zettelkasten/61_ADFS.md at 5a108aa2b4135af0e72d7a64654b59c91b3e7032

ralfk/zettelkasten

Fork 0

Ralf Koop 5a108aa2b4 .

2023-08-25 23:29:11 +02:00

25 KiB

Raw Blame History

ADFS

Mittwoch, 24. Oktober 2018

07:51

Auf dem Server BKKADFS001 im AD FS Management Tool folgende Einstellungen vornehmen.

$Computergenerierter Alternativtext: SPQ-PortaI Properties Erooi-ts Proxy Erbonts Advmced Specfy sethgs Yis reb\'hg paty tn.--- Rey-ing paty•s URL: Ü)) update relying fede-ati:n meadäa däa was che:ked on relying p 3ty W\" fron$ {width="3.5625in" height="4.489583333333333in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:27]{.mark}

$Computergenerierter Alternativtext: SPQ-PortaI Properties Erooi-ts Proxy kd•vmced Specfy name forths reb•ing Party tn.\* Display na-re paty : https-Jhscontoso Rey-ing paty idäifte• https/fp.MS de/ / shu•epoirt$ {width="3.53125in" height="4.479166666666667in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:28]{.mark}

{width="3.5104166666666665in" height="4.489583333333333in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:28]{.mark}

$Computergenerierter Alternativtext: SPQ-PortaI Properties Erooi-ts Proxy Erbonts kdvmced Spe&y tl-e verficaten cetficäes raue\* s from ths reb\'ing$ {width="3.4895833333333335in" height="4.479166666666667in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:28]{.mark}

{width="3.53125in" height="4.479166666666667in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:29]{.mark}

{width="3.4895833333333335in" height="4.4375in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:29]{.mark}

{width="3.53125in" height="4.479166666666667in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:29]{.mark}

$Computergenerierter Alternativtext: SPQ-PcrtaI Properties Er-amon So---Aue The Wowing sf-en the proxied endpcO-ts frths reb\'ing paty This refrg is throu\$n a applicati.Tl$ {width="3.5in" height="4.489583333333333in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:29]{.mark}

$Computergenerierter Alternativtext: SPQ-PortaI Properties Er---Alon SO---Aue Ax---tedCISms Spe&y any rotes abo•..t the reb\'ing Party tn.---$ {width="3.5104166666666665in" height="4.4375in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:30]{.mark}

$Computergenerierter Alternativtext: SPQ-PortaI Properties SO---Aue kcc---tedaams secue hash to forthis p-8ty SK-ure hash \*ortthrm SHA-256$ {width="3.53125in" height="4.447916666666667in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:30]{.mark}

$Computergenerierter Alternativtext: Edit Claim Peli Iss•ance Trmsform Rules be Sert t o reb•ng p arty„ RLie Name E-MAI Edit Rule • Email You can corfOJre this to smd the ci LDAP as daimy Séæ an attri•fe Ole from WWch extract LOAF attrbJtes Spæfyhowtf-e \*thbutes m--- to tf-e ct_tgøng daim types thä iss_ed from the ruÉ. nie rare : template: Send LDAP ktnb_tes Claims ktrib\'.te Store: ktive Chrectory LDAP to outgong Spes AP ktribue type to add • Lhgudhed Ougcing Clair, (Select type to add rnore) v E-MAI Address v name V\'ew$ {width="9.28125in" height="5.635416666666667in"}

Erfasster Bildschirmausschnitt: 23.10.2018 13:26

$Computergenerierter Alternativtext: Reiyinq Party Trusts s 9 T- patal Enabled WS-True \" SANL / WS-FSer\*on https:f.\'bxalatbkkqobloide/\_true/$ {width="9.614583333333334in" height="1.0in"}

[Erfasster Bildschirmausschnitt: 21.09.2018 10:31]{.mark}

SPQ-Search & SPQ-MySite konfigurieren - Done

Mobilnet

Im ADFS Management Tool - Add Relying Party Trust

Auswahl: Claims Aware - Enter data about the relying party manually - Display Name eingeben - next - enable support for the WS-Federation Passive protocol "enable" und https://xxx-spq.bkk-mobiloil.de/_trust/ eintragen - next und dort den Urn eintragen, danach bis ende "next" klicken. Überprüfen, siehe die nächsten beiden Screenshots.

$Computergenerierter Alternativtext: SPQ-MobiInet Propefties MondMng Identiiers Encryvtbn Signature \*dpoints Notes he endpcä-ts to for SAML arz WS-Feder\*ionpassive prctccols WS- Federaticn Passive Endpcints Ftp\' W \_ Trun.\" Add WS-Fe&äion hdex Binding POST$ {width="3.5in" height="4.46875in"}

Erfasster Bildschirmausschnitt: 14.11.2018 11:06

$Computergenerierter Alternativtext: SPQ-MobiInet Propefties Organiz\*izn \*dpoints Notes Mvarced he display name and idertfiers for this , name E PO-Mobilnet paty Exæoe https/,fs Reb•ng paty identiiers: https•,\'.•hzbå•\*spqbkk,mobiloide/ Trust\" SV 2016$ {width="3.4895833333333335in" height="4.458333333333333in"}

Erfasster Bildschirmausschnitt: 14.11.2018 11:27

Edit Claim Issuance Policy für den Relying Party Trust:

Add Rule - Send LDAP Attributes as Claim - Claim rule Name vergeben und Attribute store auswählen. Danach wie im Screenshot unten zu sehen ausfüllen.

$Computergenerierter Alternativtext: Add Transform Claim Rule Wizard Configure Rule Rule Type C•figue Yeu cm confvxe the rule the values LOAF as claims. Select an Etrib_te Store fern which to extrB.z2 L DAF attrbÆs. Speciy how the attrbutes to the ougoing Clair. types that wil be •s_ed from the rüe Clärn de name: Rüe Send LOAF ktribLtes as Clans Active Chreday LDAP \*thbees to typ---s. CD AP kthb\'\_ne (Select orVpe add Tore) E-Mai-Addresses LI • Name S SAM -Name Outgoing Type (Select er type to add more) v E-Mail Ad&ess$ {width="2.9895833333333335in" height="2.59375in"}

Erfasster Bildschirmausschnitt: 14.11.2018 11:05

$Computergenerierter Alternativtext: Service Access Ccntrcl Policies Relying Party Trusts Claims Provider Trusts Applicaticn Groups Reiyinq Party Trusts SPVMFtes spa.Mys,te Type WS-Trust / SAML / WS-Federatim W S•TnX / SAML r\' WS-Trust / SAML I\' WSFederåtcn WS-Trust / SAML / WS-Federaticn WS.TuM SAML S4LI\_ s al -»t bkknobloi de/ \_trÄJ https\'.//hr,•seesot.bkkqnobilo\' de/ true https //search-spt Ekkff&doil W \_tr\*j trust \'Just everyone Ferrit everyone Per-M ew-•pne$ {width="11.302083333333334in" height="1.6354166666666667in"}

Erfasster Bildschirmausschnitt: 05.11.2018 11:00

[AN KAY BENSCHEIDT -> neuen URI gesetzt urn:spq-portal:sp2016 Bitte BEACHTEN]{.underline}

[weitere Änderung UPN/ROLE/Email für ADFS nachschauen]{.underline}

Auf dem Server bkkspqapp001 folgende Befehle in der SharePoint 2016 Management Shell ausführen, als Administrator. (ACHTUNG! Korrigierte Befehle unten!!!)

$adfscertPath = "d:\ADFS-Signing-fs-bkk-mobil-oil-de.cer"

$realm = "urn:spq-portal:sp2016"

$signInURL = "https://fs.bkk-mobil-oil.de/adfs/ls"

$adfscert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($adfsCertPath)

New-SPTrustedRootAuthority -Name "ADFS Token Signing Cert" -Certificate $adfscert

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming

$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS4" -Description "ADFS provider" -realm $realm -ImportTrustCertificate $adfscert -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap,$sidClaimMap -SignInUrl $signInURL -IdentifierClaim $emailClaimmap.InputClaimType

Realms hinzufügen:

$uri = "https://mysites-spq.bkk-mobiloil.de/"

$realm = "urn:spq-mysites:sp2016"

$ap = Get-SPTrustedIdentityTokenIssuer "adfs4"

$ap.ProviderRealms.Add($uri, $realm)

$ap.update()

$Computergenerierter Alternativtext: PS C: VJsersXcfg-spqAdmir» PS C: WsersXcfg-spqAdmirD PS C: XUsersXcfg PS C: VJsersXcfg-spqAdmin» PS C: VJsersXcfg-spqAdmir» PS C: Wsersxc+g- spqAdmi \$uri \"https : / /mysites - spq . bkk-nobiloil . de/\" \$realm \"urn :spq-mysites: sp2e16\" \$ap - Get-SPTrustedIdentityTokenIssuer \"adfs4\" \$ap. ProviderReaIms. Add(\$uri, \$realm) \$ap. update()$ {width="5.364583333333333in" height="0.9583333333333334in"}

Erfasster Bildschirmausschnitt: 24.10.2018 09:56

$Computergenerierter Alternativtext: rovi derUr\'i roviderSignOutüri faultProviderRea1m rovi derRea1ms aimTypes SCI aimTypeInfornation Naim Type Information lai mProviderName seneplyparameter seWHomeReaImParameter roupC1aimType egisteredIssuerNane IdentityClaimTypeInformation scription igni ngCertificate ditiona1SigningCertificates tadataEndPoint IsAutomatica11yUpdated ypeName ispIayNane tatus arent ersion ploymentLocked roperties F arm gradedPersistedProperties C : WsersNcfg-spqAdmin» https : bkk-nobil -Cil. de/adfs/ls urn:spq-portal : sp2e16 (Ihttps://mysites-spq.bkk-mobiloil.de/, (https://search-spq.bkk•nobiloil.del, : (http://schemas.xm1soap.org/ws/2øø5Æ5/identity/c1aims/emailaddress, http://schemas.microsoft.com/ws/2088/86/identity/claims/role) True • (EmailAddress, Role) LDAPCP False False . Microsoft. SharePoint. Administration. Claims .SPTrustedClaimTypeInformation • ADFS provider • (Subjectl CN-ADFS Signing - fs.bkk-mobil-oil.de (Issuer•l CN-ADFS Signing - fs.bkk-mobil-oil.de (Serial Number) 7CØ65BF6BAF9B8A44ØC8BCF49063666 (Not Beforel lg.ø7.2e18 11:48:22 (Not After) lg.ø7.2e1g 11:4Ø:22 Thumbprint) 683412ES78936371C616ecø2A484FE19E37ASEDF False • ADFS4 . Microsoft. SharePoint. Administration. Claims .SPTrustedLoginprovider ADFS4 • f174gab2-f1e7-44e7-8cfb-4a8fb2ebsecc . Online SPSecurityT0kenSeffJice\"anager Name-SecurityTokenServiceManager • 7ee71 False • SPFarm$ {width="8.583333333333334in" height="8.28125in"}

Erfasster Bildschirmausschnitt: 24.10.2018 09:58

Realms hinzufügen:

$uri = "https://search-spq.bkk-mobiloil.de/"

$realm = "urn:spq-search:sp2016"

$ap = Get-SPTrustedIdentityTokenIssuer "adfs4"

$ap.ProviderRealms.Add($uri, $realm)

$ap.update()

[IF GroupClaimType in SPTrustedIdentityTokenIssuer IST LEER DANN .]{.mark}

[$issuer = Get-SPTrustedIdentityTokenIssuer]{.mark}

[$issuer.GroupClaimType = [Microsoft.IdentityModel.Claims.ClaimTypes]::Role]{.mark}

[$issuer.Update()]{.mark}

User Profil Service - Configure Synchronisation Connections - Create New Connection

$Computergenerierter Alternativtext: Add new synchronization connection this Page to configure a connection to a directory service server to synchronize users. • a required fæld Connection Name Type Connection Settings Fu19 ualified Dornain (e.g. For Active Directory connections to Work ff\'is account must have directory sync righ& Choose which containers you Want to be synchronized. Active Directory Irnport v Fully Qualified Domain Name (e.g. contoncom): bkk•mobiloil.de Authentication Provider Type: Trusted Claims Provider Authentication v Authentication Provider Instance: Account name: )biloildeIsvc-spqProfilsyncU Example: DOMAMuser_name Password: • Confirm password: Cl Use SSL-secured connection Cl Filter out disabled users Filter in LDAP Syntax for Active Directory Import. Popel ate Containers$ {width="4.114583333333333in" height="4.25in"}

Unter Containers noch die entsprechenden OU auswählen:

Erfasster Bildschirmausschnitt: 21.09.2018 11:11

{width="4.864583333333333in" height="2.3541666666666665in"}

Erfasster Bildschirmausschnitt: 21.09.2018 11:20

Unter die User Profile Service Application - "Manage User Properties"

die Property "Claim User Identifier" von "SAMAccountName" auf "mail" ändern.

{width="7.25in" height="0.59375in"}

Erfasster Bildschirmausschnitt: 21.09.2018 12:23

$Computergenerierter Alternativtext: Edit P rofile P roøertv SharePoint Central Administration Application Management System Settings Monitoring Backup and Restore Security Upgrade and Migration General Application Settings Apps Office 365 Configuration Wizards Site Contents Sites Edit User Profile Property this Page to edit this property for user profiles • a required fæld Property Settings Specify property Settings for this property. The name will be used prcgramrnati&ly for the propem by user profle serbce, while the display name is the label useci wien the is After the Property is Property Setting can is the dispby Sub-type of Profile Please Select the sub-type of user profiles With which you Want to asscciate this profle property. Usage This is the number of user Profi/es currentl•y containimg Values for this property. Changes to this might effect User Descripticn Specify a description for this proper-ty that pro•vide instructions o\' information to users This the Edit Details Page. Pdicy Settings S\*Cify the Privacy polig YOu Want applied to this Property. Select the Replicate Check box if pu Want the prcverty to display in the user info list for all Sites To replOte properties, the default Privacy must be set to Everyone and the User can override check box must not be EmadAdress Display Name: • Email Adress Edit Type: E-mail Default User Profile Subtype Number of profles using this property. Descriptiorr Edit Language Policy Setting: Required v Default Privacy Setting: Everyoneil Ü User can override Replicable$ {width="6.229166666666667in" height="6.46875in"}

Erfasster Bildschirmausschnitt: 26.09.2018 13:09

$Computergenerierter Alternativtext: Elft whether users can Change v.h_æs for in ther user profle. LJ\*rs With Manage Profile permission an edit any Property Value for any aser. Ihsøay Settings Specify whether or not the Property is dispaayed in the Profile properties section on the My Site Profile Page, whether property is displayed on the Edit Details Page, and whether changes to the propert/s Values are displayed in the User Profile Change Note: These display settings will obey the aser\'s Privacy seeings. Search Aliased are treated as equivalent to the user name arid åccount name when searching fot authored by a user. tat-geting Rems toa user, or disp-/aying items in the Documents Web Part of the personal Site for a wer. Alias properties must be public, Properties are by search ergine and part of the People search SCOpe Ony a if it will infænutiM1 for if Want the data displayed in pecple search results. Property for Synchronization Click rerncwe to de/ete cr an existing rnapping. Add New Specify the fied to map to this property when synchronizing user Profile dara When With a Business Data Connectivity source you can cMy import (not export) data from associated entity fields by selectimg the association. Mapping a multivalued field to a Single Value p.op•erty is allowed, will attempt to get only the first Value. be rnodif.ed Security Note: If you are using high privilege •ccount for Profile synchronization, be åble to read, import and export directory attributes thatare not normaliy viewable all Users, make Sure the appropriate defawlt Privacy Setting i5 selected. The selection of dir«tory Service may be if User Profile Appkaticn in an Wltrusted if rwt Multi Value iS \" (Mr. Ü Allow users to edit Values for this Ü Show in the Profile properties section of the user\'s Profile Page C) Show on the Edit Details Page C) Show updates to the property in newsfeed (only compatible With SharePoint 2010 newsfeeds) ÜAlias Indexed There are no tents to Show in this View. Source Data Connection: AD PS V Attribute Attribute Direction Import$ {width="5.78125in" height="4.020833333333333in"}

Erfasster Bildschirmausschnitt: 26.09.2018 13:09

SPQ_Profilsyncuser	8jqaDX8i6;xB	bkk-mobiloil\svc-spqProfilsyncU

https://social.technet.microsoft.com/Forums/en-US/74371f0d-d743-4a1c-90e8-8b09c8911132/addspprofilesyncconnection-profile-synchronization-problem?forum=SP2016

Informationen zum ADFS:

get-SPTrustedIdentitytokenissuer "ADFS"

Delete the Trusted Identity Provider per Powershell:

Remove-SPClaimProvider "ADFS"

Remove-SPTrustedIdentityTokenIssuer "ADFS"

Aus <https://blogs.technet.microsoft.com/adamsorenson/2018/06/22/remove-sptrustedidentityissuer-the-trusted-login-provider-is-in-use-and-cannot-be-deleted/>

LDAPCP Erweiterung in der Farm installieren (https://github.com/Yvand/LDAPCP/releases)

Add-SPSolution -LiteralPath "D:\SP\03_Tools\LDAPCP-master\LDAPCP.wsp"

Install-SPSolution -Identity "LDAPCP.wsp" -GACDeployment

Diese Befehle können nach ca. 10 Minuten durchgeführt werden, nachdem die Solution installiert wurde.

$ap = Get-SPTrustedIdentityTokenIssuer "adfs4"

$ap.ClaimProviderName = "LDAPCP"
$ap.Update()

$Computergenerierter Alternativtext: Administrator: SharePoint 2016 Management Shell PS C; Add-spsolution Solution Id Idapcp. vsp 6ff99767-bgsa-4143-8cd8-3978aaa1fb8Ø False PS Install-SPS01ution -Identity \"LDAPCP .wsp\" -GACDeploynent PS C: NUsersXcfg-spqAdmir» Sap Get-SPTrustedIdentityTokenIssuer \"ad+s\" PS C: XUsersXcfg•spqAdmir» \$ap . ClaimProviderNare - \"LDAPCP\" Set Ling . \"Claim provider With narre LDAPCP Coes not exist. 4 Sap.CIaimProwiderName - \"LDAPCP\" + Categorylnfo 4 Fullnuali+iedE-rrorId MDtSpecified: ( : ) t l, SetVa1ue1nwocationException ExceptionNhenSetting spqAdmir» PS -spqAdmir» PS C: NUsersXcfg-spqAdmir» LDAPCP PS C: NUsersXcfg-spqAdmin» PS C: \$ap. Update() Sap. claimprovidername Sap. claimprovidername \$ap. claimprwuidername Sap.Update() - \"LDAPCP\"$ {width="5.885416666666667in" height="3.2604166666666665in"}

Erfasster Bildschirmausschnitt: 26.09.2018 11:57

[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish

$publish.GacInstall("D:\SP\03_Tools\LDAPCP-master\ldapcp.dll")

Zu testen, ob dies den Fehler beseitigt.

https://nikpatel.net/2013/09/05/sharepoint-and-adfs-configuration-error-id4220-the-saml-assertion-is-either-not-signed-or-the-signatures-keyidentifier-cannot-be-resolved-to-a-securitytoken/

https://albandrodsmemory.wordpress.com/2015/06/19/sharepoint-2013-the-saml-assertion-is-either-not-signed-or-the-signature/

--- Löschen und erstellen

Umstellung der WebApplications zurück auf Windows NTLM

Remove-SPTrustedIdentityTokenIssuer "ADFS"

Neu erstellen per PS:

$adfscertPath = "d:\ADFS-Signing-fs-bkk-mobil-oil-de.cer"

$realm = "urn:sharepoint:portal-spq"

$signInURL = "https://fs.bkk-mobil-oil.de/adfs/ls"

$adfscert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($adfsCertPath)

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS" -realm $realm -ImportTrustCertificate $adfscert -ClaimsMappings $emailClaimMap,$roleClaimMap -SignInUrl $signInURL -IdentifierClaim $emailClaimmap.InputClaimType

LDAPCP erneuern:

$ap = Get-SPTrustedIdentityTokenIssuer "adfs"

$ap.ClaimProviderName = "LDAPCP"
$ap.Update()

LDAPCP angepasst :

$Computergenerierter Alternativtext: Augmentation Enable augmentation to let LDAPCP get group membership of federated users. lI not enabled, permissions granted on federated groups may not Work. Enable augmentation Select what Claim LDAPCP will use to create claims With the httpl/schernas.mlcrosoft.corn\'ws/2008/06fidentity/cIaims/role membership of users: For Active Directory servers. the preferred Way to get groups is using IJserPrincipaI.GetAuthorizationGroupsO. Otherwise LDAPCP reads LDAP attribute memberof/uniquememberof of the user. LDAP Server \"Connect to SharePoint domain•: Query this server This is an Active Directory server, use UserPrincipaI.GetAuthorizationGroups$ {width="15.1875in" height="2.3229166666666665in"}