Share-n-dipity

SharePoint serendipity is the effect by which one accidentally discovers something fortunate, especially while looking for something else entirely. In this case, it is the occassional musings, observations, and Ouija board readings about the phabulously

Hiding Default Authentication Providers in SharePoint 2010

Hiding Default Authentication Providers in SharePoint 2010

  • Comments 4
  • Likes

A scenario that is happening more frequently in SharePoint 2010 is using a single zone for multiple authentication providers.  One of the reasons folks do this is because they want to use a some type of claims authentication - like FBA or SAML - but they also want to add Windows claims so that the zone can be indexed by the SharePoint crawler.  The problem with that approach is two-fold:

  1. Users see a login selection page where they need to select either Windows or some other type of authentication
  2. When users are added to a site (or really any operation is performed that invokes the people picker), they will see Active Directory users in the picker results along with users for the claims authentication providers they are using.

So, what can we do about that?  Well to solve the first problem, we can write a custom login selection page.  I've covered that scenario already in my posting at http://blogs.technet.com/b/speschka/archive/2011/04/30/bypassing-the-multi-authentication-provider-selection-page-in-sharepoint-2010.aspx.  But what about the second item - hiding AD users from showing up in people picker search results?  In comes the April 2011 CU to the rescue! <QUICK NOTE: You may experience some issues with this in the April CU; the June CU will have an updated version.  Your mileage may vary so please feel free to test.>  Once you've applied the CU you will see that your SPClaimProviderDefinitions now include a new property called "IsVisible".  You can simply set this to false for the Active Directory provider and it will no longer show up when you use the people picker.

Here's a little PowerShell snippet that shows you how to do this:

$cpm = Get-SPClaimProviderManager
$ad = get-spclaimprovider -identity "AD"
$ad.IsVisible = $false
$cpm.Update()

A couple of things to note:

  1. The PowerShell command Get-SPClaimProvider actually returns an SPClaimProviderDefinition, so you're good there.
  2. The identity "AD" is used because that's the internal name of the Active Directory provider.

In my limited testing I didn't even have to do an IISRESET after making this change; I could just go in and Active Directory no longer showed up in the list of authentication providers in the left pane of the people picker.  Conversely when I changed it back it started showing up again immediately without an IISRESET.

At this time the biggest limitation with this is that it does not appear you can enforce this setting on a per-zone basis, which would be ideal.  If I find out otherwise about that I will update this post.

 

 

 

Comments
  • Hi

    I have a problem in SharePoint regarding to claim-based authentication that is not related to this post but I really appreciate it if you help me. I've asked it in Microsoft TechNet but nobody has aswered it yet. (social.technet.microsoft.com/.../4841dcc8-c69a-40d8-8dcb-6f77c17a46a3)

    I've created a custom claim provider to augment claims of our AD domain users. It works properly but I need to change claims of a user based on some conditions during a session. The problem is that FillClaimsForEntity method is called just once per session. Is there any way to make SharePoint calls it on demand?

  • Do either of these CUs take care of the duplicate My Site/My Profile entries in the User drop-down menu or do you see that?

  • Hi,

    Do you know if it is possible to configure SharePoint 2010 in multi-tenant mode to work with ADFS without having users prompted to select the authentication provider that is associated with the tenant?

  • Hi Steve,

    Is it ok if I also set the IsEnabled flag to false. i.e. $ad.IsEnabled = $false .

    The reason why I want to do this is because I have a farm in which I have a trust from my farm domain to about a 100 other domains/forests. In this setting using the default AD Claim provider and usign the people picker is just not feasible in terms of performance so instead what I want to do is have a custom AD claims provider that uses UPA that has aggregated the data from 100 other forests and use that as the source for searching/resolving users. So as part of this I want to disable the default claims povider.

    is this approach feasible?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment