question

DS-6360 asked ·

Private Personal Identifier with 2 nodes ADFS : how generate same PPID from both servers ?

I am trying to generate a PPID claim on ADFS (Windows Server 2019) with the rule (from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/when-to-use-a-custom-claim-rule):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "_OpaqueIdStore", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);

But my setup is a two-node ADFS farm (with a SQL cluster as the back end) behind a load balancer.

My problem is that each node generates a different PPID for the same user.

To my understanding, ADFS should generate the same PPID from both servers?

Is it possible (and how) with _OpaqueIdStore to generate the same PPID from different servers of the same ADFS farm?

Thank you in advance.


Are you sure they are both members of the same farm?

What do you get when you run this on both nodes:
Get-ADFSFarmInformation


Thank you Pierre.
From both nodes, Get-ADFSFarmInformation gives:
CurrentFarmBehavior : 4
FarmNodes : {I-IDD-A0.contoso.com, I-IDD-B0.contoso.com}
FarmRoles : {UserState}

Servers are both Server 2019 build 17763.1098 now.
Each node continues to give a different value for the same user.


I cannot repro in my lab. Do you mind copy/pasting the exact rules you are using for this relying party?

piaudonn answered ·

It reminds me of this: https://social.technet.microsoft.com/Forums/en-US/bf84042b-28c1-4c9e-b859-5d2945c6b9fb/adfs-converts-upper-case-upn-to-small?forum=ADFS

Based on the observation at the time, it seemed that the UPN coming from the acceptance rules was always in lower case. So maybe replace the windowsaccountname with the UPN from the acceptance rules (what I mean by "from the acceptance rules" is that you don't extract the UPN from an LDAP query but just create a pass-through rule at the relying party trust level).

Else, worst case, you can still convert the windowsaccountname to lowercase (or upper case). You can do that with a custom attribute store: https://docs.microsoft.com/en-us/previous-versions/adfs-2.0/hh599320(v=msdn.10)?redirectedfrom=MSDN or use the fancy regexp from here: https://social.technet.microsoft.com/Forums/en-US/109a226d-b9c5-47b4-98ab-2d9e6446b1e4/adfs-claim-to-convert-user-id-to-uppercase?forum=ADFS.


Thank you Pierre,
Case sensitivity is a pain sometimes...
Thank you for the links.
Have a good day.

DS-6360 answered ·

Hello, sorry for the delay in following up, but I was a bit busy.... You were on the right track! Simplified the rules and tested against Claims X-Ray....


And it shows that the problem is NOT in the store _OpaqueIdStore, whose arguments are case-sensitive (sounds logical) but, strange as it seems, that the CASE of http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname is not consistent between node A and node B of my farm.

On node A the Windows Account Name is like CONTOSO\ds123456

On node B the Windows Account Name is like CONTOSO\DS123456 (for the very same user, same AD....): different case

Very strange behaviour...

My simplified rule:


c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "_OpaqueIdStore", types = ("http://i-idd.silab.cea.fr/internal/ppidwan"), query = "{0};{1};{2}", param = "ppid", param = c1.Value, param = c1.OriginalIssuer);

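The mechanism behind piaudonn's suggestion to normalize case and DS-6360's final diagnosis, as an added example that is not part of this thread and not ADFS code: the real _OpaqueIdStore derivation is not shown here, so the PPID is modelled as an HMAC-SHA256 over the formatted "{0};{1};{2}" query string keyed with an assumed farm-wide secret. The issuer value "AD AUTHORITY" and the farm secret are constructed for the example; the two account-name forms are the ones reported from node A and node B.

```python
import base64
import hashlib
import hmac

# Assumption: all nodes of the farm share one secret. ADFS's actual
# _OpaqueIdStore algorithm is not documented in the thread; a keyed hash
# stands in for it so the case-sensitivity of its inputs can be shown.
FARM_SECRET = b"constructed-farm-secret"


def opaque_id(query: str, params: list[str], secret: bytes = FARM_SECRET) -> str:
    """Model of store="_OpaqueIdStore": format the query with the params,
    hash the result under the farm secret, and return it base64-encoded."""
    material = query.format(*params).encode("utf-8")
    digest = hmac.new(secret, material, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def issue_ppid(account_name: str, original_issuer: str, normalize: bool = False) -> str:
    """Mirror the posted rule: query = "{0};{1};{2}" with params "ppid",
    c.Value and c.OriginalIssuer. With normalize=True the account name is
    lower-cased first, which is the workaround suggested in the answer."""
    value = account_name.lower() if normalize else account_name
    return opaque_id("{0};{1};{2}", ["ppid", value, original_issuer])


def diagnose(node_a_value: str, node_b_value: str, issuer: str) -> str:
    """Classify why two farm nodes disagree on the PPID for one user."""
    if issue_ppid(node_a_value, issuer) == issue_ppid(node_b_value, issuer):
        return "consistent"
    if node_a_value.casefold() == node_b_value.casefold():
        return "case-only difference in windowsaccountname"
    return "different input claims"


# Constructed sample: the two forms observed on node A and node B.
ISSUER = "AD AUTHORITY"  # assumed OriginalIssuer of the windowsaccountname claim
NODE_A = "CONTOSO\\ds123456"
NODE_B = "CONTOSO\\DS123456"

if __name__ == "__main__":
    print("node A:", issue_ppid(NODE_A, ISSUER))
    print("node B:", issue_ppid(NODE_B, ISSUER))
    print("verdict:", diagnose(NODE_A, NODE_B, ISSUER))
    print("normalized A == B:",
          issue_ppid(NODE_A, ISSUER, True) == issue_ppid(NODE_B, ISSUER, True))
```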