Step #3: Check your AD users' permissions

Confirm that two users in your Active Directory environment have the appropriate permissions for the custom attribute.

The following users must have read and write access for the custom attribute:

The AD user that runs the LastPass AD Connector (which populates the custom attribute at the time of provisioning)
The AD user that runs the AD FS service (AD FS calls into the Custom Attribute Store, which reads the custom attribute at the time of the login)

Both users must have the CONTROL ACCESS permission in order to access the custom attribute marked as CONFIDENTIAL. If the users don't have this permission, it must be set. You can check your users' permissions in either of the following ways:

Using the LDP tool

About this task:

The Windows Server operating systems have a built-in tool that allows you to check the permissions of your AD users based on their group membership.

On your Active Directory server, run ldp.exe and confirm that the assigned group of the AD user has CONTROL ACCESS enabled.

Using the dsacls command

About this task:

You can run the "distinguishedName of the custom attribute" command to check the permissions of your AD users:

On your Active Directory server, run the Command Prompt as an administrator.
Enter the following command: dsacls.
Confirm that the CONTROL ACCESS permission is assigned.

Parent article: Troubleshooting federated login for Active Directory Federation Services (AD FS)

Previous article: Step #2: Check your firewall settings

Next article: Step #4: Check that the AD FS plugin is installed and registered with the correct custom attribute value