HELP FILE

Troubleshooting Active Directory Federation Services (AD FS)

If you are having some trouble after setting up your LastPass Enterprise environment to use Active Directory Federation Services (AD FS), you can take the steps below to check your configuration settings and perform basic troubleshooting. Please be sure to perform these checks in order.

Step #1: Check Windows updates and LastPass components versions

Please check for updates and install the latest versions of the following:

  • Windows Server updates (including the latest version of .Net Framework)
  • LastPass Active Directory Connector must be running version 1.2.652 or later. To update it, open the LastPass AD Connector and go to Home > Check for updates.
  • LastPass web browser extension must be running the latest version available.

Step #2: Check your firewall settings

The Custom Attribute Store must be able to communicate with LastPass APIs, which means that the AD FS server(s) must be able to reach *.lastpass.com.

  • Open a web browser on your AD FS server(s) and navigate to https://lastpass.com. If it is not reachable, you must whitelist the *.lastpass.com domain on your firewall.

Note: If your environment is an AD FS server farm with primary and secondary nodes, please ensure that the *.lastpass.com domain is whitelisted on all machines.
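The reachability check in Step #2, run from every node of the farm at once rather than one browser at a time. This is an added example, not LastPass's own tooling; the node names are assumptions. It tests TCP 443 and then a full HTTPS request, so a firewall block and a TLS-interception problem (proxy with an untrusted CA) show up as different failures.

```powershell
# Added example (not LastPass's own tooling). Checks that every AD FS node in the
# farm can reach https://lastpass.com, as Step #2 requires. The node names below
# are assumptions; replace them with your primary and secondary AD FS servers.
$AdfsNodes = @('adfs01.corp.example', 'adfs02.corp.example')
$Targets   = @('lastpass.com', 'accounts.lastpass.com')

$results = Invoke-Command -ComputerName $AdfsNodes -ScriptBlock {
    param($Targets)
    foreach ($t in $Targets) {
        # TCP reachability on 443 first: separates a firewall block from a TLS problem
        $tcp   = Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue
        $https = $false
        if ($tcp.TcpTestSucceeded) {
            try {
                # A full HTTPS request also catches TLS interception with an untrusted CA
                $null = Invoke-WebRequest -Uri "https://$t/" -UseBasicParsing -TimeoutSec 15
                $https = $true
            } catch {
                # Any HTTP response at all (even 4xx) means the TLS connection worked
                $https = ($null -ne $_.Exception.Response)
            }
        }
        [pscustomobject]@{
            Node   = $env:COMPUTERNAME
            Host   = $t
            Tcp443 = $tcp.TcpTestSucceeded
            Https  = $https
        }
    }
} -ArgumentList (,$Targets)

$results | Format-Table Node, Host, Tcp443, Https -AutoSize
$results | Where-Object { -not $_.Https } | ForEach-Object {
    Write-Warning "$($_.Node) cannot reach https://$($_.Host)/ - allow *.lastpass.com on the firewall or proxy for this node"
}
```

The AD FS service makes its calls as the AD FS service account, so it uses the machine-wide WinHTTP proxy (netsh winhttp show proxy), not the Internet Explorer proxy of whoever is logged in; a browser test that succeeds while the service still cannot connect usually means those two proxy settings differ.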

Step #3: Check your AD users' permissions

There are two users in your Active Directory environment that must have read and write access for the custom attribute:

  • The AD user that runs the LastPass AD Connector (which populates the custom attribute at the time of provisioning)
  • The AD user that runs the AD FS service (AD FS calls into the Custom Attribute Store, which reads the custom attribute at the time of the login)

Both users must have the CONTROL ACCESS permission in order to access the custom attribute marked as CONFIDENTIAL. If the users don't have this permission, it must be set. You can check your users' permissions in either of the following ways:

Using the LDP tool

The Windows Server operating systems have a built-in tool that allows you to check the permissions of your AD users based on their group membership.

  • On your Active Directory server, run ldp.exe and confirm that the assigned group of the AD user has CONTROL ACCESS enabled.

Using the dsacls command

You can run the dsacls command to check the permissions of your AD users. The CONTROL ACCESS right for a confidential attribute is granted on the objects that carry the attribute (the users' OU or the domain root), not on the attribute's schema object, so run dsacls against the container that holds your provisioned users:

  1. On your Active Directory server, run the Command Prompt as an administrator.
  2. Enter the following command: dsacls "<distinguishedName of the OU or domain that holds your users>"
  3. Confirm that a CONTROL ACCESS entry scoped to the custom attribute is assigned to both users (directly or through a group they belong to).
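The same check done with the ActiveDirectory module, as an added example (not LastPass's own tooling). CONTROL ACCESS for one attribute appears in the ACL as an ExtendedRight ACE whose ObjectType is the attribute's schemaIDGUID, so the script resolves that GUID and then looks for matching Allow entries on the users' container. The attribute name, OU and the two service account names are assumptions.

```powershell
# Added example (not LastPass's own tooling). Finds who holds the CONTROL ACCESS
# right for the confidential custom attribute on the container that holds your
# users, which is what both the AD Connector account and the AD FS service
# account need. Names below are assumptions: change them to match your forest.
Import-Module ActiveDirectory

$AttrName   = 'LastPassK1'                                  # lDAPDisplayName of your custom attribute
$UsersDN    = 'OU=Users,DC=corp,DC=example'                 # container whose users are provisioned
$Principals = @('CORP\svc-lastpass-adc', 'CORP\svc-adfs')   # connector and AD FS service accounts

# Resolve the attribute's schemaIDGUID; CONTROL ACCESS for a specific attribute
# appears in the ACL as an ExtendedRight ACE whose ObjectType is that GUID.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttrName))" -Properties schemaIDGUID
if (-not $attr) { throw "Attribute '$AttrName' not found in the schema" }
$attrGuid = [guid]$attr.schemaIDGUID

$acl = Get-Acl -Path "AD:\$UsersDN"
$caAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)   # Empty GUID = all extended rights
}

"CONTROL ACCESS grants for '$AttrName' on $UsersDN :"
$caAces | Select-Object IdentityReference, InheritanceType, InheritedObjectType | Format-Table -AutoSize

# Direct-grant check only; a principal may also hold the right through a group listed above
$grantees = @($caAces | ForEach-Object { $_.IdentityReference.Value })
foreach ($p in $Principals) {
    if ($grantees -contains $p) {
        "OK      $p has CONTROL ACCESS for $AttrName"
    } else {
        "MISSING $p - grant it with:"
        "        dsacls `"$UsersDN`" /I:S /G `"$($p):CA;$AttrName;user`""
    }
}
```

The dsacls line the script prints grants CONTROL ACCESS (CA) for that one attribute, inherited to user objects only (/I:S with an inherited object type of user), which is narrower than granting full read on the OU; prefer a group over the individual service accounts so the right survives an account rotation.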

Step #4: Check that the AD FS plugin is installed and registered with the correct custom attribute value

If the AD FS plugin was installed correctly, you can find the LastPassAttributeStore listed.

  1. On your AD FS server, open the AD FS Management tool.
  2. Go to AD FS > Service > Attribute Stores.
  3. Check if LastPassAttributeStore is listed.

WARNING! If you cannot find the Attribute Store, the installation failed. Reinstall the AD FS plugin, and confirm that the name of the custom attribute value and the version of the installer (3.0 or 4.0) are both correct.

  1. Uninstall the existing LastPass Custom Attribute Store (CustomAttributeStore.msi).
  2. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  3. Go to Settings > Federated login in the left menu.
  4. Confirm that the name of the custom attribute value is correct.
  5. In the "LastPass Custom Attribute Store" section at the bottom of the page, click either Download for ADFS Server 3.0 (for Windows Server 2012 R2) or Download for ADFS Server 4.0 (for Windows Server 2016) and save the LastPass CustomAttributeStore.msi file.
  6. Log in to your primary Active Directory Federation Services (AD FS) server, then transfer the CustomAttributeStore.msi file onto the desktop of your AD FS server and double-click it to run it.
  7. Click Next.
  8. Enter your LastPass Enterprise Service Provider URL, then enter your custom attribute value and click Next.
  9. Click Finish when registration is complete.
  10. Restart the AD FS Windows service. This is required.

Step #5: Check the custom attribute configuration

You can use the ADSI Edit tool to check the properties of your custom attribute to confirm that it has been configured properly.

  1. On your Active Directory server, run the Command Prompt as an administrator.
  2. Enter the following command: adsiedit.msc

    Note: If the ADSI Edit tool is not available, you can register it by opening the Command Prompt as an administrator and running regsvr32 adsiedit.dll, then adsiedit.msc.

  3. Connect to the "well known Naming Context": Schema.
  4. Locate the custom attribute and open Properties.
  5. Locate the following attributes; their values should match the following:
    • attributeSyntax: 2.5.5.4 = ( NOCASE_STRING )
    • searchFlags: 0X80 = ( CONFIDENTIAL )

(Screenshot: custom attribute correctly configured)

WARNING! If the searchFlags attribute is not configured as CONFIDENTIAL (e.g., displays as INDEX), then you must configure it as CONFIDENTIAL. Changing searchFlags is a schema modification: it must be made by a member of Schema Admins and is written on the schema master.

(Screenshot: custom attribute incorrectly configured)
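The Step #5 check without ADSI Edit, as an added example (not LastPass's own tooling): it reads the attribute's schema object and verifies attributeSyntax 2.5.5.4 and the CONFIDENTIAL bit (0x80) in searchFlags, and with -Fix sets that bit. The attribute name is an assumption.

```powershell
# Added example (not LastPass's own tooling). Verifies the two schema values from
# Step #5: attributeSyntax 2.5.5.4 (case-insensitive string) and searchFlags bit
# 0x80 (CONFIDENTIAL). Run with -Fix to add the CONFIDENTIAL bit if it is missing.
# Attribute name is an assumption; edit it for your environment.
param([switch]$Fix)
Import-Module ActiveDirectory

$AttrName     = 'LastPassK1'
$CONFIDENTIAL = 0x80   # fCONFIDENTIAL
$INDEX        = 0x01   # fATTINDEX, shown by ADSI Edit as INDEX

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttrName))" `
    -Properties attributeSyntax, searchFlags, isSingleValued
if (-not $attr) { throw "Attribute '$AttrName' not found in the schema" }

$flags = [int]$attr.searchFlags
[pscustomobject]@{
    Attribute       = $AttrName
    attributeSyntax = $attr.attributeSyntax
    SyntaxOk        = ($attr.attributeSyntax -eq '2.5.5.4')
    searchFlags     = ('0x{0:X} ({1})' -f $flags, $flags)
    Confidential    = [bool]($flags -band $CONFIDENTIAL)
    Indexed         = [bool]($flags -band $INDEX)
} | Format-List

if (-not ($flags -band $CONFIDENTIAL)) {
    Write-Warning "searchFlags on $AttrName lacks CONFIDENTIAL (0x80). Setting it is a schema change: run as a member of Schema Admins."
    if ($Fix) {
        # OR the bit in so existing bits such as INDEX are kept rather than overwritten,
        # and write to the schema master, where schema changes must be made.
        $schemaMaster = (Get-ADForest).SchemaMaster
        Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
            -Replace @{ searchFlags = ($flags -bor $CONFIDENTIAL) }
        'searchFlags on {0} is now 0x{1:X}' -f $AttrName, ($flags -bor $CONFIDENTIAL)
    }
}
```

The script ORs the bit in rather than replacing the whole value, so an attribute that is already indexed stays indexed; the page only requires that CONFIDENTIAL be present. Remember that making the attribute confidential is what causes the CONTROL ACCESS requirement in Step #3: after this change, any account without that right reads the attribute as empty.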

Step #6: Check that the custom attribute is populated

Confirm that the LastPass AD Connector has populated the custom attribute properly.

  1. Log in to your Active Directory server.
  2. Open the Active Directory Users and Computers manager tool.
  3. Go to View and ensure Advanced Features is enabled, or click the Advanced Features menu option to enable it.
  4. In the left navigation, go to Users.
  5. Right-click on a user, then click Properties.
  6. Click the Attribute Editor tab.
  7. Locate the custom attribute you created (e.g., LastPassK1) and confirm that a value is set (as shown below).

(Screenshot: Attribute Editor displaying the custom attribute with a value set, correctly configured)

WARNING! If the custom attribute value is <not set>, first confirm that the account you are logged in with has CONTROL ACCESS for the attribute (Step #3): a CONFIDENTIAL attribute reads as <not set> to anyone without that right even when a value is stored. If the account does have the right, see "Custom attribute is empty" under Known issues and additional troubleshooting below.

(Screenshot: custom attribute showing <not set>, incorrectly configured)
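The Step #6 check across the whole provisioned OU instead of one user at a time, as an added example (not LastPass's own tooling). The attribute name and OU are assumptions. Run it twice: once as yourself and once as the AD FS service account (for example through runas). Because the attribute is CONFIDENTIAL, an account without CONTROL ACCESS sees every user as <not set>, so a result that differs between the two runs points to Step #3, not to the AD Connector.

```powershell
# Added example (not LastPass's own tooling). Counts which enabled users in the
# provisioned OU have the custom attribute set and lists those that do not.
# Attribute name and OU are assumptions. Values are never printed: only whether
# one is present.
Import-Module ActiveDirectory

$AttrName = 'LastPassK1'
$UsersDN  = 'OU=Users,DC=corp,DC=example'

$users = @(Get-ADUser -SearchBase $UsersDN -Filter 'Enabled -eq $true' -Properties $AttrName)
$set   = @($users | Where-Object { -not [string]::IsNullOrEmpty($_.$AttrName) })
$unset = @($users | Where-Object {      [string]::IsNullOrEmpty($_.$AttrName) })

"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
"$AttrName is set on $($set.Count) of $($users.Count) enabled users in $UsersDN"

if ($unset.Count -gt 0) {
    "Users with $AttrName <not set>:"
    $unset | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
if ($set.Count -eq 0 -and $users.Count -gt 0) {
    Write-Warning "No user shows a value. Either the AD Connector has not populated the attribute, or this account lacks CONTROL ACCESS (Step #3) and cannot read a CONFIDENTIAL attribute."
}
```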

Step #7: Check the AD FS server farm configuration (if applicable)

Confirm that the DLLs are present on the secondary and subsequent nodes, as follows:

  1. On the AD FS server, navigate to C:\Windows\ADFS where you installed the LastPass CustomAttributeStore.msi file.
  2. Copy the following files to all AD FS secondary and subsequent servers' C:\Windows\ADFS folder:
    • LastPassADFS.dll
    • LastPassConfig.dll
    • LastPassLib.dll
    • LastPassLogger.dll
    • LastPassSettings.dll
    • BouncyCastle.Crypto.dll
    • NLog.dll
  3. Restart the AD FS Windows service on the secondary and subsequent AD FS nodes.
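The Step #7 copy, restart and the Step #4 registration check in one script, as an added example (not LastPass's own tooling). It runs on the primary node, pushes the DLL list above to each secondary, compares file hashes so a stale or partial copy is caught, restarts AD FS on the secondary and then asks that node whether LastPassAttributeStore is registered. Node names are assumptions; Copy-Item -ToSession needs PowerShell 5.0 or later on both ends.

```powershell
# Added example (not LastPass's own tooling). Pushes the attribute store DLLs from
# the primary AD FS node to every secondary node, restarts AD FS there, then
# confirms the store is registered (the Step #4 check) from each node.
# Node names are assumptions; the file list is the one from Step #7.
$Secondaries = @('adfs02.corp.example', 'adfs03.corp.example')
$AdfsDir = 'C:\Windows\ADFS'
$Dlls = 'LastPassADFS.dll', 'LastPassConfig.dll', 'LastPassLib.dll', 'LastPassLogger.dll',
        'LastPassSettings.dll', 'BouncyCastle.Crypto.dll', 'NLog.dll'

# 1. Make sure the primary actually has everything before copying it anywhere
$missing = @($Dlls | Where-Object { -not (Test-Path (Join-Path $AdfsDir $_)) })
if ($missing.Count -gt 0) {
    throw "Missing on primary ($env:COMPUTERNAME): $($missing -join ', '). Reinstall the plugin (Step #4) first."
}
$localHashes = $Dlls | ForEach-Object { (Get-FileHash (Join-Path $AdfsDir $_)).Hash }

foreach ($node in $Secondaries) {
    $session = New-PSSession -ComputerName $node
    try {
        # 2. Copy the DLLs, then compare hashes so a stale or partially copied file is caught
        foreach ($dll in $Dlls) {
            Copy-Item -Path (Join-Path $AdfsDir $dll) -Destination $AdfsDir -ToSession $session -Force
        }
        $remoteHashes = Invoke-Command -Session $session -ScriptBlock {
            param($dir, $dlls)
            $dlls | ForEach-Object { (Get-FileHash (Join-Path $dir $_)).Hash }
        } -ArgumentList $AdfsDir, $Dlls
        if (Compare-Object $localHashes $remoteHashes) {
            throw "DLL hashes differ between $env:COMPUTERNAME and $node after copy"
        }

        # 3. Restart AD FS on the node and confirm the store is visible there. The store
        #    registration lives in the replicated AD FS configuration; only the DLLs do not replicate.
        Invoke-Command -Session $session -ScriptBlock {
            Restart-Service adfssrv
            $store = Get-AdfsAttributeStore | Where-Object Name -eq 'LastPassAttributeStore'
            if ($store) { "$env:COMPUTERNAME OK: $($store.Name) registered" }
            else        { Write-Warning "$env:COMPUTERNAME: LastPassAttributeStore not registered (see Step #4)" }
        }
    } finally {
        Remove-PSSession $session
    }
}
```

Restarting adfssrv drops active sign-in sessions on that node, so run this one secondary at a time during a maintenance window rather than against the whole farm in parallel.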

Known issues and additional troubleshooting

If you have confirmed that your LastPass Enterprise and AD FS configurations are properly set, there are additional steps you can take to troubleshoot based on the issue you are experiencing.

Blank screen after logging in as a federated user

Possible causes and how to fix them:

Custom attribute is empty

Possible causes and how to fix them:

Federated login was not enabled in the LastPass Admin Console at the time provisioning occurred via the LastPass AD Connector.


  1. Stop the LastPass AD Connector service.
  2. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  3. Go to Users in the left navigation and delete all users that were provisioned as federated users.
  4. Go to Settings > Federated login in the left navigation.
  5. Check the box for the "Enable" option.
  6. Restart the LastPass AD Connector service to provision federated users.

The LastPass AD Connector was not restarted after federated login became enabled in the LastPass Admin Console. Restart the LastPass AD Connector service to provision federated users.

There is a custom attribute name mismatch between the LastPass Admin Console and the AD FS plugin. See Step #4 above to confirm the name and reinstall the plugin with the correct value.

Windows Event Log Error: Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0017: Attribute store 'LastPassAttributeStore' is not configured.

How to fix this:

Windows Event Log Error: Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://accounts.lastpass.com/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.

How to fix this:

Windows Event Log Error: Microsoft.IdentityServer.Web.InvalidScopeException: Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity DOMAIN\USERNAME for relying party trust 'https://accounts.lastpass.com/'

How to fix this:

  • Check the user's Relying Party Trust and Issuance Authorization Rules (Windows Server 2012) or Access Control Policy (Windows Server 2016) on the AD FS server.
    1. Log in to your primary Active Directory Federation Services (AD FS) server
    2. Open the AD FS Management tool.
    3. Go to Trust Relationships > Relying Party Trust in the left navigation, then follow the next steps based on your AD FS server version:
      • AD FS Server 3.0 – Windows Server 2012 R2
        1. In the "LastPass Trust" section in the right navigation, click Edit Claim Rules....
        2. Select the Issuance Authorization Rules tab and set your desired rule.
      • AD FS Server 4.0 – Windows Server 2016
        1. In the "LastPass Trust" section in the right navigation, click Edit Access Control Policy....
        2. Set your desired policy.
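A scripted version of the three event-log entries above, as an added example (not LastPass's own tooling). It pulls the last day of errors from the AD FS Admin log and tags POLICY0017, MSIS7007 and MSIS5007 with the step each points to, then checks the relying party trust: whether a trust with identifier https://accounts.lastpass.com/ exists at all (the MSIS7007 case) and which issuance authorization rules or access control policy apply to it (the MSIS5007 case). Run it on the primary node; the identifier is the one quoted in the errors above, and the permit-everyone rule shown in the comments is the standard AD FS template, not LastPass-specific configuration.

```powershell
# Added example (not LastPass's own tooling). Triage of the AD FS Admin log for the
# three error codes listed above, plus a check of the LastPass relying party trust.
$RpIdentifier = 'https://accounts.lastpass.com/'   # identifier quoted in the errors above

# --- Event log triage: last 24 hours of errors, tagged by code ---
$codes = @{
    'POLICY0017' = 'Attribute store not configured: plugin not registered on this node (Step #4 / Step #7)'
    'MSIS7007'   = 'Relying party trust identifier not found: compare against the trust list below'
    'MSIS5007'   = 'Caller authorization failed: check issuance authorization rules / access control policy'
}
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
            -ErrorAction SilentlyContinue)
$events | ForEach-Object {
    $msg = $_.Message
    $hit = $codes.Keys | Where-Object { $msg -match $_ } | Select-Object -First 1
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Code    = $hit
        Hint    = $(if ($hit) { $codes[$hit] } else { '' })
        Message = ($msg -split "`n")[0]   # first line only; the rest is stack trace
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap

# --- Relying party trust check ---
$rp = Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier
if (-not $rp) {
    Write-Warning "No relying party trust has identifier $RpIdentifier (MSIS7007). Existing trusts and identifiers:"
    Get-AdfsRelyingPartyTrust | Select-Object Name, @{ n = 'Identifiers'; e = { $_.Identifier -join ', ' } } | Format-Table -AutoSize
    return
}
"Trust: $($rp.Name)   Enabled: $($rp.Enabled)"
"Access control policy (AD FS 4.0 / Windows Server 2016): $($rp.AccessControlPolicyName)"
"Issuance authorization rules (AD FS 3.0 / Windows Server 2012 R2):"
$rp.IssuanceAuthorizationRules

# A trust with no permit rule and no policy rejects every caller with MSIS5007.
# To permit all authenticated users as a starting point (narrow it to a group once sign-in works):
#   2012 R2: Set-AdfsRelyingPartyTrust -TargetIdentifier $RpIdentifier -IssuanceAuthorizationRules `
#              '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
#   2016:    Set-AdfsRelyingPartyTrust -TargetIdentifier $RpIdentifier -AccessControlPolicyName 'Permit everyone'
```

When an MSIS5007 entry names a specific DOMAIN\USERNAME, check that user against the rule or policy printed by the script before widening it: a group-scoped rule that rejects one user is usually a membership problem, not a trust problem.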

"Please contact your company administrator for help" after logging in as a federated user

How to fix this: