Hello
Given that for the role claim I have added "Prefix to add to value returned": "fqdn\", I can search and find groups in both domains; they get listed and I can choose from:
* domain1.local\Duplicate Group
* domain2.local\Duplicate Group
However, when choosing a group and trying to create a permission, LDAPCP doesn't handle it well. From ULS:
```
06.02.2016 13:38:49.44 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Connect to AD this server is member of, with application pool credentials e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.44 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Connect as domain2.local\SPProfileSync to LDAP://domain2.local:636/DC=domain2,DC=local. e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.45 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://domain1.local/DC=domain1,DC=local e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x48B4 LDAPCP LDAP Lookup 1337 Verbose [LDAPCP] Got 1 result(s) from LDAP://domain2.local:636/DC=domain2,DC=local b52d829d-3a4b-a00b-c963-d4789374d0bf
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Querying of LDAP servers finished in 79ms (current timeout is 0ms) e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] Got 2 result(s) from all LDAP server(s) with query "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(| (&(objectclass=group)(sAMAccountName=duplicate group)) ))" e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP LDAP Lookup 1337 Medium [LDAPCP] 2 permission(s) to create after filtering e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) domain1.local\Duplicate Group", value: "domain1.local\Duplicate Group", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 0 metadata. e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP Claims Picking 1337 Verbose [LDAPCP] Created permission: display text: "(Role) domain2.local\Duplicate Group", value: "domain2.local\Duplicate Group", claim type: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", and filled with 0 metadata. e82d829d-4ac4-a00b-c963-d16364812a77
06.02.2016 13:38:49.52 w3wp.exe (0x7F4C) 0x2F10 LDAPCP Claims Picking 1337 Unexpected [LDAPCP] Validation with LDAP lookup created 2 permissions instead of 1 expected. Aborting operation e82d829d-4ac4-a00b-c963-d16364812a77
```
The result is that the group is not added to permissions.
If I choose a group name that doesn't exist in another domain, everything is OK.

Comments: Ohh, just noticed there is exactly the logic that follows there. But then maybe it has something to do with the following: when I tried to use {domain} for "Prefix to add to value returned", it didn't use the netbiosname (short name) of the domain. For example: for int.domain1.local, {domain} prefixes __int__ even if the domain short name is, and it should have prefixed, __domain1__.

I've traced it down to _SearchObjectsInLDAP_ where domainName is assigned:
```
if (directory.Properties.Contains("name"))
    domainName = directory.Properties["name"].Value.ToString();
```
This stuff returns only the first part of the domain, "_int_", which is not the netbiosname of the domain. So I checked what Get-ADDomain returns:
```
PS > Get-ADDomain | select DNSRoot, DomainMode, Forest, Name, NetBIOSName

DNSRoot     : int.domain1.local
DomainMode  : Windows2012R2Domain
Forest      : int.domain1.local
Name        : int
NetBIOSName : domain1
...
```
I don't know why it is so. The domain is a fresh domain (actually a forest). It hasn't been renamed, and the short name used for setup was _domain1_. I'm not sure if this is the problem. I'm not even sure what "Name" stands for for a domain. I'll continue to investigate and try to come up with hopefully a better understanding of the problem.
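An added example, not LDAPCP code and not from the issue author, showing how a claims provider can read the real NetBIOS name of a domain from its crossRef object in the forest's configuration partition (the value Get-ADDomain reports as NetBIOSName) instead of the domain root's "name" attribute; the class and method names, the serverPrefix argument and the optional credentials are assumptions.

```csharp
using System;
using System.DirectoryServices;

public static class DomainNames
{
    // Returns the NetBIOS name registered for the domain whose naming context is
    // domainDn (e.g. "DC=int,DC=domain1,DC=local"), or null if no crossRef matches.
    // serverPrefix is the server part of an ADsPath, e.g. "LDAP://domain2.local:636/",
    // or just "LDAP://" to let the DC locator pick a server. Credentials are optional.
    public static string GetNetbiosName(string serverPrefix, string domainDn,
                                        string username = null, string password = null,
                                        AuthenticationTypes authType = AuthenticationTypes.Secure)
    {
        // RootDSE tells us where the forest's configuration partition lives.
        string configDn;
        using (var rootDse = new DirectoryEntry(serverPrefix + "RootDSE", username, password, authType))
        {
            configDn = rootDse.Properties["configurationNamingContext"].Value.ToString();
        }

        // Every domain in the forest has a crossRef object under CN=Partitions in the
        // configuration partition. Its nETBIOSName attribute is the authoritative short
        // name, whereas the domain root's "name" attribute is only the first RDN ("int").
        using (var partitions = new DirectoryEntry(serverPrefix + "CN=Partitions," + configDn,
                                                   username, password, authType))
        using (var searcher = new DirectorySearcher(partitions))
        {
            searcher.SearchScope = SearchScope.OneLevel;
            searcher.Filter = "(&(objectClass=crossRef)(nCName=" + EscapeFilterValue(domainDn) + "))";
            searcher.PropertiesToLoad.Add("nETBIOSName");
            searcher.PropertiesToLoad.Add("dnsRoot");

            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["nETBIOSName"].Count == 0)
                return null;
            return result.Properties["nETBIOSName"][0].ToString();
        }
    }

    // RFC 4515 escaping so a DN containing '(', ')', '*' or '\' cannot alter the filter.
    private static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

Against the forest shown in the Get-ADDomain output above, the call `GetNetbiosName("LDAP://", "DC=int,DC=domain1,DC=local")` would return "domain1" rather than "int", which is the value a {domain} prefix would need to disambiguate the two "Duplicate Group" results.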