Unable to query the LDAP servers. The supplied credential is invalid.
    Error code: 49
    Server response message:
    At line:1 char:1
    + Add-AdfsLocalClaimsProviderTrust -Name "testldap" -Identifier "urn:te ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Add-AdfsLocalClaimsProviderTrust], ArgumentException
        + FullyQualifiedErrorId : MSIS3328,Microsoft.IdentityServer.Management.Commands.AddLocalClaimsProviderTrustCommand

    These are the commands that we use for credentials:

    $ldapuser = "uid=binduser,dc=test,dc=net" | ConvertTo-SecureString -AsPlainText -force
    $DirectoryCred = Get-Credential -username $ldapuser -Message "Enter the credentials to bind to the LDAP instance:"

    at this point we enter the password in the window that appears, then these commands:
    $vendorDirectory = New-AdfsLdapServerConnection -HostName 10.0.0.1 -Port 389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

    $GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    $Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    $CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"

    Add-AdfsLocalClaimsProviderTrust -Name "testldap" -Identifier "urn:testldap" -Type Ldap -LdapServerConnection $vendorDirectory -UserObjectClass inetOrgPerson -UserContainer "ou=users,dc=test,dc=net" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName) -AcceptanceTransformRules "c:[Type != ''] => issue(claim=c);" -Enabled $true

    We checked the credentials using another tool to connect to the LDAP server (ldp.exe) and we are able to connect and browse the external LDAP using the same credentials.

    What else can we check in order to troubleshoot and fix this issue?

    Thanks in advance,
    Luigi

    Monday, March 20, 2017 3:24 PM

Answers

  • I had the same issue: when using the instructions from the TechNet article, the username being passed to the LDAP server was "System.Security.SecureString" instead of "uid=binduser,dc=test,dc=net".

    I had to create PSCredential object like this:

    $ldapuser = "uid=binduser,dc=test,dc=net"
    $ldappassword = ConvertTo-SecureString -String "password" -AsPlainText -Force
    $DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ldapuser,$ldappassword

    With PSCredential object Add-AdfsLocalClaimsProviderTrust cmdlet didn't return an error.

    Bojan

    • Edited by Bojan Pasic Tuesday, March 21, 2017 9:30 AM
    • Marked as answer by Luigi Magnoni Tuesday, March 21, 2017 10:03 AM
    Tuesday, March 21, 2017 9:27 AM
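Added example (not code posted by anyone in this thread): a PowerShell pre-flight that applies what both replies recommend. It keeps the bind DN a plain string and makes only the password a SecureString, checks what Add-AdfsLocalClaimsProviderTrust will actually send as the username, and tests the simple bind with System.DirectoryServices.Protocols before creating the server connection. The host, port, bind DN and container are taken from the thread and are assumptions; the example also switches to LDAPS (port 636, -SslMode Ssl), because the thread's -Port 389 -SslMode None with Basic authentication sends the bind DN and password across the network in the clear.

```powershell
# Added example, not from the original thread. Host, port, bind DN and
# container are assumptions taken from the question; replace with your own.

# 1. Build the credential. The username must remain a plain [string]; only the
#    password is a SecureString. Prompting keeps the password out of the script.
$ldapUser = "uid=binduser,dc=test,dc=net"
$DirectoryCred = Get-Credential -UserName $ldapUser -Message "Enter the credentials to bind to the LDAP instance:"

# 2. Check the bind DN ADFS will send. With the TechNet snippet ($ldapUser piped
#    through ConvertTo-SecureString) this is 'System.Security.SecureString', which
#    the directory rejects with LDAP result code 49 (invalidCredentials).
if ($DirectoryCred.UserName -ne $ldapUser) {
    throw "Bind DN is '$($DirectoryCred.UserName)', expected '$ldapUser'"
}

# 3. Test the simple bind with the same host, port and credential ADFS will use.
function Test-LdapSimpleBind {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 636,
        [switch] $UseSsl,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    # Simple bind is what the ADFS cmdlets call the 'Basic' authentication method.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    # The connection wants a NetworkCredential (DN + password), not a PSCredential.
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 49 is the same invalidCredentials result ADFS reports as MSIS3328.
        Write-Warning ("Bind failed: LDAP error {0} ({1})" -f $_.Exception.ErrorCode, $_.Exception.Message)
        return $false
    }
    finally {
        $conn.Dispose()
    }
}

if (-not (Test-LdapSimpleBind -HostName "10.0.0.1" -Port 636 -UseSsl -Credential $DirectoryCred)) {
    throw "LDAP bind failed with the supplied credential; fix this before creating the claims provider trust"
}

# 4. Only now create the ADFS server connection, over LDAPS so the simple-bind
#    password is not sent in the clear as it would be with -Port 389 -SslMode None.
$vendorDirectory = New-AdfsLdapServerConnection -HostName "10.0.0.1" -Port 636 -SslMode Ssl -AuthenticationMethod Basic -Credential $DirectoryCred
```

Run the script on the ADFS server itself, since that is the host whose network path and trust store matter: if step 3 fails with error 49 there while ldp.exe succeeds from a workstation, compare the exact DN string and the SSL/port combination rather than the password. For LDAPS the directory's server certificate must chain to a CA the ADFS server trusts, or the bind fails before any credential is checked.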

All replies

  • Hi Luigi,

    This line

    $ldapuser = "uid=binduser,dc=test,dc=net" | ConvertTo-SecureString -AsPlainText -force

    Looks very wrong - you are converting the username to a secure string and then passing it to the get-credential command.

    Try this

    $ldapuser = "uid=binduser,dc=test,dc=net" 
    $DirectoryCred = Get-Credential -username $ldapuser -Message "Enter the credentials to bind to the LDAP instance:"

    Good Luck!

    Shane

    Tuesday, March 21, 2017 12:03 AM
  • Hi all,

    with Bojan's indications I was able to solve it.

    Thanks a lot for your help,

    Luigi

    Tuesday, March 21, 2017 10:03 AM