MOSS 2007 fails to get user group "Role#Domain Admins" from claims provider in AD Federation services Lab

Posted on 2011-05-12
Last Modified: 2012-05-11
We are using Microsoft Lab guide to build a test of AD Federation Services towards Sharepoint 2007.
We are using the Lab Guide "adfs2-sharepoint-federated-collaboration-step-by-step-guide" and have come to Step 2: "Add the Domain Admins group as Administrator for the SharePoint Site".

At this point one is supposed to enter "Role#Domain Admins" in the Extranet Zone security settings. This fails and the message is "No exact match was found".
If you try to open the directory, there is nothing there.

[Screenshot: Add Users dialog from MOSS 2007 Extranet Zone]
As I understand it the Extranet Zone at this point is set to access ADFS and not AD. Adding Domain Admins to the standard port 80 web application works fine so the problem seems to be when Sharepoint tries to Access ADFS.

There are no event logs which show anything untoward, either on the ADFS/AD server or the SP server. I am now going to do some tracing of this. Any suggestions as to where to start looking would be helpful.
Question by:hakonsv

    Accepted Solution

    Not too familiar with the lab, but in order to choose accounts from a federated Domain, your Central Admin URL must have access to it as well as the web app that will actually be using it.  This is often forgotten.

    Did the lab have you editing web.config files?  Did you do it for the web app and the Central Admin web app?

    Author Comment

    There was no editing of web.config directly. This was all done with a utility that came with the "Microsoft Federation Extensions for Sharepoint 3.0".

    Running the "Federation Utility for Sharepoint 3.0", you first point it to "Administrator configuration file location".

    At this point the lab is really unclear about which config should be chosen. In the next window you get to choose the actual app config that you are supposed to modify for federating.

    From what you have indicated I probably should have chosen the Central Admin config for the first file (which I didn't).

    I will be testing this asap and get back to you as soon as I have completed this bit.

    Author Closing Comment

    Rerunning the federation utility and selecting the Central Admin web.config file in the first dialog box did the trick - Excellent!
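
The fix in this thread was that the Central Administration web.config had not been given the federation settings that the extranet web application had. As an added example (not part of the original thread, and not code from the lab guide), this PowerShell script lists membership and role providers that are registered for a web application but missing from Central Administration; it assumes the utility writes standard ASP.NET `<membership>` and `<roleManager>` entries, and the provider names, types and inline XML are constructed placeholders.

```powershell
# Added example. Both configs below are constructed samples, not real lab output.
function Get-ProviderNames {
    param([xml]$Config)
    $names = @()
    foreach ($section in 'membership', 'roleManager') {
        # Standard ASP.NET location for provider registrations
        $xpath = "/configuration/system.web/$section/providers/add"
        foreach ($node in $Config.SelectNodes($xpath)) {
            $names += "$section/" + $node.GetAttribute('name')
        }
    }
    return $names
}

function Compare-ProviderRegistration {
    param([xml]$WebAppConfig, [xml]$CentralAdminConfig)
    $webApp = @(Get-ProviderNames $WebAppConfig)
    $admin  = @(Get-ProviderNames $CentralAdminConfig)
    # Providers the zone relies on that Central Administration does not know about;
    # the people picker there cannot resolve names against these.
    $webApp | Where-Object { $admin -notcontains $_ }
}

# Constructed sample: extranet web application after the federation utility ran
[xml]$extranet = @'
<configuration><system.web>
  <membership defaultProvider="ExampleFederationMembership"><providers>
    <add name="ExampleFederationMembership" type="Example.Placeholder.MembershipProvider" />
  </providers></membership>
  <roleManager enabled="true" defaultProvider="ExampleFederationRoles"><providers>
    <add name="ExampleFederationRoles" type="Example.Placeholder.RoleProvider" />
  </providers></roleManager>
</system.web></configuration>
'@

# Constructed sample: Central Administration config that was never updated
[xml]$centralAdmin = @'
<configuration><system.web>
  <membership><providers /></membership>
</system.web></configuration>
'@

$missing = @(Compare-ProviderRegistration $extranet $centralAdmin)
if ($missing.Count -gt 0) {
    "Missing from Central Administration web.config:"
    $missing | ForEach-Object { "  $_" }
} else {
    "Central Administration has every provider the web application uses."
}
```

To check real servers, load each file with `[xml](Get-Content <path to web.config>)` in place of the inline samples.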
