Thursday, February 19, 2015

ADFS : RPUrl and SharePoint

I blogged previously about how you get the RPUrl field in the wctx field to see the originator of the message.

Normally for a .NET application, you'll see:

wctx: RPUrl=https://domain/application...

However, for SharePoint, you configure two identifiers in ADFS i.e.


ADFS uses the urn in the RPUrl, so you'll see:

wctx: RPUrl=urn:sharepoint:application...

Which is a pain if you have to support both.


Tuesday, February 10, 2015

IIS : Application pool service account

IIS web sites run under application pools and if you look under "Advanced settings" you see an application pool runs under an Identity.

This Identity can be a number of accounts e.g. ApplicationPoolIdentity or NetworkService. But you can also set your own service account under "Custom account".

I needed to do this but kept getting:

"The specified password is invalid.Type a new password."


Had a conversation with Mr. Google. Seriously - about the only probable cause not mentioned was the proverbial kitchen sink!

Then I realised that this was a domain account so I needed to type:


Bang! Problem solved - sometimes we keep getting confused by all the trees.


Thursday, February 05, 2015

ADFS : Claims are URI

Answered this question over on the forum.

But for general interest.

Claims are URI and URL are a subset of URI so you would expect that URI look something like:


So you can't have a claim type of givenName.

To repeat:

Mapping Given-Name to givenName gives:

System.ArgumentException: ID4216: The ClaimType 'givenName' must be of format 'namespace'/'name'.

Mapping Given-Name to http://givenName gives:

MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ArgumentException: ID4213: Cannot parse the ClaimType 'http://givenName' into a constituent name and namespace.

Mapping Given-Name to works.

Which makes sense - you can't have a website with a URL of e.g. givenName.


Wednesday, February 04, 2015

ADFS : What happened to my roles?

Setting up a RP trust with the standard LDAP rule which maps "Token Groups - Unqualified Names" to Roles.

But when I enumerated the claims after RP authentication, some were missing?

WTF? when I do an AD memberOf, it displays them all?

Much  head-scratching and investigation and then I remembered that for this ADFS claims rule only non-local domain security groups are returned.

You can confirm this in ADUC by clicking on the Properties / General tab and looking at the group scope and type.

But what if you are not Domain Admin?

Allow me to recommend AD Explorer.

Tip - just click OK on the first page (don't enter credentials) and it will "find" the default DC.

Then navigate to the security group.

Under the attributes, look for groupType.

It will be something like -2147483646.

As per AD Attributes, this is a Global group.

But my missing Security group displayed  -2147483644 which is Domain Local.