Symptoms

Using SingleSignOnRoleProvider2 to resolve Group Organization Claim names fails. This is commonly seen while attempting to resolve group claim names in SharePoint People Picker. The AD FS 1.1 debug log shows the following:

  • 2011-04-18T14:48:58 [INFO] Processing HTTP POST: https://adfs.contoso.com/adfs/fs/federationserverservice.asmx
  • 2011-04-18T14:48:58 [VERBOSE] Received message that is not SignIn Request or Response.
  • 2011-04-18T14:48:58 [VERBOSE] InternalGetTrustedRealmUri: email - Group Claim Name
  • 2011-04-18T14:48:58 [ERROR] Rejecting name 'Group Claim Name' because it lacks prefix


Cause
The Federation Service is not configured to allow anonymous resolution of group claim names.


Resolution
AD FS 1.1 in Windows Server 2008 and Windows Server 2008 R2 adds a feature which allows an administrator to decide whether to allow anonymous access to resolve Organization Claim names of type Group. This is implemented in a checkbox on the Advanced tab of the Federation Service Properties dialog in the AD FS 1.1 MMC console. If you wish to allow the anonymous access to resolve group claim names, you must check this checkbox. When SharePoint People Picker invokes SingleSignOnRoleProvider2 to resolve the name, this call to the FederationServerService.asmx is performed anonymously, and it is a requirement that the checkbox is checked on the Federation Service in order to allow the People Picker to function as expected.

More Information

AD FS 1.0 on Windows Server 2003 R2 allows anonymous access to resolve Organization Claim names of type Group by default, thus the checkbox described above does not exist in AD FS 1.0.