Issue with SQL SERVER #10

Closed
Bastien-RB opened this issue Jan 18, 2018 · 6 comments
Comments

@Bastien-RB

Bastien-RB commented Jan 18, 2018

Hello,

I have a new problem (I promise it's the last).
When I configure the SQL connection to use many directories, I get this error.

With the principal AD or an LDAP account:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:

Exception details:
Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.
at Microsoft.IdentityServer.Web.Protocols.GenericProtocolRequest.ParseEncodedRequestParts(String[] encodedRequestParts)
at Microsoft.IdentityServer.Web.Protocols.GenericProtocolRequest..ctor(String encodedGenericRequest)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetOriginalRequestFromResponse(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

@redhook62
Member

Hello,

I don't really understand your log.
But are you using the new feature of ADFS 2016 used to declare a new local provider (an LDAP 3.0 repository)?
If yes, have you configured it?

Sample PowerShell code to create a new local provider (LDAP 3.0 repo)

I used this kind of script to add my Synology NAS as a local provider:

Get-AdfsLocalClaimsProviderTrust
Remove-AdfsLocalClaimsProviderTrust -TargetName Synology

$idStoreAccountUserName = "uid=root,cn=users,dc=contoso,dc=com"
$idStoreAccountPassword = "yourpassword" | ConvertTo-SecureString -asPlainText -Force
$DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $idStoreAccountUserName, $idStoreAccountPassword

If Using SSL

$Directory = New-AdfsLdapServerConnection -HostName "ldap.contoso.com" -Port 636 -SslMode SSL -AuthenticationMethod Basic -Credential $DirectoryCred

If not using SSL

$Directory = New-AdfsLdapServerConnection -HostName "ldap.contoso.com" -Port 389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

Attributes mapping

$GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/commonname"
$Email = New-AdfsLdapAttributeToClaimMapping -LdapAttribute email -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

$WindowsAccount = New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

Local Claims Provider Creation

Add-AdfsLocalClaimsProviderTrust -Name "Synology" -Identifier urn:synology:contoso:com -Type Ldap -LdapServerConnection @($Directory) -UserObjectClass inetOrgPerson -UserContainer "cn=users,dc=contoso,dc=com" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($GivenName, $Surname, $CommonName, $Email, $WindowsAccount) -AcceptanceTransformRules "c:[] => issue(claim = c);" -Enabled $true -OrganizationalAccountSuffix @("contoso.com")

Attribute Store

Add-ADFSAttributeStore -Name Synology -TypeQualifiedName "Neos.IdentityServer.AttributeStore.LDAP, Neos.IdentityServer.Ldap.AttributeStore, Version=1.1.0.0, Culture=neutral, PublicKeyToken=175aa5ee756d2aa2" -Configuration @{"servername" = "ldap.contoso.com" ; "port" = "389" ; "username" = "uid=root,cn=users,dc=contoso,dc=com" ; "password" = "password" ; "secured" = "false" ; "root" = "dc=contoso,dc=com"}

ADFS Sample Claims

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Synology", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = "(uid={0});mail,mail", param = c.Value );

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Synology", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "(memberUid={0});cn", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(claim = c);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "urn:synology:contoso:com"] => issue(store = "Synology", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";uid,,mail;{0}", param = c.Value);

Attribute Store Extension Sample

Neos.IdentityServer.Ldap.AttributeStore.zip

@Bastien-RB
Author

Hello,
My LDAP works without MFA; AD works with MFA in AD mode.
In SQL mode, AD and LDAP don't work.

I configured my LDAP like you, except I didn't do the Attribute Store step.

I didn't see this step in this doc:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories

My LDAP config:

$ldapuser = "uid=admin,ou=system"
$ldappassword = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force
$DirectoryCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ldapuser,$ldappassword

$EXTDirectory = New-AdfsLdapServerConnection -HostName LDAPSERVER -Port 10389 -SslMode None -AuthenticationMethod Basic -Credential $DirectoryCred

$DisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute displayName -ClaimType "http://temp.org/identity/claims/displayName"
$CommonName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn -ClaimType "http://schemas.xmlsoap.org/claims/CommonName"
$email = New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
$Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Backtick line continuations added so the multi-line call parses as one command
Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap -LdapServerConnection $EXTDirectory `
    -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $true -LdapAttributeToClaimMapping @($email, $DisplayName, $CommonName, $Surname)

@redhook62
Member

Hello,

Yes, Attribute Store is an old ADFS feature and it's optional (only if you want more attributes for claims).

We have just tested with SQL Server; we have no problems, it works as well!
As you described first, it seems not related to MFA, but are you sure that your LDAP configuration is working?
Does your configuration run as well with the LDAP provider removed?
Get-AdfsLocalClaimsProviderTrust
Remove-AdfsLocalClaimsProviderTrust -TargetName EXTERNAL

I don't see, in your script, a declaration for UPN:
AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
MFA requires this claim (see: Neos.IdentityServer.Multifactor.AdapterMetadata.cs).

You are mapping the email attribute to the WindowsAccountName claim. This is wrong!
You must map the email attribute to UPN as AnchorClaimType.

Remember, the UPN is always the identity claim in a federation context.

Let us know if this resolves your problem.

Regards

@Bastien-RB
Author

Hello,

I have changed the AnchorClaimType:

# Backtick line continuations added so the multi-line call parses as one command
Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap -LdapServerConnection $EXTDirectory `
    -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" -Enabled $true -LdapAttributeToClaimMapping @($email, $DisplayName, $CommonName, $Surname)

It's OK for AD, but I have another error with LDAP (LDAP is OK without MFA):
Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
https://monapp.mestests.org/sampapp/

Exception details:
System.IO.InvalidDataException: The identity information provided does not contain a Windows account name.
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

@Bastien-RB
Author

Bastien-RB commented Jan 19, 2018

It's OK,
I added uid in my LDAP mapped to windowsaccount; it's OK now, thanks for your help.
Do you sell support for this solution?
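As an added example (not code from this thread or from the project), the following consolidates the LDAP local provider setup from the first reply with the fix the thread converges on: the anchor claim is UPN sourced from the LDAP mail attribute, and uid is mapped to the windowsaccountname claim so the "does not contain a Windows account name" error no longer occurs. Host name, port, bind DN and user container reuse the placeholders from the thread; the bind password is prompted for instead of being embedded in the script.

```powershell
# Added example, not from the issue or the project. Placeholders: LDAPSERVER, port 10389,
# bind DN uid=admin,ou=system and container ou=People,o=external are taken from the thread.
$ldapUser     = "uid=admin,ou=system"
$ldapPassword = Read-Host -Prompt "LDAP bind password" -AsSecureString   # no plain-text secret in the script
$cred         = New-Object System.Management.Automation.PSCredential ($ldapUser, $ldapPassword)

# Connection to the external LDAP 3.0 directory (SslMode None only because the thread's
# directory is unencrypted; prefer -Port 636 -SslMode SSL where the directory supports it)
$conn = New-AdfsLdapServerConnection -HostName "LDAPSERVER" -Port 10389 -SslMode None `
            -AuthenticationMethod Basic -Credential $cred

$upnType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$winType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Attribute mappings: uid -> windowsaccountname is the mapping the thread's final fix adds;
# mail -> emailaddress, sn -> surname and cn -> CommonName mirror the poster's configuration
$mappings = @(
    (New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid  -ClaimType $winType),
    (New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
    (New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn   -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
    (New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn   -ClaimType "http://schemas.xmlsoap.org/claims/CommonName")
)

# Recreate the trust so a previous attempt with the wrong anchor claim does not linger
if (Get-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -ErrorAction SilentlyContinue) {
    Remove-AdfsLocalClaimsProviderTrust -TargetName "EXTERNAL"
}

Add-AdfsLocalClaimsProviderTrust -Name "EXTERNAL" -Identifier "urn:EXTERNAL" -Type Ldap `
    -LdapServerConnection $conn -UserObjectClass inetOrgPerson -UserContainer "ou=People,o=external" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail -AnchorClaimType $upnType `
    -LdapAttributeToClaimMapping $mappings `
    -AcceptanceTransformRules "c:[] => issue(claim = c);" -Enabled $true

# Verification: the MFA adapter keys on the UPN claim, so the anchor must be UPN.
$trust = Get-AdfsLocalClaimsProviderTrust -Name "EXTERNAL"
if ($trust.AnchorClaimType -ne $upnType) {
    Write-Warning "Anchor claim type is '$($trust.AnchorClaimType)', expected UPN"
}
$trust | Format-List Name, Identifier, AnchorClaimLdapAttribute, AnchorClaimType
```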

@redhook62
Member

Hi, this project is open source, and we are going to push new versions regularly.
But if you really want to have support, contact neos-sdi (in French).

Regards
