Multiple profiles for the same user (AD + ADFS)

    Question

  • Hi all,

    I have a SharePoint farm. Some web apps are using NTLM classic authentication, others SAML claims authentication (ADFS) (we don't have NTLM claims auth at the moment). Users can authenticate successfully to both types of web apps. But I'm having problems configuring the User Profile Service.

    I've provisioned the UPS. I've created an Active Directory synchronization (for NTLM profiles). I've also created a synchronization connection for ADFS (connected to the same AD, the same OU is used too, and the "Claim User Identifier" is set).

    My problem is that in the "Manage User Profiles" page, when I search for users, some of them have a "Windows" profile, i.e. "DOMAIN\myuser". Some of them have an ADFS profile "i:0\.t|adfs|myuser@example.com". And some of them have both profiles -> this is what I would expect for all of them.

    So why do some users have only one profile? I found a very interesting post here:

    http://blogs.msdn.com/b/kaevans/archive/2013/05/23/sharepoint-2013-user-profile-sync-for-claims-users.aspx

    This guy has a setup similar to mine. However, he's using 3 different OUs, one for each type of authentication. Is this mandatory? Isn't it possible to have several profiles for the same user?

    I've looked at FIM, no errors, but a lot of profiles are filtered because of "Failed: Duplicate Object".

    Can someone help me, or at least tell me whether it is supported to have more than one profile?

    Thanks,
    Matth

    • Edited by Matth CH Tuesday, July 23, 2013 3:43 PM
    Tuesday, July 23, 2013 3:43 PM

All replies

  • If you want to have multiple profiles for the same user you would need to configure multiple sync connectors (you said OU but I think you meant sync)

    MCITP-EA | "Never test how deep the water is with both feet"

    Sunday, August 4, 2013 4:36 PM
  • The reason that you've got some but not all is that SharePoint will automatically generate a profile for you if your account logs into SharePoint and doesn't already have one. It makes sense in many cases but it'll almost certainly explain your patchy profile problem.

    The more interesting question is why your users are not being pulled in by your syncs. Have a look at the FIM logs and see if there are any errors. Also check the filter rules being used and consider re-provisioning the connection.

    Sunday, August 4, 2013 5:12 PM
  • What if I want to have a same profile, just different authentication providers?

    Namely, we have a default portal web app with claims Windows NTLM authentication. We extended it to the Extranet zone to secure external access for our internal users with ADFS and configured mappings.

    When inside network, user is read by SharePoint as DOMAIN\name.surname.

    When logging in from outside using ADFS, they are name.surname@domain.com. This way, they do not have access to their files, versions, tasks etc. They are a whole new profile to SharePoint. How can I merge them?

    Friday, January 15, 2016 12:36 PM
  • Having multiple profiles per user is not supported. You need to use a single authentication method across Web Applications for any one particular user. In addition, SharePoint sees a single SAML and Windows Auth user as two completely different users. Not only profiles, but permissions would be separate.

    You just need to direct everyone through ADFS, internally and externally. There is no workaround for this.


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, January 15, 2016 1:27 PM
    Moderator
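To see in practice why the two accounts in this thread ("DOMAIN\myuser" and "i:0...t|adfs|myuser@example.com") land as separate profiles, and to audit a profile list for such duplicates, here is an added Python example (not code from the thread or from SharePoint). It assumes the common SharePoint claims-encoding layout and letter meanings noted in the comments, and uses a constructed NetBIOS-domain to UPN-suffix map and constructed profile names.

```python
import re
from collections import defaultdict

# Assumed SharePoint claims-encoding layout (an assumption, not from the thread):
#   i:0<claimtype>.<issuer>|<provider>|<value>   for trusted (SAML) issuers
#   i:0<claimtype>.<issuer>|<value>              for Windows claims
# Letter meanings are the commonly documented ones; treat them as assumptions.
CLAIM_TYPES = {"#": "logonname", "5": "email", "e": "upn"}
ISSUERS = {"w": "windows", "t": "trusted", "f": "forms", "m": "membership"}

ENCODED = re.compile(r"^i:0(?P<ctype>.)\.(?P<issuer>.)\|(?P<rest>.+)$")

def parse_account(account):
    """Return (issuer_kind, provider, claim_type, value) for one profile account name.
    Classic-mode names like DOMAIN\\user come back with issuer 'classic'."""
    m = ENCODED.match(account)
    if not m:
        return ("classic", None, "logonname", account)
    ctype = CLAIM_TYPES.get(m.group("ctype"), "unknown")
    issuer = ISSUERS.get(m.group("issuer"), "unknown")
    rest = m.group("rest")
    if issuer == "trusted":
        provider, _, value = rest.partition("|")   # e.g. adfs|alice@contoso.com
    else:
        provider, value = None, rest
    return (issuer, provider, ctype, value)

def principal_key(account, domain_map):
    """Collapse DOMAIN\\user and user@suffix to one lower-case key so profiles
    issued by different providers can be correlated to one person."""
    _, _, ctype, value = parse_account(account)
    value = value.lower()
    if ctype == "logonname" and "\\" in value:
        domain, _, user = value.partition("\\")
        return f"{user}@{domain_map.get(domain, domain)}"
    return value

def find_duplicate_profiles(accounts, domain_map):
    """Group profile account names by person; return only people with >1 profile.
    SharePoint itself never does this merge: each encoded name is a distinct user."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[principal_key(acct, domain_map)].append(acct)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample of what "Manage User Profiles" might list (not real data).
SAMPLE = [
    "CONTOSO\\alice", "i:0#.w|CONTOSO\\alice", "i:0e.t|adfs|alice@contoso.com",
    "CONTOSO\\bob", "i:0e.t|adfs|carol@contoso.com",
]
DOMAIN_MAP = {"contoso": "contoso.com"}   # constructed NetBIOS -> UPN suffix map
```

Running `find_duplicate_profiles(SAMPLE, DOMAIN_MAP)` reports only alice, with three distinct account names that SharePoint treats as three users with separate permissions.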
  • How about changing the authentication type for a web app from claims Windows to classic Windows. Then use the MS Azure MFA server downloaded from the Azure portal and install it on the SP web server itself. Then use the IIS authentication tab in the MFA Server to add an MFA layer to it.

    This will not work with a claims-type web application. I will change it to classic and test it now with just the Azure MFA server.

    Monday, January 18, 2016 12:19 PM
  • There is no supported route to move from Claims to Classic. As to the rest of your post, I've never tried that, it'll be a support headache and block movement to 2013, and I wouldn't recommend it. Having said that, good luck.
    Monday, January 18, 2016 1:55 PM
  • @Alex Brassington How can that be a support headache and block movement to 2013?
    Monday, January 18, 2016 2:07 PM
  • Claims is required for any OAuth2 enabled service - WFM, WAC, Exchange Task Sync, SharePoint Apps... There is zero reason to use Classic, nor would you want to.

    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, January 18, 2016 3:48 PM
    Moderator
  • I'd call it a support headache as it's a very unusual scenario, which means that if you need to fix something you'll struggle to find help. Also if you leave and someone else takes over they'll have to work out how it works before they can manage it.

    As Trevor says, many 2013-based tools need Claims to function; it's not advisable to try running SharePoint 2013 in classic mode for a prolonged period, but I'm not sure if it's explicitly unsupported to do so.

    It may seem excessive, but using ADFS will probably cause the least pain to your users, and you, over the long term.

    Monday, January 18, 2016 5:43 PM