I ran into this issue recently at a client with a new, pretty basic ADFS environment that was acting as the identity provider, fronted by an ADFS proxy server. I couldn’t wrap my head around why it wasn’t working: the groups themselves were resolving correctly, and even showed up in the identity data sources in the people picker. However, members of the AD security group (NOT the SharePoint group) were still being denied access to the SharePoint site.
To fix this issue, follow these steps:
- Log on to the federation server.
- Open the ADFS 2.0 management console.
- Edit the claim rules for the relying party trust that represents the SharePoint web application.
- Select the Issuance Transform Rules tab.
- Edit the Send LDAP Attributes as Claims rule. It should have:
  - Claim rule name: Pass-through LDAP Claims
  - Attribute store: Active Directory
  - LDAP attribute: Token-Groups - Unqualified Names, Outgoing claim type: Role. Don’t use Token-Groups - Qualified by Domain Name: that emits DOMAIN\groupname, which never matches the bare group name SharePoint resolves as the role claim value, so members of the group are denied even though the group itself resolves in the people picker.
  - LDAP attribute: User-Principal-Name, Outgoing claim type: UPN
- Open the SharePoint 2010 Management Shell and run the following PowerShell script to create the trusted identity token issuer. If you already have an issuer, remove it or run the corresponding update commands (shown further down). Make sure you replace $certPath, $signinurl, $realm and any of the string literals passed to New-SPTrustedIdentityTokenIssuer.
# Token-signing certificate exported from the ADFS federation server (.cer); replace the path
$certPath = "C:\path\to\adfs-token-signing.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
# Each incoming claim type must match exactly what the ADFS issuance transform rules emit
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "Login" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Account ID" -SameAsIncoming
# The realm must equal the relying party identifier configured for this trust in ADFS
$realm = "urn:" + $env:ComputerName + ":adfs"
# Sign-in endpoint of the federation service (or the ADFS proxy), normally https://<fs-host>/adfs/ls/
$signinurl = "https://yoursigninurl"
# The e-mail claim is the identifier claim, so ADFS must issue it for every user
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS 2.0" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2, $map3, $map4 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
If you would rather update an existing issuer than create a new one, use the following. Note that you may not need all of the claim mappings in the script above; it depends on which claims your relying party’s issuance rules actually emit.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS"
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
Add-SPClaimTypeMapping -Identity $map -TrustedIdentityTokenIssuer $issuer   # attaches the new mapping to the existing issuer
Now you HAVE to apply the SharePoint 2010 hotfix from KB 2536591, located here: http://support.microsoft.com/kb/2536591/en-us. Groups will not work until it is installed.
Boom! Groups will work.
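The ADFS side of the steps above, as an added example that is not code from the original post: the same "Pass-through LDAP Claims" rule written in claim rule language and applied with the ADFS 2.0 PowerShell snap-in, so you can see exactly which LDAP attribute sits behind the console labels. The relying party trust name "SharePoint 2010" is an assumption. The mail attribute and the windowsaccountname pass-through rule are included because the issuer script in this post maps the e-mail claim (as the identifier claim) and the Login claim; drop them if your issuer does not.

```powershell
# Added example (not from the original post). Run on the ADFS 2.0 federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "SharePoint 2010"   # assumed display name of the relying party trust for SharePoint

# Rule 1 is what the console's "Send LDAP Attributes as Claims" template generates.
# The bare attribute name "tokenGroups" is the console's "Token-Groups - Unqualified Names" and
# yields values such as "SP-Site-Members". "tokenGroups(domainQualifiedName)" would be
# "Token-Groups - Qualified by Domain Name" and yield "CONTOSO\SP-Site-Members", which does
# not match the role value SharePoint resolves for the group, hence the access denied.
# Rule 2 passes the Windows account name through for the "Login" mapping in the issuer script.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Pass-through LDAP Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";tokenGroups,userPrincipalName,mail;{0}",
          param = c.Value);

@RuleName = "Pass-through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Replaces the whole issuance transform rule set for this trust
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $issuanceRules

# Check: the stored rules must query "tokenGroups", not "tokenGroups(domainQualifiedName)"
# or "tokenGroups(SID)"; anything else will not line up with the Role claim mapping in SharePoint.
$stored = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if ($stored -match 'tokenGroups\(') {
    Write-Warning "Relying party '$rpName' still issues qualified or SID group names; SharePoint role claims will not match."
} else {
    Write-Host "Relying party '$rpName' issues unqualified group names as Role claims."
}
```

One caveat that comes with unqualified names: the role claim value is just the group’s sAMAccountName, with no domain scoping. In a multi-domain forest, two groups with the same name in different domains produce identical Role claims, so a member of one would satisfy a SharePoint permission granted to the other. If that applies to you, give the groups used for SharePoint permissions forest-unique names rather than switching back to the domain-qualified form.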
There are several design considerations when using folders as part of the information architecture in SharePoint 2010. First and most obviously, plan for the number of items that will be organized in each folder. Items can be moved into folders either manually or automatically. SharePoint 2010 also includes metadata navigation, so the number of items in a folder is no longer bounded as strictly by the list view threshold. Use metadata navigation together with folder navigation so that folders can carry policies and retention settings in addition to organizing content. Organize content in folders so that it can be navigated easily, and combine folders with the other available options that simplify navigation. The content organizer automatically moves documents into folders based on their metadata, and it can be configured to create new sub folders once a folder reaches its item limit. Keep the number of items in each folder below the list view threshold, because “Open with Explorer” only works at the folder level when each folder is under that limit. To retrieve content in list views, metadata navigation and indexed columns can be used in addition to folders.
Organizing content into folders needs to be done carefully. There are three main approaches:
- Organize logically: by month, year, or other data such as the responsible division. Or other stuff. Whatever’s clever.
- Metadata: documents are routed to the correct folder based on their metadata. This limits the number of items in a single folder, and sub folders are created when more capacity is needed.
- Topic or category: many users like being able to find things by topic or category. They are used to that kind of navigation, so it seems natural. This is similar to the first point.
Various improvements in SharePoint Server 2010 allow folders to be used flexibly, with less dependence on performance considerations. With managed metadata and metadata navigation you can filter data across folders. This makes it possible to organize information for administrative control, including permissions and policies, rather than relying only on end-user navigation.
When the content organizer automatically moves content into folders based on its metadata, users don’t need to decide where to place it. The content organizer can also create new folders once the item limit for a folder has been reached. When you use “Open with Explorer”, remember that it doesn’t work with large lists unless the items are organized into folders that each hold fewer items than the list view threshold.
Folder-based views and metadata-based views perform very similarly. If folders give a logical user experience, it is sensible to rely on them to divide your content. Metadata navigation, though, supports queries that return items across all folders.
*Folders do perform better for smaller lists.*
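As an added example, not code from the original post, here is a quick audit of which folders in a library already hold as many direct children as the list view threshold, since those are exactly the folders where folder views and “Open with Explorer” stop working. The site URL and library title are assumptions; MaxItemsPerThrottledOperation is the web application property behind the list view threshold (5000 by default).

```powershell
# Added example (not from the original post). Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl     = "http://sharepoint.contoso.local/sites/records"   # assumed site URL
$libraryName = "Documents"                                        # assumed library title

$web  = Get-SPWeb $siteUrl
$list = $web.Lists[$libraryName]

# The list view threshold is a web application setting (5000 by default)
$threshold = $web.Site.WebApplication.MaxItemsPerThrottledOperation

function Get-FolderLoad {
    param([Microsoft.SharePoint.SPFolder]$Folder)

    # Only direct children matter: that is what a view of this folder has to render.
    # If enumerating them is itself throttled, the folder is already over the limit.
    $direct = -1
    try   { $direct = $Folder.Files.Count + $Folder.SubFolders.Count }
    catch [Microsoft.SharePoint.SPQueryThrottledException] { }

    New-Object PSObject -Property @{
        Url       = $Folder.ServerRelativeUrl
        Items     = $direct
        OverLimit = ($direct -lt 0 -or $direct -ge $threshold)
    }

    if ($direct -lt 0) { return }   # cannot descend into a throttled folder
    foreach ($sub in $Folder.SubFolders) {
        if ($sub.Name -ne "Forms") { Get-FolderLoad -Folder $sub }   # skip the hidden Forms folder
    }
}

$report = @(Get-FolderLoad -Folder $list.RootFolder)
$over   = @($report | Where-Object { $_.OverLimit })

"Library '$libraryName': $($list.ItemCount) items in total, list view threshold $threshold"
"$($over.Count) of $($report.Count) folders are at or over the threshold:"
$over | Sort-Object Items -Descending | Format-Table Url, Items -AutoSize

$web.Dispose()
```

Folders that show up in this report are candidates for the content organizer’s automatic sub folder creation, or for splitting by month, year or division as described above; the library total printed at the top tells you whether metadata navigation with indexed columns is needed as well.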
Rules and principles must be defined for how services and data are treated in a net-centric environment. They apply to all Department of Defense investments across the portfolios and components within DIEA 1.0.
Applications need access to various forms of data and services, and all authorized users within the Department of Defense need to be able to access them. Policies and laws may, however, require special classification to reach certain functions and levels of operation.
Authorized data sources do not make any single source more authoritative than the others. All data held by a producer must be exposed through the assets and solutions necessary for it to be searchable and secure across the enterprise.
Data is offered according to the enterprise metadata standard. Business mission functions are exposed as network-based services with well-defined interfaces, and those services are advertised by registering them with the enterprise service registry.
Developing a semantic vocabulary is important, as it allows elements from the Universal Core information exchange to be reused. The vocabulary must be registered with the enterprise so that it is visible and easily understood. For existing data services, an end user can be made responsible for the use of those assets, so they don’t have to be created each time.
Next >> Department Of Defense SharePoint Architecture Guide (DSAG) Part 7 Secured Availability