When you throw claims authentication into the mix of AD users and SharePoint user profiles, there are some things you should be aware of:

  • Use your Identity Provider to make the user profile sync connection to the domain
  • There's no built-in mapping between the user profile identifier and the claims (or forms) user's identity provider; missing this will give you more than one user profile per user!

Setting up the sync connection with Identity Provider

A sync connection for claims users and an Identity Provider can be set up in Central Admin or through this PowerShell cmdlet:

Add-SPProfileSyncConnection 

But beware, it is only intended for SharePoint Online environments, now you are warned!

I found it working fine “on premise”, but there are no warranties!

Specific for the Claims scenario I will just point out the following parameters.
All the parameters are explained on this TechNet article:
http://technet.microsoft.com/en-us/library/jj219677.aspx

Parameter: ConnectionClaimProviderIdValue
Required: Optional
Type: System.String
Description: Specifies the Claims Provider ID or Name for an authentication type while a Web App is configured.

Parameter: ConnectionClaimProviderTypeValue
Required: Optional
Type: System.String
Description: Specifies the Authentication claim Provider that will be used to encode the User Profile account names. For example, Windows/Forms etc. This means if a user logs in using the given Authentication Type, then a profile can be found by looking up claim-encoded credentials.

The PowerShell could look something like this:

# Provision a sync connection with a Claim Provider.
# The UPA is resolved by type name; the original post used a (malformed) GUID here,
# and -ProfileServiceApplication accepts the service application object directly.
$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
  -ConnectionClaimProviderIdValue "ClaimProviderName" `
  -ConnectionClaimProviderTypeValue "Trusted" `
  -ConnectionForestName "fabrikam.com" -ConnectionDomain "Fabrikam" `
  -ConnectionUserName "Testupa" `
  -ConnectionPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force) `
  -ConnectionSynchronizationOU "OU=SharePoint Users,DC=fabrikam,DC=com"


Limitations:

  • Only in SharePoint 2010 Service Pack 1!
  • The account running the PowerShell window must be added as an administrator for the UPA.
  • Remove-SPProfileSyncConnection does not delete sync connections!
  • … see below

Others explaining the use of this cmdlet


Mapping between AD user and Claim user

When setting up a SharePoint 2010 application with claims authentication, there's no built-in mapping between the AD user profiles and the claims (or forms) user (see my former post User profile property mappings in SharePoint and Active Directory and the TechNet article http://technet.microsoft.com/en-us/library/gg750254.aspx#section2).

In claims-based Web applications, SharePoint Server uses the Claim User Identifier property (SPS-ClaimID) to match an authenticated user to the correct user profile. If the SPS-ClaimID is not mapped to the directory service attribute that you want to use as the user identifier, when a user is authenticated, he or she is not matched to the correct user profile and will not see the imported user profile data.

In the worst case this will give you more than one user profile per user.

The mapping between the claims user and the AD user is done by setting the SPS-ClaimID (Claim User Identifier) to sAMAccountName (UserName) through the User Profile Service Application.

Claim User Identifier

This property mapping must be manually inserted if using Forms or Trusted Identity providers.

claim user props mapping

Or you can use PowerShell to set this mapping. The AddNewMapping method on the sync connection's PropertyMapping collection does just that ($synchConnection is the Connection object of your sync connection):

$spsPropertyName = "SPS-ClaimID"; $userPropertyName = "sAMAccountName"   # Claim User Identifier -> AD UserName
$synchConnection.PropertyMapping.AddNewMapping([Microsoft.Office.Server.UserProfiles.ProfileType]::User, $spsPropertyName, $userPropertyName)

Remember to do a full sync after setting this property mapping!
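As an added example (not code from the original post), the script below puts the pieces of this section together: it resolves the User Profile Service Application, locates the sync connection, adds the SPS-ClaimID to sAMAccountName mapping, kicks off the full sync the post asks for, and then checks the symptom described above, accounts that own more than one user profile. It assumes a SharePoint 2010 farm server with the SharePoint PowerShell snap-in, a sync connection whose display name is "fabrikam.com" (placeholder), and that StartSynchronization's boolean parameter means "incremental", so $false requests a full sync. Get-ProfileKey is a hypothetical helper that reduces claims-encoded account names to the user-name part so that profiles created under different encodings group together.

```powershell
# Added example, not from the original post. Assumes a SharePoint 2010 farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$connectionName   = "fabrikam.com"    # assumption: display name of the sync connection
$spsPropertyName  = "SPS-ClaimID"     # Claim User Identifier
$userPropertyName = "sAMAccountName"  # AD attribute the claim identity maps to

# Resolve the User Profile Service Application and a service context for it.
$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
$context = [Microsoft.SharePoint.SPServiceContext]::GetContext(
    $upa.ServiceApplicationProxyGroup,
    [Microsoft.SharePoint.SPSiteSubscriptionIdentifier]::Default)
$configManager = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)

# Locate the sync connection by display name.
$synchConnection = $configManager.ConnectionManager | Where-Object { $_.DisplayName -eq $connectionName }
if (-not $synchConnection) { throw "Sync connection '$connectionName' not found" }

# Add the Claim User Identifier mapping (the same call the post shows).
$synchConnection.PropertyMapping.AddNewMapping(
    [Microsoft.Office.Server.UserProfiles.ProfileType]::User,
    $spsPropertyName, $userPropertyName)

# The mapping only takes effect after a full sync.
# Assumption: StartSynchronization(bool incremental), so $false = full sync.
$configManager.StartSynchronization($false)

function Get-ProfileKey([string]$accountName) {
    # Hypothetical helper: reduce "i:0#.w|FABRIKAM\testupa", "i:05.t|ClaimProviderName|testupa"
    # or plain "FABRIKAM\testupa" to "testupa" so duplicates across encodings line up.
    $tail = $accountName.Split('|')[-1]
    return $tail.Split('\')[-1].ToLowerInvariant()
}

function Find-DuplicateProfiles($serviceContext) {
    # Group every profile's AccountName by its reduced key; more than one entry per key
    # is the "more than one user profile per user" symptom described in the post.
    $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($serviceContext)
    $groups = @{}
    foreach ($up in $upm) {
        $account = $up["AccountName"].Value
        $key = Get-ProfileKey $account
        if (-not $groups.ContainsKey($key)) { $groups[$key] = @() }
        $groups[$key] += $account
    }
    return $groups.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
}

# Run the check after the full sync has finished (check Central Admin's sync status first).
Find-DuplicateProfiles $context | ForEach-Object {
    Write-Host ("{0}: {1}" -f $_.Key, ($_.Value -join ", "))
}
```

Run the duplicate check only once the full synchronization has completed; before that, profiles created under the old encoding and the new one will both still be present and the list will be noisy.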

Resources

This CodePlex project contains a PowerShell script to help you automate the creation of SharePoint 2010 User Profile Synchronization connections, User Profile Properties and User Profile Property mappings.

Create/Manage SPS2010 User Profile Properties or Sync Connection from Powershell

Other useful links:

Tags: , | Categories: SharePoint Configuration

The User Profile Synchronization with AD comes with a built-in property mapping. The following page from the TechNet Library describes the profile properties and links each to its corresponding directory service attribute:

Default user profile property mappings (SharePoint Server 2010)

User profile property      AD DS attribute
SPS-DistinguishedName      dn
SID                        objectSid
Manager                    manager
PreferredName              displayName
FirstName                  givenName
LastName                   sn
SPS-PhoneticDisplayName    msDS-PhoneticDisplayName
SPS-PhoneticFirstName      msDS-PhoneticFirstName
SPS-PhoneticLastName       msDS-PhoneticLastName
WorkPhone                  telephoneNumber
WorkEmail                  mail
Office                     physicalDeliveryOfficeName
SPS-JobTitle               title
Department                 department
UserName                   sAMAccountName
PublicSiteRedirect         wWWHomePage
SPS-ProxyAddresses         proxyAddresses
SPS-SourceObjectDN         msDS-SourceObjectDN
SPS-ClaimID                <specific to connection>
SPS-ClaimProviderID        <specific to connection>
SPS-ClaimProviderType      <specific to connection>


All user profile properties

The following link lists all the user profile properties with internal name, display name and data type that SharePoint Server 2010 provides by default:

Default user profile properties (SharePoint Server 2010)

SP2010 default user profile properties

Full table at: http://technet.microsoft.com/en-us/library/hh147513.aspx

Verify user data

The Active Directory Users and Computers snap-in

The Active Directory Users and Computers snap-in is often the interface to the user attributes.

Go here to see how the UI labels map to AD attributes in the property pages displayed by the Active Directory Users and Computers snap-in:

User Object User Interface Mapping

AD User General Property Page

more at: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677980%28v=vs.85%29.aspx

LDAP Browser

When it comes to navigating the LDAP directory data there are several tools to choose from. My favorite is the LDAP directory browser from Softerra: http://www.ldapbrowser.com/download.htm

It comes free of charge if you only need read-only operations.

LDAP browser

Tags: , | Categories: SharePoint Configuration

Problems with disabled accounts from former employees in your SharePoint User Profile Store?

This will help you set up Exclusion Filters in the User Profile Synchronization:


1) Browse to Central Administration Site > Manage Service Applications > User Profile Service Application.

2) On the Manage Profile Service: User Profile Service Application page, click Configure Synchronization Connections. This will take you to the page listing all the synchronization connections.

3) Then follow this excellent post from Spencer Harbar at harbar.net (http://www.harbar.net/archive/2011/02/22/323.aspx).

He explains how to set up filters with the userAccountControl attribute of the AD user object.
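To make the filter concrete, here is an added example (not from the original post or from Spencer Harbar's) that evaluates the same test the exclusion filter applies: whether the ACCOUNTDISABLE bit (0x2) is set in userAccountControl. The user objects are constructed inline rather than read from a directory, and Test-AccountDisabled and Split-ByExclusionFilter are hypothetical helper names; the LDAP filter in the comment uses the standard bitwise-AND matching rule OID and can be used to cross-check against AD what the sync filter will exclude.

```powershell
# Added example, not from the original post. Sample data below is constructed.
$ACCOUNTDISABLE       = 0x0002    # userAccountControl flag the exclusion filter keys on
$NORMAL_ACCOUNT       = 0x0200    # 512: an ordinary user account
$DONT_EXPIRE_PASSWORD = 0x10000   # 65536: often combined with the flags above

function Test-AccountDisabled([int]$userAccountControl) {
    # Same test as the sync filter "userAccountControl Bit on equals 2":
    # true when the ACCOUNTDISABLE bit is set, whatever other flags are present.
    return (($userAccountControl -band $ACCOUNTDISABLE) -ne 0)
}

# Constructed sample of what reading sAMAccountName/userAccountControl would return.
$sampleUsers = @(
    @{ sAMAccountName = "alice"; userAccountControl = $NORMAL_ACCOUNT }
    @{ sAMAccountName = "bob";   userAccountControl = ($NORMAL_ACCOUNT -bor $ACCOUNTDISABLE) }
    @{ sAMAccountName = "carol"; userAccountControl = ($NORMAL_ACCOUNT -bor $DONT_EXPIRE_PASSWORD) }
    @{ sAMAccountName = "dave";  userAccountControl = ($NORMAL_ACCOUNT -bor $DONT_EXPIRE_PASSWORD -bor $ACCOUNTDISABLE) }
)

function Split-ByExclusionFilter($users) {
    # Partition accounts into those the sync would import and those the filter drops.
    $kept = @(); $excluded = @()
    foreach ($u in $users) {
        if (Test-AccountDisabled $u.userAccountControl) { $excluded += $u.sAMAccountName }
        else { $kept += $u.sAMAccountName }
    }
    return @{ Kept = $kept; Excluded = $excluded }
}

$result = Split-ByExclusionFilter $sampleUsers
"Synced:   " + ($result.Kept -join ", ")
"Excluded: " + ($result.Excluded -join ", ")

# To cross-check against the directory itself, the equivalent LDAP filter for
# "disabled accounts" uses the bitwise-AND matching rule:
#   (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
```

Testing the bit rather than comparing the whole value matters: a disabled account with "password never expires" set carries 66050, not 514, and an equality filter on 514 would let it through into the profile store.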


Tags: , , | Categories: Tips and tricks | SharePoint Configuration | SharePoint related

I recently found this excellent post explaining the SharePoint user profile picture sizes and naming convention.


Naming convention for the thumbnail files:

Thumbnail  Image File Name             Size
Large      domain_username_LThumb.jpg  144x144
Medium     domain_username_MThumb.jpg  96x96
Small      domain_username_SThumb.jpg  32x32

The full URL of the medium thumbnail (like “http:///User Photos/Profile Pictures/__MThumb.jpg”) is stored in the user profile database.

You can use this information like this:

// PictureUrl holds the medium thumbnail; swap the suffix to address the large one.
var picUrl = profile[PropertyConstants.PictureUrl].Value as string;
if (!string.IsNullOrEmpty(picUrl))
    this.imgUser.ImageUrl = picUrl.Replace("_MThumb", "_LThumb");


Read the full post: Photo Management in SharePoint 2010


Tags: , | Categories: SharePoint Development | Tips and tricks