Sharepoint 2013 ADFS 2.0 Domain

Hi experts,

I'm not that familiar with ADFS complex configuration. Hope someone can point me in the right direction.

So we have DOMAIN and DOMAINDEV domains.

I have configured ADFS for my SP2013. ADFS and SP sit in DOMAINDEV and I can login using my DOMAINDEV account.

When trying to log in using my DOMAIN account, ADFS throws an error:

--- the error in the event viewer:

The Federation Service encountered an error while connecting to a global catalog server at domain.com.au.

Additional Data
Domain Name: domain.com.au
Global Catalog hostname (if available):
Error from server (if available):
Exception Details:
The LDAP server is unavailable.

User Action
Troubleshoot the network connectivity to the global catalog server. Also, verify that the global catalog server is configured properly.

followed by

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data
Exception details:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: Query ';sAMAccountName,tokenGroups,userPrincipalName,mail;{0}' to attribute store 'Active Directory' failed: 'Exception of type 'Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException' was thrown.'. --->
---

Any idea how I can allow login through my DOMAIN account as well?

I have confirmed that ADFS can connect to the DOMAIN DC on port 389 (telnet).

Thanks,

Andreas


  • Edited by crsnt Thursday, October 31, 2013 7:22 AM
October 31st, 2013 10:16am

Hi Andreas,
According to your description, the error occurred when you logged into SharePoint with a DOMAIN account.

    1. Based on the error message, I recommend checking whether the rules to pass through all of the claims you want to send to SharePoint have been created, together with a Pass Through claim rule on the SharePoint relying party for each of them.

    2. As the error indicates that the GC can't be contacted, please also run DCDIAG and get the verbose diagnosis log, which examines the connectivity and functionality of the DC and GC in the domain. It will help to isolate the issue to either the SharePoint side or the AD side.

Here is a link about configuring SharePoint 2013 and ADFS with multiple domains for you to take a look at:
http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=109

Best regards.
Thanks

November 1st, 2013 2:17am

Hi Victoria,

Thanks for the reply.

We just fixed the issue. Turns out port 3268 was not opened yet, so ADFS couldn't connect to the GC.

Port 389 is not enough.

Thanks,

Andreas

  • Marked as answer by crsnt 4 hours 28 minutes ago
November 1st, 2013 2:49am
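Victoria's advice to diagnose GC connectivity and Andreas's finding that TCP 389 alone was not enough (the global catalog listens on 3268, and 3269 for LDAPS) can be folded into a small triage script. This is an added example, not code from the thread or from Microsoft: it parses the event text quoted in the question to pull out the domain, the attribute-store query and the exception, then probes the domain controller ports AD FS needs for that domain. The sample event is reconstructed from the question, the port list is an assumption based on the thread and standard AD port usage, and the connect function is pluggable so the script can be exercised offline with a stubbed result.

```python
"""Triage an AD FS 'global catalog unavailable' event and check the DC ports it needs.

Added example for this thread, not part of the original posts. The event text
below is reconstructed from the question; the port probe can be replaced so the
whole thing runs offline.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample: the two event-log entries from the question, joined into
# one message body as the forum flattened them.
SAMPLE_EVENT = (
    "The Federation Service encountered an error while connecting to a global catalog "
    "server at domain.com.au. Additional Data Domain Name: domain.com.au "
    "Global Catalog hostname (if available): Error from server (if available): "
    "Exception Details: The LDAP server is unavailable. "
    "Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: "
    "Query ';sAMAccountName,tokenGroups,userPrincipalName,mail;{0}' to attribute store "
    "'Active Directory' failed: 'Exception of type "
    "'Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap."
    "LdapServerUnavailableException' was thrown.'."
)

# Ports AD FS uses against a domain controller when the attribute store is AD
# (assumed list). 389/636 reach any DC; 3268/3269 are the global-catalog
# listeners, which is what the event complains about and what was closed here.
DC_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "GC LDAP", 3269: "GC LDAPS"}
GC_PORTS = (3268, 3269)


@dataclass
class GcFailure:
    domain: str
    attributes: Tuple[str, ...]
    store: str
    exception: str


def parse_gc_failure(event_text: str) -> Optional[GcFailure]:
    """Extract domain, queried attributes, store and exception class from the event.

    Returns None when the text does not match the GC-unavailable pattern.
    """
    if "global catalog" not in event_text.lower():
        return None
    domain = re.search(r"Domain Name:\s*([A-Za-z0-9.-]+)", event_text)
    query = re.search(r"Query ';([^;]*);\{0\}' to attribute store '([^']+)'", event_text)
    exc = re.search(r"Exception of type '([\w.]+)'", event_text)
    if not (domain and query and exc):
        return None
    return GcFailure(
        domain=domain.group(1),
        attributes=tuple(a for a in query.group(1).split(",") if a),
        store=query.group(2),
        exception=exc.group(1).rsplit(".", 1)[-1],  # short class name
    )


Prober = Callable[[str, int], bool]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Default prober: a plain TCP connect, the same check telnet gives."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str, prober: Prober = tcp_open) -> Dict[int, bool]:
    """Probe every port in DC_PORTS on the given host."""
    return {port: prober(host, port) for port in DC_PORTS}


def triage(event_text: str, prober: Prober = tcp_open) -> dict:
    """Parse the event, probe the named domain, and report closed GC ports.

    A reachable 389 does not clear this error: AD FS needs the GC listener too.
    """
    failure = parse_gc_failure(event_text)
    if failure is None:
        return {"recognised": False}
    ports = check_dc_ports(failure.domain, prober)
    closed_gc = [p for p in GC_PORTS if not ports[p]]
    if closed_gc:
        verdict = "GC ports %s closed to %s; open them to a global catalog server" % (
            closed_gc, failure.domain)
    else:
        verdict = "GC ports reachable; check claim rules and run DCDIAG on the DC"
    return {
        "recognised": True,
        "domain": failure.domain,
        "exception": failure.exception,
        "ports": ports,
        "closed_gc_ports": closed_gc,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Offline demo with a constructed prober mirroring the thread: 389 answered,
    # the GC ports did not. Drop the prober argument to probe a real DC.
    print(triage(SAMPLE_EVENT, lambda host, port: port in (389, 636)))
```

Run it without the stub prober from the AD FS server itself, since that is the host whose path to the GC matters; a success from an admin workstation says nothing about the federation server's firewall rules.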
