Hiding Default Authentication Providers in SharePoint 2010

A scenario that is happening more frequently in SharePoint 2010 is using a single zone for multiple authentication providers.  One reason folks do this is that they want to use some type of claims authentication - like FBA or SAML - but they also want to add Windows claims so that the zone can be indexed by the SharePoint crawler.  The problem with that approach is two-fold:

  1. Users see a login selection page where they need to select either Windows or some other type of authentication
  2. When users are added to a site (or really any operation is performed that invokes the people picker), they will see Active Directory users in the picker results along with users for the claims authentication providers they are using.

So, what can we do about that?  Well to solve the first problem, we can write a custom login selection page.  I've covered that scenario already in my posting at https://blogs.technet.com/b/speschka/archive/2011/04/30/bypassing-the-multi-authentication-provider-selection-page-in-sharepoint-2010.aspx.  But what about the second item - hiding AD users from showing up in people picker search results?  In comes the April 2011 CU to the rescue! <QUICK NOTE: You may experience some issues with this in the April CU; the June CU will have an updated version. Your mileage may vary so please feel free to test.>   Once you've applied the CU you will see that your SPClaimProviderDefinitions now include a new property called "IsVisible".  You can simply set this to false for the Active Directory provider and it will no longer show up when you use the people picker.

Here's a little PowerShell snippet that shows you how to do this:

# Get the farm-level claim provider manager; its Update() persists the change
$cpm = Get-SPClaimProviderManager
# "AD" is the internal name of the Active Directory claim provider
$ad = Get-SPClaimProvider -Identity "AD"
# IsVisible is the property added by the April 2011 CU
$ad.IsVisible = $false
$cpm.Update()

A couple of things to note:

  1. The PowerShell command Get-SPClaimProvider actually returns an SPClaimProviderDefinition, so you're good there.
  2. The identity "AD" is used because that's the internal name of the Active Directory provider.
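Here is a slightly more defensive version of the same change, written as an added example for this post rather than code from the original.  It lists every provider's visibility first, refuses to touch a farm where the CU has not added IsVisible yet, and re-reads the definition after Update() to confirm the value actually persisted.  The function name Set-ClaimProviderVisibility is my own; the cmdlets and the DisplayName, IsEnabled and IsUsedByDefault properties are the standard SharePoint 2010 ones.

```powershell
# Added example (not from the original post): hide or show a claim provider in
# the people picker, with a pre-check for the post-CU IsVisible property.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-ClaimProviderVisibility {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][bool]$Visible
    )
    $cpm = Get-SPClaimProviderManager
    # Get-SPClaimProvider returns an SPClaimProviderDefinition
    $def = Get-SPClaimProvider -Identity $Identity
    if ($null -eq $def) { throw "Claim provider '$Identity' not found." }

    # IsVisible only exists once the April 2011 CU (or later) is applied; fail with
    # a clear message instead of the generic "property cannot be found" error.
    if (-not ($def | Get-Member -Name IsVisible -MemberType Property)) {
        throw "IsVisible is not available on '$Identity'; apply the April 2011 CU first."
    }

    $def.IsVisible = $Visible
    $cpm.Update()

    # Re-read from the farm configuration so we report the persisted value,
    # not just the in-memory object we modified.
    $check = Get-SPClaimProvider -Identity $Identity
    return $check.IsVisible
}

# Show the current state of every provider before changing anything
Get-SPClaimProvider |
    Select-Object DisplayName, IsEnabled, IsUsedByDefault,
        @{ Name = 'IsVisible'; Expression = { $_.IsVisible } }

# Hide AD from people picker results; pass -Visible $true to revert
$result = Set-ClaimProviderVisibility -Identity "AD" -Visible $false
Write-Host "AD IsVisible is now: $result"
```

Run it from the SharePoint 2010 Management Shell as a farm administrator; the Select-Object listing makes it easy to see the before state and to confirm you are only hiding the provider you intended.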

In my limited testing I didn't even have to do an IISRESET after making this change; I could just go in and Active Directory no longer showed up in the list of authentication providers in the left pane of the people picker.  Conversely when I changed it back it started showing up again immediately without an IISRESET.

At this time the biggest limitation with this is that it does not appear you can enforce this setting on a per-zone basis, which would be ideal.  If I find out otherwise about that I will update this post.