Wednesday, February 04, 2015

ADFS : What happened to my roles?

Setting up an RP trust with the standard LDAP rule which maps "Token Groups - Unqualified Names" to Roles.

But when I enumerated the claims after RP authentication, some were missing?

WTF? When I do an AD memberOf, it displays them all?

Much head-scratching and investigation, and then I remembered that for this ADFS claims rule only non-local domain security groups are returned.

You can confirm this in ADUC by clicking on the Properties / General tab and looking at the group scope and type.

But what if you are not Domain Admin?

Allow me to recommend AD Explorer.

Tip - just click OK on the first page (don't enter credentials) and it will "find" the default DC.

Then navigate to the security group.

Under the attributes, look for groupType.

It will be something like -2147483646.

As per AD Attributes, this is a Global group.

But my missing security group displayed -2147483644, which is Domain Local.
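To save the hex arithmetic, here is a small added example (not from the original post) that decodes a raw groupType value into its scope and security flag and lists which groups the post's observation says will not appear in the Roles claim. The group names and the sample list are constructed; the bit values are the documented GROUP_TYPE_* flags.

```python
# Added example: decode AD groupType values as shown by AD Explorer / LDAP.
# groupType is a signed 32-bit integer, so a security-enabled group
# (high bit 0x80000000 set) shows up as a negative number.
from typing import List, Tuple

SECURITY_ENABLED = 0x80000000
SCOPE_BITS = {
    0x00000001: "builtin local",
    0x00000002: "global",
    0x00000004: "domain local",
    0x00000008: "universal",
}


def decode_group_type(group_type: int) -> Tuple[str, bool]:
    """Return (scope, is_security_group) for a raw groupType attribute."""
    unsigned = group_type & 0xFFFFFFFF            # reinterpret as unsigned 32-bit
    is_security = bool(unsigned & SECURITY_ENABLED)
    scope_bits = unsigned & 0x7FFFFFFF            # drop the security flag
    scope = SCOPE_BITS.get(scope_bits, f"unknown (0x{scope_bits:08x})")
    return scope, is_security


def groups_missing_from_roles_claim(groups: List[Tuple[str, int]]) -> List[str]:
    """Names the post's finding says the Token Groups rule will leave out.

    Per the post, only non-local security groups are returned, so domain
    local groups are flagged. Distribution groups are flagged too: they are
    not security principals and never appear in tokenGroups (a general AD
    fact, not something the post itself discusses).
    """
    missing = []
    for name, group_type in groups:
        scope, is_security = decode_group_type(group_type)
        if not is_security or scope in ("domain local", "builtin local"):
            missing.append(name)
    return missing


# Constructed sample, using the two values quoted in the post plus two more.
SAMPLE_GROUPS = [
    ("App-Users", -2147483646),     # 0x80000002: security, global
    ("App-Admins", -2147483644),    # 0x80000004: security, domain local
    ("App-Everyone", -2147483640),  # 0x80000008: security, universal
    ("App-Newsletter", 2),          # 0x00000002: distribution, global
]

if __name__ == "__main__":
    for name, gt in SAMPLE_GROUPS:
        print(name, decode_group_type(gt))
    print("expected missing from Roles:", groups_missing_from_roles_claim(SAMPLE_GROUPS))
```

Compare the output against the user's memberOf list: any group flagged here is the one to re-scope (or map with a different rule) rather than a misconfigured trust.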

Enjoy!