Thursday, February 26, 2015

xls tries to open with excel services when searching

Scenario:
I had an issue with Excel documents trying to open with Excel Services when using search, although Excel Services wasn't even configured on the SharePoint server.
When looking at the site level, the feature for always opening with the client program was activated. Same thing at the list level: Server default was activated.
Workaround Solution:
When searching, check for preferences at the bottom
Activate Open in the browser. This will probably only solve it for the current user, but it helps if you are in a tight spot.

Retrieve latest timerjobs


To get a quick overview of the latest timer job runs without scrolling endlessly in Central Admin:
-----getTimerJobHistories.ps1--------
Add-PSSnapin microsoft.sharepoint.powershell
$number= 10 #total results
$timername = "User Profile Service Application_LMTRepopulationJob"
$timerjob = Get-SPTimerJob $timername
$timerjob.HistoryEntries | select jobdefinitiontitle,starttime,endtime,status,errormessage -first $number|format-table
#$timerjob.HistoryEntries
------------eof---------------------

Thursday, February 19, 2015

Overall steps to move from Active Directory to ADFS authentication in Sharepoint 2013

This is a bird's-eye perspective. I found it difficult to find resources that outlined the procedure. This omits everything that happens on the ADFS server and focuses on the SharePoint parts.

1. Back up all content databases and take snapshots of the servers.
2. Add relying party identifiers on the ADFS server. Add endpoints with ws_federation for all web applications that are going to use ADFS.
3. Add the identity provider on the SharePoint server (PS1.ConfigSPIdentifier)
4. Activate wsreply on the SharePoint server (PS2.Activatewsreply)
5. Add the identity provider to the relevant web applications
Authentication Provider > Claims Authentication Types > Trusted Identity Provider
6. Configure a new User Profile Synchronization, use Authentication Provider type = Trusted Claims > your adfs
Configure User properties >
email = mail
Claim User Identifier = mail
Run full sync
7. Convert all users on the web applications. Don't convert search accounts, and don't convert Authenticated Users; change that to, for example, Domain Users.
Use Move-SPUser
8. Change the Super User and Super Reader accounts to ADFS
Run change cachereaders on each web application and change the accounts in User Policy on the web applications.
9. Change the login page for ADFS (optional, but enables automatic sign-in for directory users) (also enabled crawl to run as AD-user)
Copy autologin.aspx to common files\template….
Change autologin.aspx to use the current ADFS provider
Change CentralAdministration > authpolicy > default signin page = autologin.aspx
10. Check the search engine so everything works.
11. Install LDAPCP to solve people picker issues.
12. Hide AD from the selection list (PS6.HideADfromLookup)
13. Done.


Issues that occurred:
Couldn't view anyone else's MySites – solution: add / permissions for all users.

Otherwise it worked quite nicely. 6000+ users migrated. This solution used email as the primary claim. This then required the email field in AD to be populated with a unique value.
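A sketch of step 7 that also enforces the unique-email requirement before anything is moved. It is an added example, not a script from the original post. The web application URL, the service account list and the `i:05.t|<issuer>|<mail>` target format are assumptions to verify against your own farm, and it relies on the Email field already being populated by the profile sync in step 6.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values, replace with your own:
$webAppUrl  = "http://sharepoint.mycompany.com"   # web application being converted
$issuerName = "TEST_ADFS@contoso.com"             # -Name used in PS1.ConfigSPIdentifier
$skipLogins = @('i:0#.w|contoso\svc-search')      # hypothetical search/service accounts to leave alone
$commit     = $false                              # $false = preview with -WhatIf only

Start-SPAssignment -Global
# Every Windows-claims *user* (i:0#.w|domain\user); groups use a c: prefix and are not matched.
$users = Get-SPSite -WebApplication $webAppUrl -Limit All |
    ForEach-Object { Get-SPUser -Web $_.Url -Limit All } |
    Where-Object { $_.UserLogin -like 'i:0#.w|*' -and $skipLogins -notcontains $_.UserLogin } |
    Sort-Object UserLogin -Unique

# Email is the identifier claim, so each login must map to exactly one non-empty address.
$byMail = $users | Group-Object { "$($_.Email)".Trim().ToLower() }

foreach ($g in $byMail) {
    if ($g.Name -eq '' -or $g.Count -gt 1) {
        # Empty address: the user could not sign in. Shared address: two accounts would
        # collide on one identity. Fix the mail attribute in AD and re-sync first.
        $g.Group | ForEach-Object { Write-Warning "SKIPPED (mail='$($g.Name)'): $($_.UserLogin)" }
        continue
    }
    # Encoded claim for a trusted issuer with email as the identity claim (assumed format)
    $newAlias = "i:05.t|$issuerName|$($g.Name)"
    Move-SPUser -Identity $g.Group[0] -NewAlias $newAlias -IgnoreSID -Confirm:$false -WhatIf:(-not $commit)
}
Stop-SPAssignment -Global
```

Before setting `$commit = $true`, compare a generated `$newAlias` with the login SharePoint shows for a test user who has already signed in through ADFS.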

Do I need to say that I take no responsibility for when this goes sideways? I don't. But it worked for me.

PS1.ConfigSPIdentifier

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\xss\ADFS-Token-Signing.cer")

New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert

$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "upn" -SameAsIncoming

$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$realm = "urn:test-intranet:sharepoint"

$ap = New-SPTrustedIdentityTokenIssuer -Name "TEST_ADFS@contoso.com" -Description "STS-IP id1.contoso.com" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3 -SignInUrl "https://id1.contoso.com/adfs/ls" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
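Everything SharePoint accepts from ADFS hinges on the certificate imported above, so it is worth checking the file before trusting it and auditing what is already trusted afterwards. The following is an added example, not part of the original script; the expected thumbprint is a placeholder to be obtained out-of-band from the ADFS administrator, and the 60-day warning window is an arbitrary choice.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$cerPath            = "C:\xss\ADFS-Token-Signing.cer"     # path used in the script above
$expectedThumbprint = "<THUMBPRINT-FROM-ADFS-ADMIN>"      # placeholder, not a real value
$warnDays           = 60                                  # assumed warning window

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# 1. Refuse to trust a file that is not the certificate ADFS actually signs tokens with.
if ($cert.Thumbprint -ne ($expectedThumbprint -replace '\s', '').ToUpper()) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Do not import it."
}
# 2. Refuse a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid today ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. Audit the issuers SharePoint already trusts: expiry and presence in the root store.
$rootThumbs = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
Get-SPTrustedIdentityTokenIssuer | ForEach-Object {
    $c = $_.SigningCertificate
    [pscustomobject]@{
        Issuer      = $_.Name
        Thumbprint  = $c.Thumbprint
        NotAfter    = $c.NotAfter
        DaysLeft    = [int]($c.NotAfter - $now).TotalDays
        InRootStore = $rootThumbs -contains $c.Thumbprint
        ExpiresSoon = $c.NotAfter -lt $now.AddDays($warnDays)
    }
} | Format-Table -AutoSize
```

Run parts 1 and 2 before `New-SPTrustedRootAuthority`; part 3 is useful as a recurring check, because sign-in through ADFS stops working once the token-signing certificate on the ADFS side is replaced and SharePoint still trusts the old one.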

PS2.Activatewsreply

# Pass the -Name that was given to New-SPTrustedIdentityTokenIssuer
$tit = Get-SPTrustedIdentityTokenIssuer fs.contoso.com
$tit.UseWReplyParameter = $true
$tit.Update()

PS6.HideADfromLookup
$cpm = Get-SPClaimProviderManager
$ad = get-spclaimprovider -identity "AD"
$ad.IsVisible = $false
$cpm.Update()

References:
http://blogs.msdn.com/b/scicoria/archive/2011/06/10/sharepoint-2010-fba-and-sliding-sessions.aspx - Explains sliding sessions
http://msdn.microsoft.com/en-us/library/hh446526.aspx - explains adfs token
http://msdn.microsoft.com/en-us/library/office/hh147183%28v=office.14%29.aspx
http://blog.robgarrett.com/2013/05/06/sharepoint-authentication-and-session-management/ – good information on authentication process
http://www.wictorwilen.se/sharepoint-2013-with-saml-claims-and-sharepoint-hosted-apps – wsreply
http://weblogs.asp.net/wesleybakker/adfs-sharepoint-2013-single-sign-on-skip-authentication-provider-selection-page - ADFS Sharepoint 2013 Skip authentication Provider Page – autologin.aspx

Wednesday, February 11, 2015

Workflow Manager installation

Scenario:
Sharepoint 2013 farm needs Sharepoint 2013 workflow support.

 

  1. Install Web Platform Installer on a computer with internet access. Go to c:\program files\microsoft\web platform installer\ with cmd
  2. Run webpicmd.exe (for scenarios when internet access is unavailable)
    1. WebpiCmd.exe /Offline /Products:WorkflowManagerRefresh /Path:c:\xss\workflowmanagerrefresh
    2. WebpiCmd.exe /Install /Products:WorkflowManagerRefresh /XML:c:\xss\workflowmanagerrefresh\feeds\latest\webproductlist.xml
    3. On members of the farm (not hosting Workflow Manager): WebpiCmd.exe /Install /Products:WorkflowClient /XML:c:\xss\workflowmanagerrefresh\feeds\latest\webproductlist.xml
  3. Run Workflow Manager configuration
  4. Register the workflow service from the SharePoint shell (PS)
    1. Register-SPWorkflowService -SPSite http://sharepoint.mycompany.com -WorkflowHostUri http://wf.myscompany.com:12291 -AllowOAuthHttp -Force -ScopeName SharePoint
    2. -AllowOAuthHttp is needed here only because the workflow host URI is plain HTTP; OAuth tokens then travel unencrypted between SharePoint and Workflow Manager.
  5. Verify the installation with SharePoint Designer: Workflow 2013 should be available.

References:
https://technet.microsoft.com/en-us/library/jj658588.aspx
http://blog.lekman.com/2015/02/troubleshoot-workflow-manager-errors-in.html
http://www.harbar.net/articles/wfm2.aspx
https://olafd.wordpress.com/2013/10/04/install-workflow-manager-in-sharepoint-development-environment/

Saturday, December 13, 2014

Check for updates

 

Going through the Installed Updates list in appwiz.cpl to check for a specific update that might or might not mess things up can be tedious.

Introduced in PowerShell version 4, we have a new cmdlet for this purpose that comes in handy.

Show list of all installed hotfixes
/> get-hotfix

Show if a specific update is installed:
/>get-hotfix -id "kb2843630"

 

References:
http://technet.microsoft.com/en-us/library/hh849836.aspx – syntax

Friday, December 12, 2014

Users can't create subsites with publishing template

Overview:
Funny thing happened the other day…
A site was migrated from SharePoint 2010 to 2013. Certain groups can't create subsites using the Publishing template. They really want to…
Owners and members of the constructor group can work fine.
The groups are using a custom permission level.

Symptoms:
- Creating subsite with publishing or publishing with approval workflow results in :
              - EventID 4965 – Web Content Management – Couldt initate … properties
              - Server Error in ‘/’ Application – Runtime error
              - ULS throws errors when trying to create.
- Works for members of owner or constructor group.
- Works when creating a non-localized default format publishing site.
- Works when creating Team Site


Solution:
- Added Apply Themes and Border, Apply Style Sheets permission for the custom permission levels
- Added the relevant groups with read permissions for the /devicechannels list on each Site Collection.


Lessons learned:

- Device channels are a new feature of SP2013; permissions aren't added automatically if you use custom groups and permission levels and allow custom CSS.

References:

http://meandmysharepoint.blogspot.se/2014/03/runtime-error-when-creating-sharepoint.html

Thursday, December 04, 2014

Cachehost is null

We're getting the error "Cachehost is null" when trying to start Distributed Cache or when removing the service with Remove-SPDistributedCacheServiceInstance.

First of all verify these settings
- Windows Firewall has AppFabric Caching Service (TCP-Out) enabled on servers running DistributedCache
- Verify DistributedCache ports open between servers running Distributed Cache : 22233-22236 and Ping/Echo
- Verify following ports for AppFabric to talk sufficiently: 445, 139,135
- Can’t start Distributed Cache from the Central Admin
- Verify server and Active Directory talking ok.
- Verify DNS working

Verify the status of the cache cluster. Are AppFabric and SharePoint Server talking OK?
- Script : compareDCvsAppFabric-------
Add-PSSnapin microsoft.sharepoint.powershell


$instancename = "SPDistributedCacheService name=AppFabricCachingService"
$DC = get-spserviceinstance |where-object {($_.service.tostring()) -eq $instancename }
write-host "Sharepoint says..."
$DC |select typename, status,id,server |format-table

Use-CacheCluster
write-host "AppFabric says...."
Get-CacheHost |format-table

Result: Something is not OK. SharePoint says four servers and AppFabric says two. If the same servers are reported by both DC and AF, then the problem is elsewhere.

Solution:
Remove the serviceinstance from the missing servers and add them again.
Script below removes serviceinstance from the computer the script runs from!
---------script: forceremovedistcache.ps1 --------------
Add-PSSnapin microsoft.sharepoint.powershell

$instanceName ="SPDistributedCacheService Name=AppFabricCachingService"
$serviceInstance = Get-SPServiceInstance | ? {($_.service.tostring()) -eq $instanceName -and ($_.server.name) -eq $env:computername}
$serviceInstance
# Only delete when an instance is actually registered for this server
if ($serviceInstance) {
    write-host "Deleting instance $($serviceInstance.Id)"
    $serviceInstance.Delete()
}

write-host "Adding distributed cache..."
Add-SPDistributedCacheServiceInstance
write-host "Done"

Scenario 2: The other way around. AppFabric says other stuff than sharepoint.
Solution:  Remove the host from the cluster.
----script: remove host from cluster ----
Add-PSSnapin microsoft.sharepoint.powershell
$cachehost =  $env:computername

Use-CacheCluster
Get-CacheHost
Unregister-CacheHost -hostname $cachehost -ProviderType SPDistributedCacheClusterProvider -connectionstring "<INSERTREGVALUE1>"
Add-SPDistributedCacheServiceInstance

Where regvalue1 is found : HKLM\SOFTWARE\Microsoft\AppFabric\V1.0\Configuration\ConnectionString  (remove “;enlist=false” from the string)

And then try to add distributed cache again.

Lessons learned:
- In a locked down environment make sure all relevant Distributed Cache ports are open before adding the service to server.
- AppFabric and Distributed Cache are not the same thing! AppFabric is a Windows service while Distributed Cache is a SharePoint service instance. They don't always agree! Make sure they're talking!


Powershell and Uptimerobot

Uptimerobot can be quite tedious when you need to update many monitors at once. For example say you bought the license for Uptimerobot and n...