Question

My knowledge of claims is weak so please forgive me if something doesn't make sense.

When I try to log in to the SharePoint site using claims, I get the error:

Unknown SPRequest error occurred. More information. 0x80070005

Which, to my understanding, is an Access Denied error.

Fiddler loses all sight of my connection during the SSL tunnel to the TIP, so I get no clues from Fiddler.

The commands I used to set up the TIP are as follows:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\myCert.pem")
New-SPTrustedRootAuthority -Name "Vordel Gateway Token Signing Root Authority" `
    -Certificate $cert
$map1 = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "urn:myRealm.com"
$signinurl = "https://mySigninURL/sharepointSSO"
$ap = New-SPTrustedIdentityTokenIssuer -Name "Vordel" `
    -Description "Vordel Gateway Issuing SAML Token" -Realm $realm `
    -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl `
    -IdentifierClaim $map1.InputClaimType

After setting up the cert I checked in Central Admin | Security | Manage Trusts and the certificate is there.

I ensured that the Portal Super Reader and Super User accounts had the proper web application user policies applied. Then I ran the following PowerShell:

$wa = Get-SPWebApplication -Identity "http://serverName"
$wa.Properties["portalsuperuseraccount"] = "i:0#.w|MyDomain\mySU"
$wa.Properties["portalsuperreaderaccount"] = "i:0#.w|MyDomain\mySR"
$wa.Update()

When I assign permissions to the site, I can search for users available through the TIP so I know I can hit the provider.

I know that I can see the XML returned by the TIP with all the claim info. The error occurs once the claim is redirected back to SharePoint.


Solution

It turned out that I did not have all the certificates in the chain and the Vordel Gateway was not pointing back to the correct location. The guys at Vordel were very helpful in fixing this issue!
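The accepted fix was a missing certificate chain. The script below is an added example, not the original poster's script or anything from Vordel: it loads the token-signing certificate, walks its chain to the root, registers every issuer that SharePoint does not already trust as a trusted root authority, and only then creates the trusted identity token issuer with the same claim mapping as the question. The certificate path, the "Vordel chain" naming scheme, the realm and the sign-in URL are assumptions; the final loop prints which chain members are present in Central Admin's Manage Trusts list so a missing intermediate is visible before the redirect back to SharePoint fails with 0x80070005.

```powershell
# Added example (not the original poster's or Vordel's code). Register the
# token-signing certificate AND every issuer above it as SharePoint trusted
# root authorities before creating the trusted identity token issuer.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$signingCertPath = "C:\certs\tokensigning.cer"   # assumed path; public cert only
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)

# Build the chain from the signing certificate up to its root. Chain building
# uses the local machine stores, so a missing intermediate or root shows up as
# a chain status error here rather than as an opaque SPRequest failure later.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("Chain problem: {0} - {1}" -f $_.Status, $_.StatusInformation)
    }
}

# Register each certificate in the chain that SharePoint does not already trust
# (compared by thumbprint so re-running the script is harmless).
$existing = Get-SPTrustedRootAuthority
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    if ($existing | Where-Object { $_.Certificate.Thumbprint -eq $c.Thumbprint }) {
        Write-Host "Already trusted: $($c.Subject)"
        continue
    }
    $name = "Vordel chain - " + $c.Thumbprint   # assumed naming scheme
    New-SPTrustedRootAuthority -Name $name -Certificate $c | Out-Null
    Write-Host "Registered: $($c.Subject)"
}

# Same claim mapping and issuer as in the question, created only once the
# full chain is trusted; skipped if an issuer with this name already exists.
$map1 = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "urn:myRealm.com"                         # assumed realm
$signinurl = "https://mySigninURL/sharepointSSO"   # assumed sign-in URL
if (-not (Get-SPTrustedIdentityTokenIssuer -Identity "Vordel" -ErrorAction SilentlyContinue)) {
    New-SPTrustedIdentityTokenIssuer -Name "Vordel" `
        -Description "Vordel Gateway Issuing SAML Token" -Realm $realm `
        -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl `
        -IdentifierClaim $map1.InputClaimType | Out-Null
}

# Check: every certificate in the chain should now appear under Manage Trusts.
$trusted = (Get-SPTrustedRootAuthority).Certificate.Thumbprint
$chain.ChainElements | ForEach-Object {
    $ok = $trusted -contains $_.Certificate.Thumbprint
    "{0}  {1}" -f $(if ($ok) { "OK     " } else { "MISSING" }), $_.Certificate.Subject
}
```

Run it in the SharePoint Management Shell on a farm server as a farm administrator. The chain check uses the machine's certificate stores, so if the intermediate CA is absent from both the store and SharePoint, the warning from X509Chain.Build names it; importing that intermediate alongside the signing certificate is the same fix the poster describes.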

Licensed under: CC-BY-SA with attribution