Thank you for your comments piaudonn. Your mention of the security descriptor has led me down the right path. I can get it to work but with too much permission. I need to narrow it down now.
ADFS 4.0 tokenGroups stopped working

Hello,
I am currently running ADFS 4.0 in a 2012 R2 domain. My colleague is upgrading the domain to 2019, so we have a mix of 2012 R2 and 2019 servers, but the functional level is still 2012 R2. Recently (I don't know exactly when) my ADFS server stopped providing the tokenGroups claim for some users. It DOES work for others. I have no idea what's functionally different between those that are OK and those that are not. ADFS is using a gMSA and it's been fine for over a year.
My query is:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("memberOf"), query = ";tokenGroups;{0}", param = c.Value);
This works fine for some users and not at all for others. I've used the Firefox SAML tracer and verified that the tokenGroups claim is never put into the SAML response for those that are not working.
Any help would be greatly appreciated.
--tim
Active Directory Federation Services
Pierre Audonnet - MSFT (Microsoft Employee)
2020-08-04T19:04:53.19+00:00
Is it consistent for these users?
Does this persist after a restart of the ADFS service? The only way I can repro is by playing with the permissions of the service account on the user. Can you compare the security descriptor (i.e. the security tab) of a working user versus a non-working user?
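One way to do the comparison Pierre suggests from a shell rather than the Security tab, as an added example that is not part of the thread: it dumps the ACEs of a working and a non-working user, lists the ACEs present on the first but missing on the second, and shows adminCount and whether ACL inheritance is blocked, since those decide which inherited ACEs (including any that grant the ADFS service account read access) survive on the object. The user names and the gMSA name are placeholders; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not from the original post. Placeholder identities:
$WorkingUser    = 'working.user'        # sAMAccountName of a user whose tokenGroups claim works
$NonWorkingUser = 'broken.user'         # sAMAccountName of a user whose claim is missing
$ServiceAccount = 'CONTOSO\adfs-gmsa$'  # the ADFS gMSA, including the trailing $
Import-Module ActiveDirectory

function Get-UserAces {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties nTSecurityDescriptor, adminCount
    # Render each ACE as one comparable string: who, which rights, allow/deny,
    # inherited or explicit, and the attribute/property-set GUID it applies to.
    $aces = $user.nTSecurityDescriptor.Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
            $_.AccessControlType, $_.IsInherited, $_.ObjectType
    }
    [pscustomobject]@{
        Name               = $SamAccountName
        AdminCount         = $user.adminCount
        InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
        Aces               = @($aces)
    }
}

$ok  = Get-UserAces -SamAccountName $WorkingUser
$bad = Get-UserAces -SamAccountName $NonWorkingUser

'adminCount and inheritance state (a blocked ACL drops inherited ACEs):'
$ok, $bad | Format-Table Name, AdminCount, InheritanceBlocked -AutoSize

'ACEs present on the working user but missing on the non-working user:'
Compare-Object -ReferenceObject $ok.Aces -DifferenceObject $bad.Aces |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

# The gMSA usually gets its read access through a group (e.g. Authenticated Users
# or Pre-Windows 2000 Compatible Access) rather than a direct ACE, so an empty
# result here is normal; the Compare-Object output above is the useful part.
'ACEs on the non-working user that name the ADFS service account directly:'
$bad.Aces | Where-Object { $_ -like "$ServiceAccount|*" }
```

Run it as an account that can read nTSecurityDescriptor on both users; the missing-ACE list is what to narrow the fix down to, rather than granting the gMSA broad rights.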