Yvand/EntraCP

Issue with Azure AD/CP authentication

Closed this issue · 9 comments

We have a number of SP2019 farms that all use multiple authentication methods, Windows AD/Azure AD. Each farm has Azure CP installed.

We currently have an issue with our Nintex workflow estate, whereby any WF with a State Machine/Pause action is causing a delay on the SP timer service. We have carried out a deep investigation with MS, and they have discovered that there is a timely query being done to Azure AD when trying to resolve an email address.

They have recommended that we temporarily disable Azure CP to see if this resolves the issue. Is this even an option when using Azure AD, and what is the likely impact on the overall farm?

Many thanks

Scott

Yvand commented

@jonah406 do the SharePoint logs show any AzureCP error/exception?
You can filter the SharePoint logs on product/area AzureCP to validate this.

To answer your question: a SharePoint farm can work without AzureCP, but you will lose some features like the search in the people picker.
If you want to disable AzureCP in a way that can be easily reversed, you can use the script below to de-associate it from your SPTrustedIdentityTokenIssuer:

# Set private member m_ClaimProviderName to null. Note that using .NET reflection on SharePoint objects is not supported and you do this at your own risk
$trust = Get-SPTrustedIdentityTokenIssuer "SPTRUST NAME"
# Reflection is needed because the public ClaimProviderName setter does not accept null
$trust.GetType().GetField("m_ClaimProviderName", "NonPublic, Instance").SetValue($trust, $null)
# Persist the change to the configuration database (farm-wide)
$trust.Update()

Hi,

Yes, logs should be a good start.
Also, please describe your configuration a little: do your servers access the internet through a proxy? If yes, could you please confirm that you added the proxy configuration properly as described on the AzureCP site?
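The log check suggested above, as an added example rather than anything posted in this thread: it pulls recent ULS entries for the area the comment calls "AzureCP" (the exact area string is assumed from that comment), summarises them by level and category, and returns the error-level entries so they can be matched against the timer-service delay. The function names and the one-hour window are my own choices.

```powershell
# Added example, not from the issue thread or the AzureCP project.
# Requires the SharePoint Management Shell snap-in on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AzureCPLogEvents {
    [CmdletBinding()]
    param(
        # Area name as used in the ULS logs; "AzureCP" is assumed from the maintainer's comment
        [string]$Area = "AzureCP",
        [int]$LookbackMinutes = 60
    )
    $since = (Get-Date).AddMinutes(-$LookbackMinutes)
    # Get-SPLogEvent reads the ULS log of the local server only; run on each server if needed
    Get-SPLogEvent -StartTime $since | Where-Object { $_.Area -eq $Area }
}

function Get-AzureCPLogSummary {
    [CmdletBinding()]
    param([int]$LookbackMinutes = 60)

    $events = @(Get-AzureCPLogEvents -LookbackMinutes $LookbackMinutes)

    # Count entries per level/category so a flood of one message type stands out
    $summary = $events |
        Group-Object Level, Category |
        Sort-Object Count -Descending |
        Select-Object Count, Name

    # Levels that indicate a failure rather than normal tracing
    $errorLevels = @("Unexpected", "Critical", "High", "Exception")
    $errors = $events | Where-Object { $errorLevels -contains $_.Level }

    [pscustomobject]@{
        Window     = "last $LookbackMinutes minutes"
        Total      = $events.Count
        ByLevel    = $summary
        ErrorCount = @($errors).Count
        # Correlation IDs let you line an AzureCP error up with the timer job that triggered it
        Errors     = $errors | Select-Object Timestamp, Level, Category, Correlation, Message
    }
}

# Usage on a SharePoint server:
# $r = Get-AzureCPLogSummary -LookbackMinutes 120
# $r.ByLevel | Format-Table -AutoSize
# $r.Errors  | Format-List
```

If the summary shows no AzureCP entries at all during a window where the timer delay occurred, the slow Azure AD lookup is unlikely to be coming through the claims provider, which is worth knowing before de-associating it.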

Yvand commented

@jonah406 the exact opposite of the script I sent you is this one:

$trust = Get-SPTrustedIdentityTokenIssuer "SPTRUST NAME"
# Re-associate AzureCP with the trust through the public property (no reflection needed here)
$trust.ClaimProviderName = "AzureCP"
$trust.Update()

But I encourage you to read https://azurecp.yvand.net/docs/usage/install/ to get all the information about the installation.
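The de-associate and re-associate steps from the two scripts above, wrapped as an added example (not the maintainer's code or part of AzureCP) that records the current claim provider name to a file before touching it and re-reads the trust after each update to confirm the change actually persisted. The function names and the backup file path are my own; the private field name m_ClaimProviderName and the reflection approach come from the scripts in this thread, with the same caveat that reflection on SharePoint objects is unsupported.

```powershell
# Added example, not from the issue thread or the AzureCP project.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-TrustClaimProviderName {
    param([Parameter(Mandatory)][string]$TrustName)
    # Always re-fetch from the configuration database rather than trusting a cached object
    (Get-SPTrustedIdentityTokenIssuer $TrustName).ClaimProviderName
}

function Disable-TrustClaimProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TrustName,
        # Backup path is an assumption for this example
        [string]$BackupPath = "$env:TEMP\claimprovider-backup.xml"
    )
    $trust = Get-SPTrustedIdentityTokenIssuer $TrustName
    if (-not $trust) { throw "Trust '$TrustName' not found" }

    # Record what we are about to remove so the change is reversible
    [pscustomobject]@{
        TrustName         = $TrustName
        ClaimProviderName = $trust.ClaimProviderName
        SavedAt           = Get-Date
    } | Export-Clixml -Path $BackupPath

    if ($PSCmdlet.ShouldProcess($TrustName, "Clear claim provider '$($trust.ClaimProviderName)'")) {
        # Unsupported: reflection on a SharePoint object, used because the public setter rejects null
        $flags = [System.Reflection.BindingFlags] "NonPublic, Instance"
        $field = $trust.GetType().GetField("m_ClaimProviderName", $flags)
        if (-not $field) { throw "Field m_ClaimProviderName not found; SharePoint build may differ" }
        $field.SetValue($trust, $null)
        $trust.Update()   # farm-wide, persisted to the config DB

        # Verify from a fresh read instead of assuming Update() took effect
        $after = Get-TrustClaimProviderName -TrustName $TrustName
        if (-not [string]::IsNullOrEmpty($after)) {
            throw "Claim provider still set to '$after' after Update()"
        }
        Write-Verbose "Claim provider cleared; backup written to $BackupPath"
    }
}

function Restore-TrustClaimProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TrustName,
        [string]$BackupPath = "$env:TEMP\claimprovider-backup.xml"
    )
    $saved = Import-Clixml -Path $BackupPath
    if ($saved.TrustName -ne $TrustName) {
        throw "Backup is for trust '$($saved.TrustName)', not '$TrustName'"
    }
    if ($PSCmdlet.ShouldProcess($TrustName, "Restore claim provider '$($saved.ClaimProviderName)'")) {
        $trust = Get-SPTrustedIdentityTokenIssuer $TrustName
        # Public setter is fine here: the value is a real, registered claim provider name
        $trust.ClaimProviderName = $saved.ClaimProviderName
        $trust.Update()

        $after = Get-TrustClaimProviderName -TrustName $TrustName
        if ($after -ne $saved.ClaimProviderName) {
            throw "Expected '$($saved.ClaimProviderName)' but trust reports '$after'"
        }
        Write-Verbose "Claim provider restored to '$after'"
    }
}

# Usage, run once on any server in the farm:
# Disable-TrustClaimProvider -TrustName "SPTRUST NAME" -Verbose -WhatIf   # dry run first
# Disable-TrustClaimProvider -TrustName "SPTRUST NAME" -Verbose
# ... test whether the timer-service delay goes away ...
# Restore-TrustClaimProvider -TrustName "SPTRUST NAME" -Verbose
```

Because the change lives in the configuration database, one run of each function covers the whole farm; the -WhatIf pass shows exactly which trust and provider name would be touched without modifying anything.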

Yvand commented

@jonah406 I fully understand your concerns.
The 2 scripts I provided in this discussion (to deactivate / reactivate AzureCP) are pretty safe, in the sense that one does exactly the opposite of the other, and they do not trigger the deployment of any file (which is the pain point in SharePoint).

Yvand commented

The commands I provided in my previous messages are farm-wide and will apply to the whole farm, so they need to be run only 1 time, on any SharePoint server.

stale commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.