Query on Active Directory Account for identity Domain\Useraccount returned empty attribute values.

I have deployed and integrated ADFS with Azure Pack, and I am using the ExtendASP control panel for Hosted Exchange and multitenant Active Directory. All my tenant accounts are created via ExtendASP and reside in the Hosting OU. My goal is to use ExtendASP as the central management tool for my cloud identities, so that tenant administrators can manage the Azure Pack IaaS service and the ExtendASP SaaS services with a single AD account.

When I created the first customer in ExtendASP and tried to log in to the Azure Pack Tenant Portal through ADFS as the Company Administrator, I got the following error:

[Screenshot: ADFS error page]

The following errors were also generated in the ADFS log:

Error1:

Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'Domain\Useraccount' returned empty attribute values.

Error2:

An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.

Additional Data

Caller: Domain\Useraccount


Error3:

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue

Additional Data
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'Domain\Useraccount' returned empty attribute values.


Solution:

Grant Read rights to the ADFS service account on the Hosting OU in AD. Do not forget to apply it to: This object and all descendant objects. The ADFS service account needs to read the tenant user objects that live under that OU; without inherited Read on the OU, the attribute query for the user returns nothing and ADFS raises MSIS8006.
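The same change done from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module is available, that the OU distinguished name and the service account name (both placeholders here) are replaced with your own, and that it is run by an account allowed to modify the OU's ACL.

```powershell
# Added example: grant the ADFS service account Read on the Hosting OU,
# inherited by this object and all descendant objects (ADFS only needs to
# read the tenant user attributes, so Read is enough; no write rights are given).
Import-Module ActiveDirectory

$ouDn        = "OU=Hosting,DC=example,DC=local"   # placeholder: your Hosting OU
$serviceAcct = "EXAMPLE\svc-adfs"                 # placeholder: your ADFS service account

# Resolve the account to a SID so the ACE does not depend on name resolution later
$sid = (New-Object System.Security.Principal.NTAccount($serviceAcct)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Read the current OU ACL from the AD: PSDrive
$acl = Get-Acl -Path "AD:\$ouDn"

# GenericRead + Allow, with inheritance "All" = This object and all descendant objects
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show the ACEs for the service account and confirm InheritanceType is "All"
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAcct } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType

# Equivalent one-liner with dsacls (/I:T = this object and sub-objects, GR = generic read):
#   dsacls "OU=Hosting,DC=example,DC=local" /I:T /G "EXAMPLE\svc-adfs:GR"
```

After applying the ACE, retry the tenant login through ADFS and check that the MSIS8006 event no longer appears in the ADFS Admin log.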
