Issue:
We're running CA Access Gateway (SPS). When a user accesses the Partnership
Office365 - Azure AD from a Windows 10 workstation, the
authentication fails, and the CA Access Gateway (SPS) Windows event
log reports the error:
Get user realm failure. Status: 0xC000023C Correlation ID:
9384A23C-CA75-4DAD-AF67-0D4779C659C8
How can we fix that?
Environment:
Policy Server 12.52SP1CR00 on RedHat 6 64bit;
CA Access Gateway (SPS) 12.52SP1CR04 on RedHat 6 64bit;
User Store on Active Directory;
Resolution:
As per Microsoft's suggestion, add the following claim rules (written in the AD FS claim rule language; each rule is one `condition => issue(...)` statement, and rule 3 consumes the ImmutableID claim issued by rule 2, so keep the order):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN"), query = "samAccountName={0};userPrincipalName;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);

c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");

Also vote on the enhancement request below to get this integration
fully QA'd and supported on our side.
Vote for support of the full integration of CA Single Sign-On with
Office 365 and Windows 10 in an Azure environment:
Office 365 and Windows 10 - Domain join via CA SSO
https://communities.ca.com/ideas/235740879-office-365-and-windows-10-domain-join-via-ca-sso
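To make the four rules above concrete, here is an added Python model of what they do to a claim set (example code written for this page, not part of the KB, CA SSO or AD FS): rule 1 and rule 2 strip the `DOMAIN\` prefix from windowsaccountname with the same regex, look the account up by sAMAccountName and issue its UPN and objectGUID (as ImmutableID), rule 3 copies ImmutableID into a nameidentifier with the "unspecified" format property, and rule 4 issues accounttype=DJ only when the account carries a group SID ending in -515 (the Domain Computers RID) from a trusted issuer. The `DIRECTORY` dictionary is a constructed stand-in for the "Active Directory" attribute store, and base64-encoding the binary objectGUID is an assumption about how the store hands back binary attributes.

```python
import base64
import re

# Claim type URIs exactly as they appear in the rules above.
WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
UPN = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME_ID_FORMAT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
NAME_ID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ACCOUNT_TYPE = "http://schemas.microsoft.com/ws/2012/01/accounttype"

# The rules' regexes, translated to Python's named-group syntax.
DOMAIN_USER_RE = re.compile(r"(?P<domain>[^\\]+)\\(?P<user>.+)")
DOMAIN_COMPUTERS_RE = re.compile(r"-515$")  # RID 515 = Domain Computers
TRUSTED_ISSUER_RE = re.compile(r"^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$")

# Constructed stand-in for the "Active Directory" attribute store, keyed by
# sAMAccountName (assumption; sample entries only). objectGUID is kept as the
# raw 16 bytes AD returns; a computer account normally has no userPrincipalName.
DIRECTORY = {
    "jdoe": {"userPrincipalName": "jdoe@example.com", "objectGUID": bytes(range(16))},
    "WS01$": {"userPrincipalName": None, "objectGUID": bytes(range(16, 32))},
}


def claim(ctype, value, issuer="AD AUTHORITY", properties=None):
    """Minimal claim record: type, value, issuer and optional properties."""
    return {"type": ctype, "value": value, "issuer": issuer, "properties": properties or {}}


def query_store(sam_account_name, attribute):
    """Model of query = "samAccountName={0};<attribute>;{1}": {0} is the bare
    account name, {1} (DOMAIN\\user) only selects the domain to query, which this
    single-domain stand-in ignores. Binary attributes (objectGUID) come back
    base64-encoded (assumption about the attribute store). None = no claim issued."""
    entry = DIRECTORY.get(sam_account_name)
    if not entry or not entry.get(attribute):
        return None
    value = entry[attribute]
    return base64.b64encode(value).decode() if isinstance(value, bytes) else value


def apply_rules(input_claims):
    """Run the four rules over the input claim set. Rule 3 reads the ImmutableID
    issued by rule 2, so claims issued by earlier rules are visible to later ones."""
    issued = []
    for c in input_claims:
        if c["type"] == WINDOWS_ACCOUNT_NAME:
            # regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"):
            # drop the DOMAIN\ prefix; a value without a backslash is left unchanged.
            sam = DOMAIN_USER_RE.sub(r"\g<user>", c["value"])
            upn = query_store(sam, "userPrincipalName")  # rule 1
            if upn:
                issued.append(claim(UPN, upn))
            guid = query_store(sam, "objectGUID")  # rule 2
            if guid:
                issued.append(claim(IMMUTABLE_ID, guid))
        elif (c["type"] == GROUP_SID
              and DOMAIN_COMPUTERS_RE.search(c["value"])
              and TRUSTED_ISSUER_RE.match(c["issuer"])):
            issued.append(claim(ACCOUNT_TYPE, "DJ"))  # rule 4: domain-joined device
    for c in list(issued):  # rule 3: nameidentifier copied from ImmutableID
        if c["type"] == IMMUTABLE_ID:
            issued.append(claim(NAME_ID, c["value"],
                                properties={NAME_ID_FORMAT: NAME_ID_UNSPECIFIED}))
    return issued


def claim_values(claims, ctype):
    """Values of every claim of the given type, in issue order."""
    return [c["value"] for c in claims if c["type"] == ctype]


if __name__ == "__main__":
    # Constructed input: a Windows 10 computer account authenticated against AD.
    device = [claim(WINDOWS_ACCOUNT_NAME, "EXAMPLE\\WS01$"),
              claim(GROUP_SID, "S-1-5-21-1-2-3-515")]
    for c in apply_rules(device):
        print(c["type"].rsplit("/", 1)[-1], "=", c["value"], c["properties"])
```

The device case is the one the KB is about: the computer account gets no UPN claim (it has none in the directory), but it does get ImmutableID, a matching nameidentifier, and accounttype=DJ because it is a member of Domain Computers. A group SID claim from an issuer outside the trusted list yields no DJ claim, which is the point of the Issuer check in rule 4.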
KB : KB000113734