Claims Authentication - Security Groups not working

Hello All, 

I've recently configured claims authentication on SharePoint. The infrastructure is as below: 

1. Domain Controller for ABC.com 

2. AD FS Server ABC.com 

3. Domain Controller XYZ.com

4. SharePoint Server on XYZ.com 

5. A Client which is a member of ABC.com 

With this setup, I'm able to log in using the username and password of ABC.com users. However, for better administrative needs, I created a Security Group in Active Directory Users and Computers called spusers@abc.com and added some users. After creating the group, I successfully added the group to SharePoint as well. When I try to access the SharePoint site with the credentials of the users who are part of the security group, it gives me a message saying "Sorry, this site is not shared with you". Are my settings correct? Are there any additional steps that need to be taken to make the Security Group work? Your help is highly appreciated. 

Regards,

Srikanth Nagendranath



May 19th, 2015 2:21am

Hi Srikanth,

Can you provide a little more info on what claims you pass through to SharePoint in your AD FS server for ABC.com? Specifically, can you send a screenshot, or share info on the Edit Claim rules for the Relying party trust?

I suspect you are not passing the Role (or are passing it incorrectly), which should be mapped to the Windows security group.

If you need more information, please let me know.

May 19th, 2015 8:26am

[Screenshot: Claims Rules]

Hi Nico, 

Thank you for the reply. Above is the screenshot of the claim rules. Your help is highly appreciated. 

Regards,

Srikanth N

May 19th, 2015 8:33am

Okay, it seems you have set up "Role" as the outgoing claim type, which contains the AD Group.

In your setup, I assume you have created a mapping which includes this claim type?

Something similar to this?

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

May 19th, 2015 8:38am

Hello Nico, 

You're right, I've added a mapping called Role: 

[Screenshot: Claim Mapping Role]

May 19th, 2015 9:10am

Hi Srikanth,

For this issue, I recommend verifying the things below:

  1. Make sure that the token signing certificate from ADFS has been exported and added to SharePoint trusted root authorities.
  2. Make sure that the authentication method has been selected for the corresponding web application.

Please check if there are any steps missing when configuring ADFS for SharePoint by following the steps in the links below:

https://samlman.wordpress.com/2015/02/28/configuring-sharepoint-2010-and-adfs-v2-end-to-end/

http://social.technet.microsoft.com/wiki/contents/articles/10452.sharepoint-2010-how-to-install-and-configure-adfs-2-0-on-windows-server-2008-r2-for-sharepoint-2010.aspx

Thanks,

Victoria

May 21st, 2015 12:32am

Hi Srikanth,

How is everything going?

Is there any update on this issue?

If you have any questions, please feel free to let us know.

Thanks,

Victoria

May 27th, 2015 9:43am

Hello Victoria, 

Sorry for the delayed reply. So far no luck. I've tried umpteen number of times but for some reason, it does not get resolved. I think I should open a support ticket directly with the SharePoint team. Once I open and resolve the issue, I'll get back to this thread and update everyone on the solution. 

Regards,

Srikanth Nagendranath 

June 29th, 2015 8:44am

Hello All,

Just to update everyone, I resolved the issue. Found out that the identifier claim was not right and therefore the security group was not working. I set the identifier claim to email address, and everything started to work. Thanks a ton for your help.

Regards,

Srikanth

July 16th, 2015 2:45am
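
A SharePoint-side setup that combines the points raised in this thread (the Role mapping, the trusted token-signing certificate, and e-mail address as the identifier claim), followed by a check of what the issuer actually ended up with. This is an added example, not code from any poster; the certificate path, realm, sign-in URL, issuer name and the `Test-IssuerClaims` helper are placeholder assumptions.

```powershell
# Added example. Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values (assumptions): replace with your environment's own.
$certPath   = 'C:\certs\adfs-token-signing.cer'    # exported AD FS token-signing certificate
$realm      = 'urn:sharepoint:example'             # must match the relying party identifier in AD FS
$signInUrl  = 'https://adfs.example.com/adfs/ls/'  # AD FS passive sign-in endpoint
$issuerName = 'ADFS-Example'

$emailType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$roleType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Trust the certificate that signs the AD FS tokens.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name 'ADFS Token Signing (example)' -Certificate $cert | Out-Null

# Map both incoming claim types: e-mail identifies the user, Role carries the AD group.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleType `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# Create the issuer with e-mail address as the identifier claim.
New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description 'AD FS (example)' `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType | Out-Null

# Hypothetical helper: report the identifier claim and warn on the two
# conditions discussed in the thread (wrong identifier, missing Role mapping).
function Test-IssuerClaims([string]$Name) {
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $Name
    $idType = $issuer.IdentityClaimTypeInformation.InputClaimType
    $mapped = @($issuer.ClaimTypeInformation | ForEach-Object { $_.InputClaimType })

    if ($idType -ne $emailType) { Write-Warning "Identifier claim is '$idType', expected e-mail address." }
    if ($mapped -notcontains $roleType) { Write-Warning 'No Role mapping: group claims will not resolve.' }

    New-Object PSObject -Property @{ Issuer = $Name; IdentifierClaim = $idType; MappedClaims = $mapped }
}

Test-IssuerClaims -Name $issuerName
```

The AD FS relying party trust must issue both claim types used here (e-mail address and Role); a mapping in SharePoint has no effect on a claim that AD FS never sends.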
