I have a post about migrating from Windows authentication to ADFS that creates the Trusted Identity Token Issuer with the -UseDefaultConfiguration switch. A few days ago, I created a Trusted Identity Provider with -UseDefaultConfiguration. I no longer needed it in my test farm, so it was time to delete it.
This failed with this exception:
```text
PS C:\windows\system32> Remove-SPTrustedIdentityTokenIssuer foo
Remove-SPTrustedIdentityTokenIssuer : The trusted login provider is in use and cannot be deleted.
At line:1 char:1
+ Remove-SPTrustedIdentityTokenIssuer foo
+ CategoryInfo : InvalidData: (Microsoft.Share...dentityProvider:SPCmdletRemoveSPIdentityProvider) [Remove-SPTrustedIdentityTok
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletRemoveSPIdentityProvider
```
Only Two Checks
There are only two reasons this exception is thrown when you try to remove a Trusted Identity Token Issuer:
- The issuer is still in use as an authentication provider on a web application zone
- A claim provider exists with the same name as your Trusted Identity Token Issuer
The first is the obvious thing to check, since the Trusted Identity Token Issuer cannot be deleted while a web application uses it. If you have numerous web applications with many zones to check, doing this by hand takes a long time. The PowerShell script below enumerates every web application and each of its zones and displays the authentication providers enabled in those zones.
```powershell
# Use this to enumerate all authentication providers in use for every zone of every web application
$log = "C:\logs\authproviders.txt"
$wa = Get-SPWebApplication
foreach ($webapp in $wa) {
    # AlternateUrls lists every zone that has a URL mapped; a zone with several URLs appears more than once
    $aams = $webapp.AlternateUrls
    foreach ($aam in $aams) {
        Write-Host $webapp.Url $aam.Zone -ForegroundColor DarkGreen
        $url = $webapp.Url
        $zone = $aam.Zone
        "$url $zone" | Out-File $log -Append -NoClobber
        # Show the providers for this zone on screen and record them in the log
        Get-SPAuthenticationProvider -WebApplication $webapp -Zone $aam.Zone
        Get-SPAuthenticationProvider -WebApplication $webapp -Zone $aam.Zone | Out-File $log -Append -NoClobber
    }
}
```
Example of the output:
I checked the authentication providers. I have ADFSAdamsor in use, and you can see the web application URL and zone at the top. For any zone that shows up this way, remove the Trusted Identity Token Issuer from that zone's authentication providers before trying to delete it.
The second check for Remove-SPTrustedIdentityTokenIssuer is Claim Providers that have the same name as the Trusted Identity Token Issuer.
Get-SPClaimProvider will display all the claim providers installed on the farm.
As the screenshot above shows, I have the claim provider that was created with -UseDefaultConfiguration. I removed the claim provider first and then removed the Trusted Identity Token Issuer.
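As an added example (not code from the original post), here is a function that runs both checks for a named issuer in one pass and reports what still blocks the removal; the issuer name is a placeholder, and the property names compared (DisplayName, LoginProviderName) are assumptions about the objects these cmdlets return.

```powershell
# Added example (not from the original post). For a named issuer, report both
# blockers the post describes before running Remove-SPTrustedIdentityTokenIssuer.
# Assumes the SharePoint snap-in is available; the issuer name below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Find-SPTrustedIssuerBlockers {
    param([Parameter(Mandatory = $true)][string]$IssuerName)

    $issuer   = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName -ErrorAction Stop
    $blockers = @()

    # Check 1: a web application zone still lists the issuer as an authentication provider.
    foreach ($webapp in Get-SPWebApplication) {
        # AlternateUrls can hold several URLs per zone, so query each zone only once.
        $zones = $webapp.AlternateUrls | Select-Object -ExpandProperty Zone -Unique
        foreach ($zone in $zones) {
            foreach ($p in (Get-SPAuthenticationProvider -WebApplication $webapp -Zone $zone)) {
                # Assumption: trusted providers expose the issuer name as DisplayName / LoginProviderName.
                if ($p.DisplayName -eq $issuer.Name -or $p.LoginProviderName -eq $issuer.Name) {
                    $blockers += [pscustomobject]@{
                        Kind   = 'WebApplicationZone'
                        Target = "$($webapp.Url) [$zone]"
                        Fix    = "Remove the issuer from this zone's authentication providers"
                    }
                }
            }
        }
    }

    # Check 2: a claim provider sharing the issuer's name (what -UseDefaultConfiguration creates).
    foreach ($cp in Get-SPClaimProvider) {
        if ($cp.DisplayName -eq $issuer.Name) {
            $blockers += [pscustomobject]@{
                Kind   = 'ClaimProvider'
                Target = $cp.DisplayName
                Fix    = "Remove-SPClaimProvider -Identity '$($cp.DisplayName)'"
            }
        }
    }
    return ,$blockers
}

# Placeholder issuer name; replace with the issuer you intend to delete.
$found = @(Find-SPTrustedIssuerBlockers -IssuerName 'ISSUER-NAME-PLACEHOLDER')
if ($found.Count -eq 0) {
    Write-Host "No blockers found; Remove-SPTrustedIdentityTokenIssuer should succeed." -ForegroundColor Green
} else {
    $found | Format-Table -AutoSize
}
```

Clear every reported blocker, then rerun the function until it reports none before deleting the issuer.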