When you throw claims authentication into the mix of AD users and SharePoint user profiles, there are some things you should be aware of:
- Use your Identity Provider to make the user profile sync connection to the domain.
- There is no built-in mapping between the user profile identifier and the identity of a claims (or forms) user from the identity provider; missing this will give you more than one user profile per user!
Setting up the sync connection with Identity Provider
A sync connection for claims users with an Identity Provider can be set up in Central Admin or through this PowerShell cmdlet:
Add-SPProfileSyncConnection
But beware: it is only intended for SharePoint Online environments, so now you are warned!
I found it working fine on premises, but there are no warranties!
Specific to the claims scenario, I will just point out the following parameters.
All the parameters are explained on this TechNet article:
http://technet.microsoft.com/en-us/library/jj219677.aspx
Parameter | Required | Type | Description
ConnectionClaimProviderIdValue | Optional | System.String | Specifies the Claims Provider ID or Name for an authentication type while a Web App is configured.
ConnectionClaimProviderTypeValue | Optional | System.String | Specifies the Authentication claim Provider that will be used to encode the User Profile account names, for example Windows/Forms etc. This means that if a user logs in using the given Authentication Type, a profile can be found by looking up the claim-encoded credentials.
The PowerShell could look something like this:
# provision connection with Claim Provider (the comment must not share a line with the cmdlet)
Add-SPProfileSyncConnection `
 -ProfileServiceApplication 888ds256-9ad9-53a9-f135-99eecd245670b `
 -ConnectionClaimProviderIdValue "ClaimProviderName" `
 -ConnectionClaimProviderTypeValue "Trusted" `
 -ConnectionForestName "fabrikam.com" `
 -ConnectionDomain "Fabrikam" `
 -ConnectionUserName "Testupa" `
 -ConnectionPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force) `
 -ConnectionSynchronizationOU "OU=SharePoint Users,DC=fabrikam,DC=com"
Limitations:
- Only in SharePoint 2010 Service Pack 1!
- The account running the PowerShell window must be added as an administrator for the UPA.
- Remove-SPProfileSyncConnection does not delete sync connections!
- … see below
Others explaining the use of this cmdlet
- Managing Sync Connections with *-SPProfileSyncConnection cmdlets in Service Pack 1
- New Add-SPProfileSyncConnection cmdlet seems to ignore NetBIOSDomainNamesEnabled property?
Mapping between AD user and Claim user
When setting up a SharePoint 2010 application with claims authentication, there is no built-in mapping between the AD user profiles and the claims (or forms) user (see my former post User profile property mappings in SharePoint and Active Directory and the TechNet article http://technet.microsoft.com/en-us/library/gg750254.aspx#section2):
In claims-based Web applications, SharePoint Server uses the Claim User Identifier property (SPS-ClaimID) to match an authenticated user to the correct user profile. If the SPS-ClaimID is not mapped to the directory service attribute that you want to use as the user identifier, when a user is authenticated, he or she is not matched to the correct user profile and will not see the imported user profile data.
In the worst case, this will give you more than one user profile per user.
The mapping between the claims user and the AD user is done by setting the SPS-ClaimID (Claim User Identifier) property to sAMAccountName (UserName) through the User Profile Service Application.
This property mapping must be inserted manually when using Forms or Trusted Identity providers.
Or you can use PowerShell to set this mapping. The AddNewMapping method on the sync connection's PropertyMapping can do just that:
$synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsPropertyName, $userPropertyName)
Remember to do a full sync after setting this property mapping!
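As an added example (not the post's own script), here is the mapping step in context: look up the UPA and its AD sync connection, add the SPS-ClaimID to sAMAccountName mapping only if it is missing, and then start the full sync. The site URL http://sp2010 and the connection display name "fabrikam.com" are assumptions.

```powershell
# Added example, not from the original post. Assumed values: the site URL and the
# display name of the AD sync connection created with Add-SPProfileSyncConnection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl          = "http://sp2010"     # assumption: any site in a web app that consumes the UPA
$connectionName   = "fabrikam.com"      # assumption: display name of the AD sync connection
$spsPropertyName  = "SPS-ClaimID"       # Claim User Identifier profile property
$userPropertyName = "sAMAccountName"    # AD attribute it must be mapped to

$site    = Get-SPSite $siteUrl
$context = Get-SPServiceContext $site
$configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)

$synchConnection = $configManager.ConnectionManager | Where-Object { $_.DisplayName -eq $connectionName }
if ($synchConnection -eq $null) {
    $site.Dispose()
    throw "Sync connection '$connectionName' not found; create it first with Add-SPProfileSyncConnection."
}

# Check for an existing mapping first so the script can be re-run safely and so a
# wrong mapping (the cause of duplicate profiles) is reported rather than silently kept.
$existing = $synchConnection.PropertyMapping | Where-Object { $_.ProfileProperty.Name -eq $spsPropertyName }
if ($existing -eq $null) {
    $profileType = [Microsoft.Office.Server.UserProfiles.ProfileType]::User
    $synchConnection.PropertyMapping.AddNewMapping($profileType, $spsPropertyName, $userPropertyName)
    Write-Host "Mapped $spsPropertyName -> $userPropertyName on '$connectionName'"
}
elseif ($existing.DataSourcePropertyName -ne $userPropertyName) {
    Write-Warning "$spsPropertyName is already mapped to '$($existing.DataSourcePropertyName)'; review it in the UPA before changing it."
}
else {
    Write-Host "$spsPropertyName is already mapped to $userPropertyName; nothing to do."
}

# The new mapping only takes effect after a full synchronization ($true = full import).
$configManager.StartSynchronization($true)
$site.Dispose()
```

Run it in the SharePoint 2010 Management Shell as an account that is an administrator of the UPA, then verify the mapping under Manage User Properties in Central Admin.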
Resources
This CodePlex project contains a PowerShell script to help you automate the creation of SharePoint 2010 User Profile Synchronization connections, User Profile Properties and User Profile Property mappings.
Create/Manage SPS2010 User Profile Properties or Sync Connection from Powershell
Other useful links:
- TechNet: User Profile Service troubleshooting
- Harbar.Net: http://www.harbar.net/