We have set up ADFS in our QA environment and we have everything sorted out except for one issue.
Our environment:
We have four web apps, not including central admin
- 2 web apps using NTLM; they are both public and allow anonymous access.
- My Sites, using ADFS and NTLM
- Default SharePoint web app, using ADFS and NTLM
I left NTLM turned on in both our default web app and My Sites because search requires NTLM. I have read about extending the web app and setting up server name mappings in search, then shutting off NTLM, but I have also read on an MSDN blog that this is not recommended. Search has issues when it isn't crawling the default zone.
Finally, I have a custom claims provider from CodePlex that allows the people picker to resolve ADFS names.
The only issue I am struggling with now is that the people picker is showing both ADFS and NTLM accounts. I found a PowerShell script that hides the AD provider:
    $cpm = Get-SPClaimProviderManager
    $ad = Get-SPClaimProvider -Identity "AD"
    $ad.IsVisible = $false
    $cpm.Update()
but it appears this impacts the entire farm, including the public web sites and Central Administration. I am not so much worried about Central Administration, but I can't turn it off for the public web sites. At the same time, having two people picker accounts in our default web app is going to cause issues. I can guarantee that users will select the wrong (NTLM) account when adding permissions or selecting users in list items.
Is there any way to selectively hide the AD provider for one web app and not another (within the same farm), or will I have to create a new, separate farm to host the public web sites?
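The following is an added inventory script, not part of the question above and not from the CodePlex project it mentions. It records which claims providers the farm exposes (visible, enabled, used by default) and which providers each web application zone has been assigned explicitly, so that the farm-wide effect of `$ad.IsVisible = $false` can be confirmed with a before/after comparison rather than by trying the people picker in every site. It assumes the SharePoint Management Shell on a farm server; the `ClaimsProviders` collection on `SPIisSettings` is assumed to hold the names of providers added explicitly to that zone. The functions `Get-ClaimsProviderInventory`, `Get-WebAppClaimsProviderAssignment` and `Compare-ClaimsProviderInventory` are names chosen for this example.

```powershell
# Added example (not the original poster's script): claims provider inventory
# for checking the scope of a visibility change. Assumes the SharePoint
# Management Shell; the snap-in load is a no-op when it is already present.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ClaimsProviderInventory {
    # Farm-level view: Get-SPClaimProvider returns one definition per registered
    # claims provider ("AD" is the built-in Active Directory provider).
    foreach ($cp in Get-SPClaimProvider) {
        New-Object PSObject -Property @{
            DisplayName     = $cp.DisplayName
            IsEnabled       = $cp.IsEnabled
            IsVisible       = $cp.IsVisible        # what the farm-wide toggle flips
            IsUsedByDefault = $cp.IsUsedByDefault  # offered in every zone unless overridden
        }
    }
}

function Get-WebAppClaimsProviderAssignment {
    # Per-zone view. Assumption: SPIisSettings.ClaimsProviders lists the provider
    # names explicitly assigned to that zone; it is empty when the zone relies
    # only on the providers flagged IsUsedByDefault at the farm level.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $settings = $wa.IisSettings[$zone]
            New-Object PSObject -Property @{
                WebApplication    = $wa.DisplayName
                Zone              = $zone
                ClaimsAuth        = $wa.UseClaimsAuthentication
                WindowsAuth       = $settings.UseWindowsIntegratedAuthentication
                TrustedClaimsAuth = $settings.UseTrustedClaimsAuthentication
                ExplicitProviders = ($settings.ClaimsProviders -join ', ')
            }
        }
    }
}

function Compare-ClaimsProviderInventory {
    # Reports providers whose IsVisible flag differs between two snapshots.
    param($Before, $After)
    foreach ($b in $Before) {
        $a = $After | Where-Object { $_.DisplayName -eq $b.DisplayName }
        if ($a -and ($a.IsVisible -ne $b.IsVisible)) {
            "{0}: IsVisible {1} -> {2}" -f $b.DisplayName, $b.IsVisible, $a.IsVisible
        }
    }
}

# Usage: snapshot, apply the change from the question, snapshot again, compare.
$before = Get-ClaimsProviderInventory
$before | Format-Table DisplayName, IsEnabled, IsVisible, IsUsedByDefault -AutoSize
Get-WebAppClaimsProviderAssignment |
    Format-Table WebApplication, Zone, ClaimsAuth, WindowsAuth, TrustedClaimsAuth, ExplicitProviders -AutoSize
# ... run the farm-wide $ad.IsVisible = $false / $cpm.Update() script here ...
$after = Get-ClaimsProviderInventory
Compare-ClaimsProviderInventory -Before $before -After $after
```

Because `IsVisible` lives on the farm-level provider definition and not on a zone, the comparison will show a single "AD" row changing, while the per-zone table is unchanged; that is the farm-wide scope the question describes, and the per-zone table is where any web-application-specific assignment would have to show up instead.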