Thursday, May 16, 2013

Incoming claim types do not include Claim Type... error message in SharePoint 2010

I was working with my SharePoint development environment and I had to add new Claim Mappings to my SharePoint Server based on some new Claims that I was sending from ADFS.

One of my options was to completely remove the SP-TrustedIdentityTokenIssuer and then completely re-create it with the new Claim Mappings, but that was a bit of a hassle, so I searched for other ways to simply add new Claim Mappings.

I found a partial answer here:

However, as soon as I followed the instructions that were provided in the article, I received the following error message: Add-SPClaimTypeMapping: Incoming claim types do not include claim type '

Interestingly enough, this was the same error message the article was attempting to solve!

Fortunately, I came across this other article which offered a complete solution:

The key point to note is that you have to add the Claim Type to the TrustedIdentityTokenIssuer 1st, ONLY THEN you can add the Claim Type Mapping!!

 $SPTrustedIdp = Get-SPTrustedIdentityTokenIssuer "sts"  

 $GroupClaimType = ""  
 $groupClaim = New-SPClaimTypeMapping -IncomingClaimType $GroupClaimType -IncomingClaimTypeDisplayName "Group" -LocalClaimType $GroupClaimType  
 Add-SPClaimTypeMapping -Identity $groupClaim -TrustedIdentityTokenIssuer $SPTrustedIdp  

Tuesday, May 14, 2013

Using the ADFS FedAuth Token programmatically through the SharePoint Client Object Model

If you are using the SharePoint Client Object Model along with Active Directory Federation Services (ADFS), you may encounter numerous hurdles or obstacles when attempting to interact with SharePoint:

First of all, since you are using Claims-based Authentication, the standard Windows/NTLM Authentication model will no longer work (and is not quite as straightforward).  Therefore, you will need to follow an article similar to the following:

Remote Authentication in SharePoint Online Using the Client Object Model

However, the problem with this code is that it prompts you for your login credentials each time you attempt to access SharePoint.

But, what if you want to generate the FedAuth Token programmatically without a login prompt?

Well, you can do that as well, thanks to an article by Steve Peschka described here:

Using the Client Object Model with a Claims Based Auth Site in SharePoint 2010

As you will see from the above article, you will actually need to enable a new Endpoint on your ADFS Server in order to be able to call ADFS directly to generate the FedAuth token for you.

  1. Open the AD FS 2.0 Management application
  2. Expand the Service node and click on the Endpoints node
  3. Right-click on the /adfs/services/trust/13/windowstransport node and click on Enable on the shortcut menu
  4. Restart the AD FS 2.0 Windows Service (from the Services Control Panel)
The one major thing lacking in Steve Peschka's code, though, is the ability to utilize custom login credentials. Fortunately, that is relatively easy to accomplish:

 ctx.Credentials = new NetworkCredential(UserName, Password, Domain);  

That is all there is to it!

Happy Coding!!

Monday, May 6, 2013

Enterprise Library 6.0 has been released!

For those of you who have used Enterprise Library in the past, you may know that it has been several years since Microsoft has done anything since the release of Enterprise Library 5.

Well, the long awaited arrival of Enterprise Library v. 6.0 is finally here!

You can read more about the improvements in Enterprise Library 6.0 here:

You can directly download Enterprise Library 6.0 from here: