  • Status: Solved
  • Priority: Medium

MOSS 2007 fails to get user group "Role#Domain Admins" from claims provider in AD Federation services Lab

We are using Microsoft Lab guide to build a test of AD Federation Services towards Sharepoint 2007.
We are using the Lab Guide "adfs2-sharepoint-federated-collaboration-step-by-step-guide" and have come to Step 2: "Add the Domain Admins group as Administrator for the Sharepoint Site".

At this point one is supposed to enter "Role#Domain Admins" in the Extranet Zone security settings. This fails and the message is "No exact match was found".
If you try to open the directory there is nothing there.

[Screenshot: Add users dialog from MOSS 2007 Extranet Zone]
As I understand it the Extranet Zone at this point is set to access ADFS and not AD. Adding Domain Admins to the standard port 80 web application works fine so the problem seems to be when Sharepoint tries to Access ADFS.

There are no event logs which show anything untoward, either on the ADFS/AD server or the SP server. I am now going to do some tracing of this. Any suggestions as to where to start looking would be helpful.
1 Solution
Justin Smith, Sr. System Engineer, Commented:
Not too familiar with the lab, but in order to choose accounts from a federated Domain, your Central Admin URL must have access to it as well as the web app that will actually be using it.  This is often forgotten.

Did the lab have you editing web.config files?  Did you do it for the web app and the Central Admin web app?
hakonsv (Author) Commented:
There was no editing of web.config directly. This was all done with a utility that came with the "Microsoft Federation Extensions for Sharepoint 3.0" (download)

Running the "Federation Utility for Sharepoint 3.0" you first point it to "Administrator configuration file location".

At this point the lab is really unclear about which config should be chosen. On the next window you get to choose the actual app config that you are supposed to modify for federating.

From what you have indicated I probably should have chosen the Central Admin config for the first file (which I didn't).

I will be testing this asap and get back to you as soon as I have completed this bit.
hakonsv (Author) Commented:
Rerunning the federation utility and selecting the Central Admin web.config file in the first dialog box did the trick - Excellent!
