This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Private Personal Identifier with 2 nodes ADFS farm not same

Question
0

Sign in to vote

Hello,

I try to generate a PPID claim on ADFS windows 2019 with the rule (from

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/when-to-use-a-custom-claim-rule) :

c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "_OpaqueIdStore", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);

But my setup is a two nodes ADFS Farm (with SQL cluster as a back end) behind a load balancer

My problem is that each node generate a different PPID for the same user.

To my understing adfs should generate the same PPID ?

Is it possible (and how) with _OpaqueIdStore to generate same PPID form different servers of the same ADFS farm ?

Thank you in advance.

Sunday, March 8, 2020 5:24 PM

All replies

0

Sign in to vote

Are both node running 2019?
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Monday, March 9, 2020 10:06 PM
0

Sign in to vote

Hello, Yes both nodes are at 17763.1039.

Thanks in advance.

Tuesday, March 10, 2020 9:25 AM
0

Sign in to vote

I can't repro on my lab. I am running 17763.1098.

Note that there is a typo in your rule. The claim type starts with https instead of http.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Wednesday, March 11, 2020 3:20 AM