Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by (Microsoft)
  • When: 14 Feb 2011 11:35 AM
  • Last revision by
  • When: 24 Aug 2011 11:17 AM
  • Revisions: 4
  • Comments: 2
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  AD FS 2.0: How to Restore the Default Acceptance Transform Rules for the Active Directory Claims Provider Trust

AD FS 2.0: How to Restore the Default Acceptance Transform Rules for the Active Directory Claims Provider Trust

AD FS 2.0: How to Restore the Default Acceptance Transform Rules for the Active Directory Claims Provider Trust

If you are experiencing a Federation Service outage after modifying the claim rules on the Active Directory Claims Provider (CP) Trust, follow the steps below to restore the default Acceptance Transform Rules.



Perform the following steps on a Federation Server that has write access to the configuration database:

            1. Copy the following text to file and save as C:\adcprules-default.txt

@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Windows account name claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Name claims" c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Primary SID claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Group SID claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Primary group SID claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Deny only group SID claims" c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Deny only primary SID claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Deny only primary group SID claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Authentication method claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);



@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through all Authentication time stamp claims" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c);

 

            2. Launch PowerShell



            3. Execute the following commands:

                    Add-PSSnapin Microsoft.Adfs.Powershell



                    Set-AdfsClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRulesFile "C:\adcprules-default.txt"



            4. Verify your changes:

                    a. Launch the AD FS 2.0 Management console

                    b. Expand Trust Relationships and select Claims Provider Trusts

                    c. Right-click Active Directory and select Edit Claim Rules...


More Information
*************************

When the default rules have been removed the there will be events 364, 501 and 502 events in the AD FS 2.0 Admin log. You may notice that some of your claims are identfied and have values and some others do not.

In the case where required elements of the claim are not available because the default rules are not in place you may get an exception in the AD FS 2.0 Tracing Debug log.

MSIS7012: An error occurred while processing the request.
MSIS3126: Access denied

, , , , , , , , , , [Edit tags]
Leave a Comment
  • Please add 4 and 5 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 16 Feb 2011 3:03 PM

    Ed Price MSFT edited Revision 1. Comment: Updated title case.

Page 1 of 1 (1 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
Page 1 of 1 (2 items)