Disabling access to user information list for external users

  • Question

  • Greetings,

I have a web application that uses Windows authentication for internal users and a custom identity provider (trusted issuer token service) for external users. I would like to have a way to restrict the external users from seeing the details of my internal users when using the people picker or through any other means.

    I disabled the sharing functionality (which could have allowed them to see the internal users) and also restricted access to userdisp.aspx and people.aspx from web.config.

    I could also make sure that my web app doesn't use any people picker, but is there any way to restrict this? Are there any other features that could expose my internal AD users?

    Many thanks,

Adrian


    Wednesday, June 26, 2019 9:40 AM

Answers

  • Hi Adrian,

    There are two methods for your reference:

1. Try to use PowerShell to hide the AD claim provider; however, this will hide it in the entire farm. You can extend the website to a different zone, then disable NTLM authentication.

    $cpm = Get-SPClaimProviderManager
    $ad = Get-SPClaimProvider -Identity "AD"   # the built-in Active Directory claim provider
    $ad.IsVisible = $false                      # hide it from the People Picker (farm-wide)
    $cpm.Update()                               # persist the change


    Reference: Modify PeoplePicker to remove AD results and only show SAML Claims?

    2. Create a new OU in AD and move internal users to this OU, then use LDAP queries to exclude users from relevant OU in People Picker.

    Reference: Filter Active Directory accounts by using LDAP queries

    Best regards,

    Grace Wang



    • Marked as answer by Adrian Ganea Thursday, June 27, 2019 8:34 AM
    Thursday, June 27, 2019 8:21 AM
    Moderator
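The second method above (an LDAP filter on the People Picker) can be scoped to one web application rather than the whole farm. The script below is an added example and is not code from the answer or from Microsoft; it uses the allow-list form of the filter (only members of one domain group are returned, which is also what the original poster later says he wants) instead of excluding an OU, because AD does not support wildcard matching on DN-syntax attributes such as distinguishedName. The web application URL and the group DN are placeholders; the People Picker properties used (ActiveDirectoryCustomFilter, NoWindowsAccountsForNonWindowsAuthenticationMode) are the real SPPeoplePickerSettings members.

```powershell
# Added example, not code from the forum thread. Restricts the People Picker's AD search on ONE
# web application to members of a single domain group, leaving the AD claim provider visible
# elsewhere in the farm. URL and group DN below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "https://extranet.contoso.local"                               # placeholder
$allowedGroupDn = "CN=Extranet Collaborators,OU=Groups,DC=contoso,DC=local"      # placeholder

# memberOf matches direct membership only; nested groups are not expanded by this filter.
$adFilter = "(memberOf=$allowedGroupDn)"

# 1. Dry run against AD with the same LDAP semantics the picker uses, so a mistyped DN shows
#    up here rather than as an empty picker for every user of the web application.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)$adFilter)"
$searcher.PropertiesToLoad.Add("sAMAccountName") | Out-Null
$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    throw "Filter '$adFilter' matched no users; check the group DN before applying it."
}
Write-Host "Filter matches $($results.Count) account(s), e.g. $($results[0].Properties['samaccountname'])"

# 2. Apply the filter to this web application only. The second property is the one the thread
#    discusses; the ULS trace in the thread shows why it alone had no effect there.
$wa = Get-SPWebApplication $webAppUrl
$wa.PeoplePickerSettings.ActiveDirectoryCustomFilter = $adFilter
$wa.PeoplePickerSettings.NoWindowsAccountsForNonWindowsAuthenticationMode = $true
$wa.Update()

# 3. Read the stored values back to confirm the change persisted.
$wa = Get-SPWebApplication $webAppUrl
$wa.PeoplePickerSettings |
    Select-Object ActiveDirectoryCustomFilter, NoWindowsAccountsForNonWindowsAuthenticationMode
```

The filter only narrows what the AD search returns to the People Picker; it does not change what an external user can read from the site's user information list or from userdisp.aspx, which is why the original poster's web.config restrictions still matter alongside it.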

All replies

  • Actually, I found this property on the web application object that should do exactly what I intend, but it doesn't seem to work in my environment. It still brings up my active directory users.

    $wa.PeoplePickerSettings.NoWindowsAccountsForNonWindowsAuthenticationMode=$true

    Any idea why?

    Wednesday, June 26, 2019 1:40 PM
• What is the error you're getting and what is the script you tried? Did you provide $wa = web app URL?

    Try the below command :

    stsadm -o getproperty -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -url <Web application URL>


    sharath aluri


    Wednesday, June 26, 2019 1:47 PM
• Thanks Sharath, I don't get any errors; the property gets successfully set to true but it doesn't seem to have any effect. If I log in with an external account, I still see all my internal users when trying to assign permissions or when using a people picker. From my understanding, if the property is set to true, a non-Windows user should not see my AD users, right?

    Regards,

    Adrian

    Wednesday, June 26, 2019 7:03 PM
• I think that applies only to SharePoint 2007.

    https://docs.microsoft.com/en-us/previous-versions/office/sharepoint-2007-products-and-technologies/cc263264(v=office.12)

My bad, sorry, that is just the get command, but I am surprised it's showing yes and you were still able to see them.

    Try the below command:

    stsadm -o setproperty -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv yes -url <Web App Url>

    Below articles for your references:

    https://blog.bugrapostaci.com/2010/12/08/sharepoint-restrict-peoplepicker-filter-shows-only-forms-authentication-users/

    https://spramesh2010.wordpress.com/page/3/

    Thanks & Regards,


    sharath aluri


    Wednesday, June 26, 2019 7:20 PM
  • No, it applies to SharePoint 2016, too, because I can see the property on the web app object.

However, looking at the ULS entries below it seems that SharePoint sees my token as a Windows user (which it is not), so I believe that this is the cause of my issue.

    Any idea why this happens?

    35:21.4 w3wp.exe (0x62D4)                        0x5160 SharePoint Foundation          Claims Authentication          a1n25 High     Token is for a windows account.
    35:21.4 w3wp.exe (0x62D4)                        0x5160 SharePoint Foundation          Claims Authentication          avqtc Medium   Exception from site settings manager, EveryoneClaimEnabled default to True : Exception System.ArgumentNullException: Value cannot be null.  Parameter name: siteSubscription     at Microsoft.SharePoint.SPSiteSubscriptionSettings.GetSettings(SPSiteSubscription siteSubscription)     at Microsoft.SharePoint.Administration.Claims.SPAllUserClaimProvider.GetClaimVisibilitySetting(String siteSubscriptionKey, SPSiteSubscription siteSubscription)
    35:21.4 w3wp.exe (0x62D4)                        0x5160 SharePoint Foundation          User Key                       ayswp High     Successfully got user key for user. User key and userNameSuffix are identical. UserNameSuffix: '05.t|asf identity provider|ganea4@gmail.com'.

    Regards,

    Adrian

    Thursday, June 27, 2019 6:50 AM
• Thanks again, Grace!

    Indeed, I've done some research and Option 2 seems to be the valid one for me. However, I am thinking of adding some of my internal users to a domain group and using that as the search filter, because I still want a few internal users to be added to my site.

    Regarding option 1, hiding the AD provider for the entire farm is not viable. However, extending the web app to a different zone is how I had first started, but then I ran into some issues with the links inside workflows' email notifications (e.g. external users would have been sent to the internal URL) and I gave up. Perhaps I should revisit this option.

    Many thanks,

    Adrian

    Thursday, June 27, 2019 8:44 AM