while (alive) { writeCode(); } - All Comments

re: How often will FillClaimsForEntity in my Custom Claims Provider be called?

Chun Liu — Mon, 12 Dec 2011 13:28:09 GMT

Hi Bryan, a very nice post!

re: Trusted Identity Providers & User Profile Synchronization

Trevor Seward — Mon, 14 Nov 2011 20:54:33 GMT

Is it possible to implement your own synchronization source (I'm thinking AD LDS here) and bind the SPS-ClaimID behind the scenes?

re: Trusted Identity Providers & User Profile Synchronization

Bryan L. Porter — Mon, 31 Oct 2011 16:24:10 GMT

@Glenn,

Nope. FIM requires a domain trust to synch from an AD - and not only is a trust required, it must be a two-way trust, IIRC.

Bryan

re: Trusted Identity Providers & User Profile Synchronization

Glenn — Mon, 31 Oct 2011 16:14:32 GMT

Nice article, This helped alot, I do have a issue with the setup in our enviorment. Well not so much with this setup but a general question on the sync with a externla domain...

I have set this all up, we have a external domain we want to sync profiles with but have notrust.

The sharepoint farm is in one Domain (Domain ABC) and the user profile sync works just fine.

There is a second Doamin, that we want to import users from (Domanin XYZ).

We have NO trust between the Domains. But, we are using ADFS and a trustedclaimsprovider which allows users form the XYZ Domain log on to sharepoint.

I can run the sync with the XYZ when I setup the connection, but the next day when it runs as per the schedualed sync, the connection to the XYZ Domain fails.

I have found that if I edit the connection by putting the password back in and reselecting the OU's the connection will work for that day ( I need to do a full as it says the connetion has changed since the last incremental ) and then again it fails the next day with the same error.

The servers Aplication event error logs show FIMSynchronizationService erro event ID 6000 "The management agent "XYZ EXTERNAL" failed to run because the credentials were invalid"

The MMIISCLIENT.EXE shows that the Sync witht e XYZ domain cannot be doen due a to: failed-authentication

So it appears that the FIM service account cannot connect to the XYZ external domain, which I am assuming is due to the lack of the trust.

How do I get around the FIM account requireing a TRUST?

Is this Possible?

re: Stupid SharePoint PowerShell Tricks, Part I

Smeikkie — Fri, 07 Oct 2011 12:39:32 GMT

This does not work. a SPAuthenticationProvider does not have the property AllowAnonymous.

[brporter: This works fine, the script assumes that your web application is already configured for Windows Authentication; in such a configuration, Get-SPAuthenticationProvider returns an instance of SPWindowsAuthenticationProvider (an SPAuthenticationProvider subclass) which does in fact posess an AllowAnonymous property.]

re: Excluding Disabled User Accounts from Profile Synchronization in SharePoint 2010

Loveleen — Fri, 23 Sep 2011 08:24:19 GMT

This is not working for me inactive people are still coming from AD. Can anyone help please.

re: Trusted Identity Providers & User Profile Synchronization

Bryan L. Porter — Wed, 25 May 2011 21:24:37 GMT

Mario - There is no way, using OOB synchronization, unless you have access to query the federated partners directory service (and assuming that directory service is one of the standard directory servers we support synchronization with). If you could address their AD instance, for example, you'd be good to go with the above.

Otherwise, your challenge becomes synchronization of that external directory information. You could have the partner send you an LDIF file on a regular basis, or hand-craft some other custom process.

re: Trusted Identity Providers & User Profile Synchronization

Mario — Wed, 25 May 2011 21:18:38 GMT

This is great info, but doesn't appear to address the more common scenario where I am using ADFS for EXTERNAL AD providers. So if my local AD is contoso.com but I am federated with wingtiptoys.com, is there a way to import user claims info for the users from wingtiptoys?

re: Why Is Central Administration Broken?

Spence — Sun, 01 May 2011 19:34:57 GMT

www.harbar.net/articles/spca.aspx

re: Trusted Identity Providers & User Profile Synchronization

Kim — Wed, 20 Apr 2011 17:17:36 GMT

Thanks for sharing this entry; it is not always that easy to discover hidden details within SP2010. In case we had to write a custom connector due to some reason, how could we assign values to the Claim User Identifier, Claim Provider Identifier fields in a profile? These fields are not editable. Is there a work-around for this?