I have deployed and integrated ADFS with Azure Pack, and I am using the ExtendASP control panel for Hosted Exchange and multi-tenant Active Directory. All my tenant accounts are created via ExtendASP and reside in the Hosting OU. My goal is to use ExtendASP as the central management point for my cloud identities, so that tenant administrators will be able to manage the Azure Pack IaaS service and the ExtendASP SaaS services with a single AD account.
When I created the first customer in ExtendASP and tried to log in to the Azure Pack Tenant Portal through ADFS with the Company Administrator account, I got the following error:
Also, the following errors were generated in the ADFS log:
Error1:
Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'Domain\Useraccount' returned empty attribute values.
Error2:
An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.
Additional Data
Caller: Domain\Useraccount
Error3:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue
Additional Data
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'Domain\Useraccount' returned empty attribute values.
Solution:
Grant Read rights to the ADFS service account on the Hosting OU in AD, and do not forget to apply them to: This object and all descendant objects. The ADFS service account queries the user's attributes in AD when it issues the token; when it is not allowed to read the tenant user objects that ExtendASP created in the Hosting OU, the query comes back with empty attribute values and ADFS fails the WS-Trust request with MSIS8006. Read is all the service account needs here; do not grant it Write or Full Control on the OU.
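The same fix done from PowerShell instead of the Active Directory Users and Computers security tab, as an added example that is not part of the original post. The OU distinguished name and the service account name are assumptions; replace them with your own. The ACE is set to inherit to all descendant objects, which is what the "This object and all descendant objects" option does in the GUI, and the last command prints the resulting entry so you can confirm it landed.

```powershell
# Added example, not from the original post.
# Assumptions: the Hosting OU DN and the ADFS service account name below.
Import-Module ActiveDirectory

$ouDn        = "OU=Hosting,DC=contoso,DC=local"   # assumption: your Hosting OU
$adfsAccount = "CONTOSO\svc-adfs"                  # assumption: your ADFS service account
                                                   # (for a gMSA use e.g. "CONTOSO\svc-adfs$")

# Resolve the account to a SID so the ACE is not tied to a display name
$sid = (New-Object System.Security.Principal.NTAccount($adfsAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Read the current ACL of the OU through the AD: PSDrive
$acl = Get-Acl -Path "AD:\$ouDn"

# Allow GenericRead on this object and all descendant objects (InheritanceType = All)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show the ACEs on the OU that apply to the service account
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $adfsAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType

# Caveat: an inherited ACE only reaches objects that still inherit. List any tenant
# objects under the OU that have inheritance blocked; those need the ACE set directly.
Get-ADObject -SearchBase $ouDn -Filter * |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
    Select-Object DistinguishedName
```

Run this as an account that holds Write DACL on the Hosting OU (a Domain Admin will do). The expected line in the verification output is the service account with ActiveDirectoryRights of GenericRead, InheritanceType of All and AccessControlType of Allow. If the second query lists any objects, they were created with inheritance disabled and the ADFS account still cannot read them until the ACE is added on those objects as well.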