
[LDAPCPSE] After adding a LDAPS connection as second option, going to global config page will error out

Open desmondkung opened this issue 10 months ago • 21 comments

Hi Yvand, after adding a LDAPS connection as a second option and saving it, going back to the global config page will error out with "Exception of type 'SystemArgumentException' was thrown. Parameter name: claimType."

I need help to see the current claimTypes via PowerShell and to edit them if necessary. Based on old docs, I can add type using 'Assembly Name="Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740" '

What about the second line? How do I adapt the following to fit LDAPCPSE? $config = [ldapcp.LDAPCPConfig]::GetConfiguration("LDAPCPConfig")

desmondkung avatar Apr 05 '24 07:04 desmondkung

@desmondkung this is clearly unexpected. You can add an LDAPS entry using this PowerShell script:

Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
$settings = $config.Settings

# Add a new LDAP connection
$ldapConnection = New-Object "Yvand.LdapClaimsProvider.Configuration.LdapConnection"
$ldapConnection.LdapPath = "LDAP://contoso.local:636/DC=contoso,DC=local"
$ldapConnection.Username = "<account>"
$ldapConnection.Password = "<password>"
$ldapConnection.EnableAugmentation = $true
$settings.LdapConnections.Add($ldapConnection)
$config.ApplySettings($settings, $true)

To understand your scenario, can you send the output of this:

$trust = Get-SPTrustedIdentityTokenIssuer "YOUR_SPTRUST_NAME"
$trust.ClaimTypeInformation | fl MappedClaimType, IsIdentityClaim

Yvand avatar Apr 05 '24 09:04 Yvand
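The script above persists a new connection straight away, with the password typed into the script. The following is an added example (not code from the thread or from the LDAPCP project) that wraps the same LDAPCPSE calls (GetConfiguration, Settings.LdapConnections, ApplySettings) with a few checks a practitioner would want before touching the farm configuration: it prompts for the credentials instead of hardcoding them, refuses a path that is not an explicit LDAPS endpoint on port 636, performs a pre-flight bind with .NET DirectoryServices, and skips the add when a connection with the same LdapPath already exists. The LDAPS path, the port-636 requirement and the bind flags are assumptions for the example.

```powershell
# Added example, not part of the LDAPCP project or this thread.
# Assumptions: the LDAPCPSE API used in the thread; the LDAPS path below is a placeholder;
# the target is expected to be an explicit LDAPS endpoint on port 636.
Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"

$ldapPath  = "LDAP://ldaps.contoso.local:636/DC=contoso,DC=local"   # placeholder
$username  = Read-Host "Service account (DOMAIN\user)"
$securePwd = Read-Host "Password" -AsSecureString
# LdapConnection.Password is a plain string property (as in the thread's script), so decode once here
$plainPwd  = [System.Net.NetworkCredential]::new("", $securePwd).Password

# 1. Refuse anything that is not an explicit LDAPS path on port 636 (assumption: that is the intent)
if ($ldapPath -notmatch '^LDAP://[^/:]+:636(/|$)') {
    throw "Expected an LDAPS path on port 636, got '$ldapPath'"
}

# 2. Pre-flight bind with .NET DirectoryServices before anything is persisted
$authType = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer -bor
            [System.DirectoryServices.AuthenticationTypes]::Secure
$entry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, $username, $plainPwd, $authType)
try {
    $null = $entry.NativeObject   # forces the bind; throws if TLS or the credentials fail
    Write-Host "Bind OK, base object: $($entry.Properties['distinguishedName'].Value)"
} catch {
    throw "Bind to '$ldapPath' failed: $($_.Exception.Message)"
} finally {
    $entry.Dispose()
}

# 3. Do not register the same path twice (the thread is about adding a *second* connection)
$config   = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
$settings = $config.Settings
$existing = $settings.LdapConnections | Where-Object { $_.LdapPath -eq $ldapPath }
if ($existing) {
    Write-Warning "A connection to '$ldapPath' already exists (Identifier $($existing.Identifier)); nothing changed"
    return
}

$ldapConnection = New-Object "Yvand.LdapClaimsProvider.Configuration.LdapConnection"
$ldapConnection.LdapPath           = $ldapPath
$ldapConnection.Username           = $username
$ldapConnection.Password           = $plainPwd
$ldapConnection.EnableAugmentation = $true
$settings.LdapConnections.Add($ldapConnection)
$config.ApplySettings($settings, $true)

# 4. Show what is now persisted, without echoing the password
$config.Settings.LdapConnections |
    Format-Table Identifier, LdapPath, Username, UseDefaultADConnection, EnableAugmentation -AutoSize
```

Run it from the SharePoint Management Shell on a farm server; the final table uses the same property names that appear in the connection dump later in this thread, so the new entry can be compared against the default "Connect to SharePoint domain" connection.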

Hi @Yvand,

MappedClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
IsIdentityClaim : True

desmondkung avatar Apr 05 '24 09:04 desmondkung

Is there a way to reset all LDAPCPSE settings back to default via PowerShell so that I can try again? Including the removal of the recently added LDAPS connection.

desmondkung avatar Apr 05 '24 09:04 desmondkung

current ldap settings

Identifier                           : fe5fe0de-8c6a-48f6-8fff-d28e704771b6
LdapPath                             : Connect to SharePoint domain
Username                             : 
Password                             : 
AdditionalMetadata                   : 
AuthenticationType                   : Secure, Signing, Sealing
UseDefaultADConnection               : True
EnableAugmentation                   : False
GetGroupMembershipUsingDotNetHelpers : False
GroupMembershipLdapAttributes        : {memberOf, uniquememberof}
LdapEntry                            : System.DirectoryServices.DirectoryEntry
LdapEntryServerAndPort               : LDAP://<removed>
InitializationSuccessful             : False
DomainName                           : 
DomainFQDN                           : 
DomaindistinguishedName              : 
UpgradedPersistedProperties          : {}

Identifier                           : 9b9ec788-ad57-44e8-841d-5dabc8107cac
LdapPath                             : LDAP://<removed>
Username                             : <domain\username removed>
Password                             : <removed>
AdditionalMetadata                   : 
AuthenticationType                   : Secure, Signing, Sealing
UseDefaultADConnection               : False
EnableAugmentation                   : False
GetGroupMembershipUsingDotNetHelpers : False
GroupMembershipLdapAttributes        : {memberOf, uniquememberof}
LdapEntry                            : System.DirectoryServices.DirectoryEntry
LdapEntryServerAndPort               : LDAP://<removed>
InitializationSuccessful             : False
DomainName                           : 
DomainFQDN                           : 
DomaindistinguishedName              : 
UpgradedPersistedProperties          : {}

desmondkung avatar Apr 05 '24 10:04 desmondkung

Is there a way to reset all LDAPCPSE settings back to default via PowerShell so that I can try again? Including the removal of the recently added LDAPS connection.

You can run those commands to delete and recreate the configuration:

[Yvand.LdapClaimsProvider.LDAPCPSE]::DeleteConfiguration()
[Yvand.LdapClaimsProvider.LDAPCPSE]::CreateConfiguration()

Yvand avatar Apr 05 '24 10:04 Yvand

  1. I've deleted and re-created the configuration via PowerShell by running those two commands.
  2. In central admin, I deleted the default LDAP connection to SharePoint domain and added only the LDAP server I want to connect to.
  3. Clicked on the "Test LDAP Connection" and it passed.
  4. Clicked on "Add LDAP Connection", then click on "OK" at the top.
  5. Back at the Security page, click on "Global configuration" and error appears.

desmondkung avatar Apr 05 '24 11:04 desmondkung

Another way to reproduce.

  1. Delete and re-create the configuration via PowerShell.
  2. In central admin, go to security, click on global configuration.
  3. Click on "OK" button at the top.
  4. Back at the Security page, click on "Global configuration" and error appears.

desmondkung avatar Apr 05 '24 11:04 desmondkung

Can you check the SharePoint log on the server running CA, filter on Product/Area LDAPCP, and verify if errors/messages are recorded?

Yvand avatar Apr 05 '24 11:04 Yvand

There's only 1 line if I filter ULS logs via Product.

"Successfully updated configuration 'LDAPCPSEConfig' with Id <guid>"

desmondkung avatar Apr 06 '24 04:04 desmondkung

@desmondkung the log is not giving more information. I would really like to understand the root cause: Are you able to repro the issue, whatever you type in the new LDAP connection? Can you repro if you remove the default LDAP connection?

Yvand avatar Apr 08 '24 14:04 Yvand

@desmondkung the log is not giving more information. I would really like to understand the root cause: Are you able to repro the issue, whatever you type in the new LDAP connection? Can you repro if you remove the default LDAP connection?

I can try tomorrow morning. To make sure I understand correctly, are you asking if I remove the default LDAP connection, leaving it with no LDAP connection, will the issue occur?

BTW, the log you referring to, does it include the ULS log I sent to your mail?

desmondkung avatar Apr 08 '24 14:04 desmondkung

Yes, basically I'm curious if you can reproduce the issue even with typing dummy data, e.g. LDAP://whatever. Or, if it requires a specific test. And also, if it depends on whether the default connection is present or not. I'm sure it is a bug, but right now I cannot repro it. I hope I will be able to repro with your help.

Yes, I reviewed the log you sent, and it contains nothing helpful.

Yvand avatar Apr 08 '24 14:04 Yvand

Sent you 3 problem step recorder files for the following scenarios. All of them have identical error.

  1. With default LDAP
  2. With no LDAP
  3. With default LDAP and random LDAP

desmondkung avatar Apr 09 '24 05:04 desmondkung

@desmondkung the error happens because there is no group claim type set in the trust in your environment. I opened PR https://github.com/Yvand/LDAPCP/pull/207 to handle this correctly.

In the meantime, you can fix the issue in the current version by removing the group claim type from the LDAPCPSE configuration, using the script below:

Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"
$config = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
$settings = $config.Settings
$settings.ClaimTypes.Remove($settings.ClaimTypes.GroupIdentifierConfig)
$config.ApplySettings($settings, $true)

Yvand avatar Apr 11 '24 12:04 Yvand
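The workaround above removes the group identifier unconditionally. Since the root cause identified in this thread is a trust without a group claim type, the following added example (not code from the thread or from the LDAPCP project) first compares the claim types the SPTrust actually maps (the `MappedClaimType` view requested earlier in the thread) with the group identifier configured in LDAPCPSE, and only removes the latter when the trust has no matching claim. It assumes that `GroupIdentifierConfig` exposes a `ClaimType` property, as LDAPCP's claim type configuration objects do, and "YOUR_SPTRUST_NAME" is a placeholder.

```powershell
# Added example, not part of the LDAPCP project or this thread.
# Assumptions: GroupIdentifierConfig has a ClaimType property; "YOUR_SPTRUST_NAME" is a placeholder.
Add-Type -AssemblyName "Yvand.LDAPCPSE, Version=1.0.0.0, Culture=neutral, PublicKeyToken=80be731bc1a1a740"

$trust    = Get-SPTrustedIdentityTokenIssuer "YOUR_SPTRUST_NAME"
$config   = [Yvand.LdapClaimsProvider.LDAPCPSE]::GetConfiguration()
$settings = $config.Settings

$groupCfg = $settings.ClaimTypes.GroupIdentifierConfig
if ($null -eq $groupCfg) {
    Write-Host "No group identifier is configured in LDAPCPSE; nothing to do"
    return
}

# Claim types the trust really issues (same data as `$trust.ClaimTypeInformation | fl MappedClaimType`)
$trustClaimTypes = @($trust.ClaimTypeInformation | ForEach-Object { $_.MappedClaimType })
Write-Host "Trust '$($trust.Name)' maps these claim types:"
$trustClaimTypes | ForEach-Object { Write-Host "  $_" }

if ($trustClaimTypes -contains $groupCfg.ClaimType) {
    Write-Host "Trust already maps the group claim '$($groupCfg.ClaimType)'; configuration left unchanged"
    return
}

# The trust has no group claim: this is the condition behind the 'Parameter name: claimType' error
Write-Warning "Trust has no claim '$($groupCfg.ClaimType)'; the group identifier will be removed from LDAPCPSE"
$answer = Read-Host "Type YES to apply the change"
if ($answer -ne 'YES') {
    Write-Host "Aborted; nothing changed"
    return
}

$settings.ClaimTypes.Remove($groupCfg)
$config.ApplySettings($settings, $true)

Write-Host "Group identifier removed. Remaining claim type configuration:"
$config.Settings.ClaimTypes | Format-Table -AutoSize
```

The confirmation prompt is there because ApplySettings writes the farm-wide persisted object immediately; running the read-only part first (everything before the prompt) is a cheap way to verify the diagnosis on another farm before changing anything.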

Alright! I'll test this out tomorrow morning =)

desmondkung avatar Apr 11 '24 12:04 desmondkung

Error: Value cannot be null. Parameter name: type.

desmondkung avatar Apr 12 '24 01:04 desmondkung

Weird that I did not repro it, but it should be fixed in https://github.com/Yvand/LDAPCP/commit/b4c5d9703f94fb279dd608f1c34a03365ba4c24f

Yvand avatar Apr 12 '24 14:04 Yvand

I think the only way left to tell would be to deploy the new release once your pull request is done.

desmondkung avatar Apr 14 '24 03:04 desmondkung

I just published a nightly build which contains this fix.

Yvand avatar Apr 15 '24 08:04 Yvand

Just tested. No more error messages =) Will the release build be created soon? Else, I might just use this nightly first. Thank you so much!

desmondkung avatar Apr 15 '24 09:04 desmondkung

Thanks for confirming!

Yvand avatar Apr 15 '24 11:04 Yvand