People picker configuration when using forms and windows authentication

    Question

  • Our current configuration:

    • Web App with Default Zone: Windows Authentication only (claims-based authentication).
    • Extended Web App with Internet Zone: Windows Authentication and FBA (LdapMembership).

    Problem:

    From the web app, when I enter a user name in the People Picker, e.g. “Dave Green”, I get “No exact match found”.  I figured out that this is happening because in the Internet zone I have both Windows authentication and FBA enabled.  Once I click the “Browse” button and search for that user there, two results are returned:

    Dave Green

    Dave Green

    I select both of them and now in the People Picker they show up as:

    i:0#.f|ldapmember|davegreen

    i:0#.w|csepp\davegreen


    So I have a couple of questions:

    Question 1:

    I know that the “no exact match found” message will go away if I turn off Windows authentication for the Internet zone.  But is that the right way to handle this?  When I turned it off, I got the following message:

    If Windows authentication is not selected on any Zone of this Web application, crawling for this Web application will be disabled.


    Question 2:


    Once I configure it so that only one result gets displayed, what do I need to do so that in the People Picker this user (let’s say the ldapmember user) shows up as “Dave Green” as opposed to “i:0#.f|ldapmember|davegreen”?

     FYI, the People Picker section in the web.config for both the default zone and the internet (https) zone is defined as:

     <PeoplePickerWildcards>
       <clear />
       <add key="LdapMember" value="*" />
       <add key="LdapRole" value="*" />
       <add key="AspNetSqlMembershipProvider" value="%" />
     </PeoplePickerWildcards>

    Thanks

    Wednesday, September 11, 2013 6:56 PM

All replies

  • In your Internet zone you can turn off Windows authentication, because you already have Windows auth enabled for the default zone, so search should work fine. You should make an effort to stop people from logging in using their Windows accounts, because when people have multiple accounts they get confused and it makes the ACLs hard to maintain.

    Your forms accounts have both a display name and an account name. The account name i:0#.f|ldapmember|davegreen should only show when you are viewing things like permission lists for sites, lists, items, etc., but the display name should show for group membership and people/group field values. Is this not happening for you?


    Please mark my response as an answer if appropriate.
    Learn.SharePoint.com

    Wednesday, September 11, 2013 7:04 PM
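An added example in Python (not code from the thread, and not part of SharePoint) that decodes the two encoded identities quoted in the question and then audits a constructed ACL for people who hold permissions under more than one issuer, which is the maintenance problem the reply above warns about. The two “Dave Green” strings are taken from the question; the other principals and the permission levels are constructed. The lookup tables are my reading of SharePoint's claims-encoding scheme beyond the four codes the page itself shows (w, f, #, .); any code not in them is reported as unknown rather than guessed.

```python
"""Decode SharePoint 2010 encoded claims and audit an ACL for dual identities.

Added example (not code from the thread). The lookup tables cover the codes that
appear on this page plus a few common ones, filled in from SharePoint's
claims-encoding scheme as I know it; any other code is reported as unknown.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# First character: identity claim ("i") or any other claim such as a role ("c").
CLAIM_KIND = {"i": "identity", "c": "other"}
# Fourth character: the claim type (the third character is always "0", reserved).
CLAIM_TYPE = {
    "#": "userlogonname",
    "5": "emailaddress",
    "-": "role",
    "!": "identityprovider",
}
# Fifth character: the claim value type.
VALUE_TYPE = {".": "string"}
# Sixth character: who issued the claim.
ISSUER_TYPE = {
    "w": "windows",
    "f": "forms",
    "t": "trusted",
    "s": "sharepoint-sts",
}


@dataclass(frozen=True)
class EncodedClaim:
    raw: str
    kind: str
    claim_type: str
    value_type: str
    issuer_type: str
    issuer_name: str  # provider name; empty for Windows and STS-issued claims
    value: str

    def normalized_user(self) -> str:
        """Key for spotting one person under two issuers: drop DOMAIN\\, lower-case."""
        return self.value.split("\\", 1)[-1].lower()


def decode_claim(encoded: str) -> EncodedClaim:
    """Parse "<i|c>:0<type><valuetype><issuer>|[<provider>|]<value>"."""
    if len(encoded) < 8 or encoded[1] != ":" or encoded[2] != "0" or encoded[6] != "|":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    kind = CLAIM_KIND.get(encoded[0])
    if kind is None:
        raise ValueError(f"unknown claim indicator {encoded[0]!r} in {encoded!r}")
    issuer_code = encoded[5]
    rest = encoded[7:]
    # Forms and trusted issuers name the provider before a second "|";
    # Windows and the SharePoint STS do not.
    if issuer_code in ("f", "t"):
        if "|" not in rest:
            raise ValueError(f"missing provider name in {encoded!r}")
        issuer_name, value = rest.split("|", 1)
    else:
        issuer_name, value = "", rest
    if not value:
        raise ValueError(f"empty claim value in {encoded!r}")
    return EncodedClaim(
        raw=encoded,
        kind=kind,
        claim_type=CLAIM_TYPE.get(encoded[3], f"unknown({encoded[3]})"),
        value_type=VALUE_TYPE.get(encoded[4], f"unknown({encoded[4]})"),
        issuer_type=ISSUER_TYPE.get(issuer_code, f"unknown({issuer_code})"),
        issuer_name=issuer_name,
        value=value,
    )


def find_dual_identities(acl: dict[str, str]) -> dict[str, list[EncodedClaim]]:
    """Return users that hold permissions under more than one issuer.

    ``acl`` maps an encoded principal to its permission level. SharePoint treats
    i:0#.w|DOMAIN\\user and i:0#.f|provider|user as different principals, so a
    grant to one does nothing for the person when they sign in as the other.
    """
    by_user: dict[str, list[EncodedClaim]] = defaultdict(list)
    for raw in acl:
        claim = decode_claim(raw)
        if claim.kind == "identity":
            by_user[claim.normalized_user()].append(claim)
    return {
        user: claims
        for user, claims in by_user.items()
        if len({(c.issuer_type, c.issuer_name) for c in claims}) > 1
    }


# Constructed sample ACL: the two "Dave Green" entries from the thread plus filler.
SAMPLE_ACL = {
    "i:0#.w|csepp\\davegreen": "Full Control",
    "i:0#.f|ldapmember|davegreen": "Read",
    "i:0#.f|ldapmember|jsmith": "Contribute",
    "c:0-.f|ldaprole|editors": "Contribute",
}

if __name__ == "__main__":
    for raw in SAMPLE_ACL:
        c = decode_claim(raw)
        print(f"{raw:32} -> {c.kind} {c.claim_type} via {c.issuer_type} "
              f"{c.issuer_name or '-'} : {c.value}")
    for user, claims in find_dual_identities(SAMPLE_ACL).items():
        print(f"{user}: granted under {len(claims)} issuers: {[c.raw for c in claims]}")
```

Running it prints one decoded line per principal and reports davegreen as granted under both the Windows issuer and the ldapmember forms provider. Because the two strings differ only in the issuer character and provider name, SharePoint treats them as unrelated principals: a permission granted to i:0#.w|csepp\davegreen does not apply when the same person signs in through forms. That is the concrete reason behind the advice above, and it also means that turning Windows authentication off on the Internet zone should be followed by a check for ACEs that still reference i:0#.w identities on that zone's sites.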
  • 1) You can turn off Windows Auth on the Internet zone given it is active on the Default zone, for crawling purposes

    2) Have you mapped the SPS-ClaimID in the UPA to the login attribute you're using for FBA? http://technet.microsoft.com/en-us/library/gg750254(v=office.14).aspx#section2


    Trevor Seward, MCC


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


    Wednesday, September 11, 2013 7:05 PM
    Moderator
  • Right now in the People Picker, when I click Browse, type in "Dave Green" and select that user, then back on the People Picker page he shows up as i:0#.f|ldapmember|davegreen, not Dave Green.  Some of our customers are power users who will be assigning permissions to other users, and I think seeing the "ldapmember" part might confuse them, since until now (in 2007, i.e. before the migration to 2010) if they searched for users the results would always be returned as the display name, or at least as the login user name.
    Wednesday, September 11, 2013 7:53 PM
  • I have SPS-ClaimProviderID mapped to sAMAccountName.  However, right now we do not have the User Profile service enabled for this web application.  For this particular application we do not want users to view or edit their profiles.  What I don't understand is that when I log in as Dave Green, at the top right corner I see "Welcome Dave Green", but when I go to the People Picker, click "Browse" and enter "Dave Green", that person is found.  Then I select it and click OK, and in the People Picker window it now shows

    “i:0#.f|ldapmember|davegreen”

    So it seems to me that the system knows that the display name is "Dave Green", right?  Since it's showing it on the main page and it's allowing me to search for that name.  So it's almost like this is some configuration issue for People Picker.

    Wednesday, September 11, 2013 8:04 PM
  • The UPA is needed in order to get information from the data source and push it to the UIL of the site collection, so that sn/givenName/displayName are populated from a non-Windows Auth source.

    Trevor Seward, MCC


    Wednesday, September 11, 2013 8:08 PM
    Moderator
  • Sorry, one thing I forgot to mention is that this People Picker is located on our custom .aspx page.  Basically, we have some custom menus defined both at the Site Actions and Actions level, and custom .aspx pages show up when users click on these custom menus.  The People Picker is located on one of those pages.  Is it possible that after it's placed on the .aspx page it needs to be configured some way to show display names rather than the full “i:0#.f|ldapmember|davegreen”?
    Wednesday, September 11, 2013 8:09 PM
  • When you look at the UIL for Dave Green does he have different values for Account and Name? It sounds like he does. I'm struggling as to why the people picker is using the account value instead of the Display name for the PickerEntity.DisplayName value. Can you try other people pickers, like maybe inside of CA for SCAs or Site Permissions or something?


    Wednesday, September 11, 2013 8:30 PM
  • Also, this post claims there is a hotfix to solve a problem very much like yours

    http://social.technet.microsoft.com/Forums/en-US/95680016-a81e-4a74-914f-1f7b589813d6/forms-authentication-and-profile-synchronization-using-ldap



    Wednesday, September 11, 2013 8:36 PM
  • In Central Admin, this user shows up as:

    Account Name: i:0#.f|ldapmember|davegreen

    Preferred Name:  Dave Green

    In the UIL the "Name" column shows "Dave Green".  I don't see any Account column on that page.  I'm not familiar with the UIL. Is this a column you need to add, or do you mean that I click on the link and see what the account name is on the user profile page?  (I enabled the User Profile service application for this site after the feedback from Trevor and ran the synchronization.)

    Wednesday, September 11, 2013 10:30 PM
  • If I log in as that user, then under My Settings the account name is i:0#.f|ldapmember|davegreen and the Name is "Dave Green".  When I had both Windows and forms authentication enabled on the Internet zone and searched for that user, that user showed up under both Windows authentication and forms authentication.  If I selected the Windows user, the user shows up correctly in the People Picker as "Dave Green", but if I selected the forms user (which was returned as "davegreen", i.e. as the login, not the display name), this user would show up as i:0#.f|ldapmember|davegreen.  So it looks like this issue is only affecting forms authentication, which is the one we want to use.
    Wednesday, September 11, 2013 10:47 PM