Hide AD claims provider in a specific web app
https://sharepoint.stackexchange.com/questions/167468
-
07-10-2020 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
We have set up ADFS in our QA environment and we have everything sorted out except for one issue.
Our environment:
We have four web apps, not including central admin
- 2 web apps using ntlm, they are both public and allow anonymous access.
- My sites, using ADFS and ntlm
- Default SharePoint web app, using ADFS and ntlm
I left ntlm turned on in both our default web app and my sites because search requires ntlm. I have read about extending the web app and setting up server mapping in search, then shutting off NTLM, but have also read from an msdn blog that this is not recommended. Search has issues when it isn't crawling the default zone.
Finally, I have a custom claims provide from codeplex that allows the people picker to resolve ADFS names:
The only issue I am struggling with now is the people picker is showing both ADFS and NTLM accounts. I found a powersehll script that hides the AD provider:
$cpm = Get-SPClaimProviderManager
$ad = get-spclaimprovider -identity "AD"
$ad.IsVisible = $false
$cpm.Update()
but it appears this impacts the entire farm, including the public web sites and central admin. I am not so much worried about central admin but I can't turn it off for the public web sites. At the same time, having two people picker accounts in our default web app is going to cause issues. I can guarantee that users will select the wrong (ntlm) account when adding permissions or selecting users in list items.
Is there any way to selectively hide the AD provider for one web app and not another (within the same farm), or will I have to create a new, separate farm to host the public web sites?
La solution
Steve,
What you probably want to do is extend both of your web apps to another zone (such as Internet) and disable NTLM authentication from that zone. That should prevent users from confusing users in the People Picker since only ADFS Auth will be enabled (and thus resolve through the people picker).
However, leave NTLM activated on the default zone for search purposes.
I hope this helps!
Raphael.
