
We have a SharePoint 2010 extranet web application that uses claims authentication.

  • The Intranet zone is using mixed authentication (NTLM against internal AD and FBA against a separate AD).
  • The Extranet zone uses FBA only against the separate AD.

We have sites that have NTLM users in the Members SharePoint group. We have libraries with "Person" columns limited to the Members group. We would like to allow FBA users to pick NTLM users that are in the Members group when filling in item metadata. The problem is that the FBA users can see the NTLM users in the people picker but when they select them, the user is not resolved. I realize we could probably work around this by adding NTLM to the Extranet zone but prefer not to do this if possible.

My questions are:

Is this a scenario where a custom claims provider would be appropriate?

Is this a problem that could be resolved with the peoplepicker-searchadforests property? (I've not been able to get my head around a real world example where this property is in play)


1 Answer


This is how I understood that the people picker works. I'm not 100% sure so don't take it for absolute truth :)

Basically, in the context of the Extranet application, all standard pickers are completely unaware that the internal AD exists. The "hits" you get in the people picker are found in SiteUsers list and/or profile database.

"Is this a problem that could be resolved with the peoplepicker-searchadforests property?" I don't think so. I think that even if you are able to make the people picker search other ADs, it might give some pretty weird results, like being able to add a person's permission to some object, but with the FBA claim prefix, which does not equal the user when logged in using NTLM. (A user signed in with NTLM and a user signed in with Claims are technically different users.)

"Is this a scenario where a custom claims provider would be appropriate?" I don't think so :(

One trick you can do for a people picker that YOU create (i.e. you have a custom page or web part or something with a people picker): there are several properties you can set to change where the users are retrieved from. For example, you can set a property like "WebApplication" or similar that basically makes the picker work as if in the context of the internal application despite the current user being logged in on the external app.

What I'm thinking is maybe there is some way to enable the NTLM membership provider on the extranet application, but without actually enabling end user authentication with it. It doesn't sound impossible but I'm not sure exactly how that would be done though.
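For reference, the peoplepicker-searchadforests setting the question asks about is stored per web application and can be inspected and set from the SharePoint 2010 Management Shell. The following is an added example, not code from the original question or answer; it assumes the extranet web application is at http://extranet.example.com and that a dedicated read-only account EXAMPLE\svc-peoplepicker exists in the internal forest internal.example.com (all placeholder names). It only configures the forest search; it does not change the claim-prefix mismatch the answer describes.

```powershell
# Added example (not from the original post). Placeholder names throughout:
# web application URL, forest name and service account are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "http://extranet.example.com"

# Show what is already configured before changing anything.
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Select-Object DomainName, IsForest, LoginName

# The stored credential is encrypted with the farm "app password", which must
# already be set on every server (stsadm -o setapppassword -password <pwd>);
# otherwise SetPassword below fails.
$entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$entry.DomainName = "internal.example.com"      # placeholder forest name
$entry.IsForest   = $true                        # search the whole forest, not a single domain
$entry.LoginName  = "EXAMPLE\svc-peoplepicker"   # placeholder read-only account
$entry.SetPassword((Read-Host "Password for $($entry.LoginName)" -AsSecureString))

$wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($entry)
$wa.Update()
```

Because this password is persisted in the configuration database, use an account that can only read the directory and nothing else.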