Hiding Default Authentication Providers in SharePoint 2010

A scenario that is happening more frequently in SharePoint 2010 is using a single zone for multiple authentication providers.  One of the reasons folks do this is because they want to use a some type of claims authentication – like FBA or SAML – but they also want to add Windows claims so that the zone can be indexed by the SharePoint crawler.  The problem with that approach is two-fold:

  1. Users see a login selection page where they need to select either Windows or some other type of authentication
  2. When users are added to a site (or really any operation is performed that invokes the people picker), they will see Active Directory users in the picker results along with users for the claims authentication providers they are using.

So, what can we do about that?  Well to solve the first problem, we can write a custom login selection page.  I’ve covered that scenario already in my posting at http://blogs.technet.com/b/speschka/archive/2011/04/30/bypassing-the-multi-authentication-provider-selection-page-in-sharepoint-2010.aspx.  But what about the second item – hiding AD users from showing up in people picker search results?  In comes the April 2011 CU to the rescue! <QUICK NOTE: You may experience some issues with this in the April CU; the June CU will have an updated version.  Your mileage may vary so please feel free to test.>  Once you’ve applied the CU you will see that your SPClaimProviderDefinitions now include a new property called “IsVisible”.  You can simply set this to false for the Active Directory provider and it will no longer show up when you use the people picker.

Here’s a little PowerShell snippet that shows you how to do this:

$cpm = Get-SPClaimProviderManager
$ad = get-spclaimprovider -identity “AD”
$ad.IsVisible = $false
$cpm.Update()

A couple of things to note:

  1. The PowerShell command Get-SPClaimProvider actually returns an SPClaimProviderDefinition, so you’re good there.
  2. The identity “AD” is used because that’s the internal name of the Active Directory provider.

In my limited testing I didn’t even have to do an IISRESET after making this change; I could just go in and Active Directory no longer showed up in the list of authentication providers in the left pane of the people picker.  Conversely when I changed it back it started showing up again immediately without an IISRESET.

At this time the biggest limitation with this is that it does not appear you can enforce this setting on a per-zone basis, which would be ideal.  If I find out otherwise about that I will update this post.

 

 

 

One thought on “Hiding Default Authentication Providers in SharePoint 2010

  1. If we set the active directory provider to false. this will be applied to all the web application in the Farm ? can we do it selectively for one web application in the farm and other web application uses the default one.

    As I have written a custom claim provider to just show filtered AD users based on some business logic. But in the people picker it shows users filtered by custom claim provider and users from AD provider.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s