This project has moved and is read-only. For the latest updates, please go here.

Don't show Windows Accounts in the people picker when SAML and AD auth are enabled on a zone?

Dec 17, 2015 at 5:31 PM
It's possible I am doing something wrong but I've read a about how when you extend your web app to have a Windows Auth zone to support search crawls when your users all use SAML auth, this can lead to issues.

We've got a solution in place that allows Windows Authentication and SAML Authentication where if a user browses to the site it only prompts them with the SAML based login form. So we are 90% of the way there.

The issue we are running into is that when you use the people picker it is showing both Windows and SAML accounts, which in many cases will result in "duplicate" records leading to an issue where users won't know which "John Smith" to pick and its unrealistic to train them and expect them to pick the SAML "John Smith."

Is there a way that already exists with LDAPCP (or out of the box SharePoint that I'm overlooking) to not show the Windows Authentication accounts? Windows Auth is only for the search crawl account. If not what is the best practice for handling this scenario?

Dec 30, 2015 at 4:16 PM
I think I did this a long time ago but I'm not sure about the final conclusion.
Can you try this and let me know if it works:
$cpm = Get-SPClaimProviderManager
$ad = Get-SPClaimProvider -Identity "AD"
$ad.IsVisible = $false
You should check for potential side effect like crawling for example.
Feb 4, 2016 at 10:30 PM

have you ever tried Yvand solution and how it work out for you?


Aug 8, 2016 at 3:44 PM
I can verify that Yvan's solution is correct.
I have my environment set up that way.