Due to limitations of SharePoint API, do not associate LDAPCP with more than 1 SPTrustedIdentityTokenIssuer

Jan 20, 2016 at 3:43 PM
What is the reason for which the solution has been developed with the limitation?

In our project we need to develop the solution with the possibility of associating LDAPCP with more than 1 SPTrustedIdentityTokenIssuer associations.

Before we start the development, we would need to know if it is possible to carry out this functionality, its complexity, etc.

Jan 22, 2016 at 12:29 PM
Edited Jan 22, 2016 at 12:30 PM
This limitation is caused by SharePoint and impacts every claims provider: basically a claims provider doesn't know with which SPTrustedIdentityTokenIssuer it is associated.
So the best thing a claims provider can do is to browse all SPTrustedIdentityTokenIssuer and check with which one it is associated. If there is more than 1 then this check becomes invalid...

Feb 1, 2016 at 8:23 PM
Edited Feb 1, 2016 at 8:47 PM
Hi Yvand

I have 2 Trusted Identity Token Issuers:
TrustedID1 and TrustedID2

After associating it with TrustedID1, everything was working. I know about this warning but accidentally associated LDAPCP again with the other one, TrustedID2. After that I can no longer access any web site (authenticating with the Trusted Identity Token Issuer).

I have tried to remove it following the "HOW to remove LDAPCP" steps, and then reinstalled and deployed the solution successfully.
I had associated LDAPCP with the TrustedID1 token issuer.

But I still see this message in the LDAPCP configuration page:

"LDAPCP is currently not associated with any TrustedLoginProvider. It is mandatory because it cannot create permission for a trust if it is not associated to it.
Visit to see how to associate it.
Settings on this page will not be available as long as LDAPCP will not associated to a trust"

I checked again with Get-SPTrustedIdentityTokenIssuer | ft Name, ClaimProviderName
and still see LDAPCP in both TrustedID1 and TrustedID2.

How do I remove LDAPCP from the TrustedID2 token issuer?

Thanks in advance for any advice that you can give to help me to clean this up.

Feb 2, 2016 at 5:56 PM
I got this resolved. The only way to unregister the claim provider is to remove the Trusted Token Issuer and re-create it anew.

I should not need to remove LDAPCP at all.

I am good now.

Feb 4, 2016 at 1:36 PM
I agree with you, but this is entirely caused by SharePoint, which doesn't offer a convenient way to remove a claims provider from a SPTrustedIdentityTokenIssuer.

Apr 20, 2016 at 7:55 AM
But you were able to associate LDAPCP with more than 1 SPTrustedIdentityTokenIssuer associations.
If yes, please let me know the detailed steps you have done.
I am not able to associate.

Apr 21, 2016 at 4:11 PM
Hello, again, LDAPCP will not work if it is associated with several SPTrustedIdentityTokenIssuer: there is code that checks this and LDAPCP deactivates itself if so.
And it does so for a very good reason: SharePoint does not let LDAPCP know for which trust it is currently called, and this information is vital to work correctly.
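
The check discussed in this thread (list each trust's ClaimProviderName and look for a claims provider that appears on more than one trust), as an added PowerShell example that is not part of the original posts or of LDAPCP's code. The function name Get-ClaimProviderAssociation and the sample trust objects are constructed for illustration; TrustedID1 and TrustedID2 mirror the names used above, and TrustedID3 is made up.

```powershell
# Added example, not LDAPCP's own code. Written for Windows PowerShell 2.0+.
# Hypothetical helper: groups trusts by ClaimProviderName and flags any claims
# provider that is set on more than one SPTrustedIdentityTokenIssuer.
function Get-ClaimProviderAssociation {
    param(
        # Objects exposing Name and ClaimProviderName, e.g. the output of
        # Get-SPTrustedIdentityTokenIssuer.
        [Parameter(Mandatory = $true)]
        [object[]] $Trust
    )

    $Trust |
        Where-Object { -not [string]::IsNullOrEmpty($_.ClaimProviderName) } |
        Group-Object -Property ClaimProviderName |
        ForEach-Object {
            New-Object psobject -Property @{
                ClaimProviderName = $_.Name
                TrustCount        = $_.Count
                Trusts            = @($_.Group | ForEach-Object { $_.Name }) -join ', '
                Ambiguous         = ($_.Count -gt 1)
            }
        }
}

# Constructed sample data reproducing the state described in the thread.
# On a farm, replace with: $trusts = @(Get-SPTrustedIdentityTokenIssuer)
$trusts = @(
    (New-Object psobject -Property @{ Name = 'TrustedID1'; ClaimProviderName = 'LDAPCP' }),
    (New-Object psobject -Property @{ Name = 'TrustedID2'; ClaimProviderName = 'LDAPCP' }),
    (New-Object psobject -Property @{ Name = 'TrustedID3'; ClaimProviderName = '' })
)

$report = @(Get-ClaimProviderAssociation -Trust $trusts)
$report | Format-Table ClaimProviderName, TrustCount, Trusts, Ambiguous -AutoSize

# Warn for every claims provider that cannot know which trust it is called for.
foreach ($entry in ($report | Where-Object { $_.Ambiguous })) {
    $msg = '{0} is set on {1} trusts ({2}).' -f $entry.ClaimProviderName, $entry.TrustCount, $entry.Trusts
    Write-Warning $msg
}
```

With the constructed data, LDAPCP is reported with TrustCount 2 and Ambiguous True, which is the state in which LDAPCP deactivates itself.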