Category: SharePoint 2019

SharePoint: Profile Sync and the “Domain Users” group – the Primary Group problem

Update 4/15/20: I tested this with AD Import and SharePoint 2019. It’s still the same story with SharePoint 2019. This problem manifests itself in a few different ways: You create an Audience based on “Member Of” the “Domain Users” group. You notice there are only a couple (or maybe even zero) members shown, whereas you

SharePoint: Windows user not equal to ADFS user

I’ve been over this concept with customers and support engineers so many times that I’m not sure why I haven’t posted about it before. My colleague Adam posted on this topic a while back, but I wanted to expand on that a bit. The Setup: Let’s say you have a SharePoint (2010, 2013, 2016, 2019,

SharePoint: Troubleshooting the Security Token Service (STS)

STS Background: In SharePoint 2010, 2013, 2016, etc., the Security Token Service (STS) is a web service hosted under the “SharePoint Web Services” IIS site on HTTP port 32843 and HTTPS port 32844, in a virtual directory called SecurityTokenServiceApplication. In SharePoint 2010, it contains 2 web services: Securitytoken.svc and Windowstokencache.svc. In SharePoint 2013 and 2016, it contains 3

SharePoint: MIM 2016 Export for SharePoint MA fails

Consider the following scenario: You have SharePoint 2016 set up to import user profiles from an External Identity Manager. We’ll say you’re using Microsoft Identity Manager (MIM) 2016 to import profiles from some 3rd party LDAP directory. The profiles should be imported as Trusted Provider type users (SAML-claims). You run a Sync, and everything goes

SharePoint: Users forced to re-authenticate unexpectedly

This post covers the scenario where users log in via a trusted provider / SAML-claims (like ADFS, Ping, Site Minder, etc.) and intermittently, they are redirected to the login page to re-authenticate. There are a few pieces of information you need for a scenario like this (beyond the regular scoping): 1. Output of Get-SPSecurityTokenServiceConfig 2. A Fiddler trace

SharePoint 2016: Active Directory Import timer job does not run – AllowServiceJobs

This is an interesting “gotcha” that came up recently: Problem: The Active Directory Import (UserProfileADImportJob) timer job does not run. It’s enabled and scheduled to run (default every 5 minutes), but never runs. The result is that the user profiles never get imported. Cause: All the servers in the farm that are running the User Profile

SharePoint: Importing Manager property with AD Import: A Troubleshooter

Overview: This is a fairly visible problem within SharePoint. It can cause the organization chart to show old manager info, or not work at all. So what to do if your user profiles show no manager value, or maybe a user has changed managers, and it’s not being updated? This is a complicated topic for a