
SharePoint PeoplePicker and ADAM

One of the comments on my PeoplePicker post asked some questions about the way PeoplePicker works with ECTS – the External Collaboration Toolkit for SharePoint.  To be honest, I haven’t worked with the ECTS myself, but I understand the theory.

The ECTS uses Microsoft’s ADAM – Active Directory Application Mode – to act as a user repository, which gives you a SharePoint structure that should resemble the following:

[Figure: External Collaboration Toolkit for SharePoint Architecture]

Getting the PeoplePicker to work correctly with this is difficult, but not impossible. The question asked was what could cause the PeoplePicker to fail to return AD users when logged in as an external user? Of course, as is often the case with blog comments, there really isn’t anywhere near enough information about the setup to answer accurately.

My first guess would be that the PeoplePicker has actually been deliberately configured that way. It is a potentially huge security risk to allow external users to see all the usernames of your company, which is why many people using ADAM authentication run the following command:

stsadm -o setproperty -url https://<url> -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv yes

This command deliberately stops the PeoplePicker from returning internal AD users to anyone logged in via forms-based authentication rather than Windows authentication, which includes ADAM. You can tell whether it is turned on by running:

stsadm -o getproperty -url https://<url> -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode

If this is the problem, you can turn the security feature off by running:

stsadm -o setproperty -url https://<url> -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv no

And your PeoplePicker should leap back into life for all users.

However, there are still some quirks with using the PeoplePicker with ADAM, even once AD users are allowed to be returned. Take a look at Matt Morse’s excellent blog on how the PeoplePicker returns different results from ADAM than you might expect if you are used to working with normal Windows authentication.

EDIT:-

As always, after applying stsadm commands to your SharePoint installation, don’t forget to either reset IIS or the relevant application pool.
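To check the property above across several web applications in one go, here is an added PowerShell audit script (example code, not from the original post). It assumes stsadm.exe is on the PATH, that getproperty prints a single <Property Exist="..." Value="..." /> element as it does on MOSS 2007, and the web application URLs are placeholders.

```powershell
# Added example: report whether each web application hides AD accounts from
# forms-based (ADAM) users in the PeoplePicker. Assumes stsadm.exe is on the PATH.
$propertyName = 'peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode'
$webApps = @('https://extranet.example.com', 'https://partners.example.com')  # placeholders

function Get-PeoplePickerAdLockdown {
    param([string]$Url)
    # stsadm returns one XML element, assumed to look like:
    #   <Property Exist="Yes" Value="yes" />   or   <Property Exist="No" />
    $raw = & stsadm -o getproperty -url $Url -pn $propertyName
    $xml = [xml]($raw -join "`n")
    $node = $xml.Property
    if ($node.Exist -ne 'Yes') {
        # Never set: the default applies, so AD users are returned to everyone.
        return 'no (property not set)'
    }
    return $node.Value
}

foreach ($url in $webApps) {
    $value = Get-PeoplePickerAdLockdown -Url $url
    if ($value -like 'yes*') {
        Write-Host "$url : AD accounts are HIDDEN from forms-auth (ADAM) users; PeoplePicker will not return them"
    } else {
        Write-Host "$url : AD accounts are VISIBLE to forms-auth (ADAM) users (value: $value)"
    }
}

# To change a setting, run the setproperty command from the post and then,
# as the EDIT above says, recycle IIS so the new value takes effect:
#   stsadm -o setproperty -url <url> -pn $propertyName -pv yes
#   iisreset
```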

  1. Chandrika
    May 29th, 2009 at 07:20

    Thanks for your help Rob :)

    I need one more bit of help.

    When I log in as an external user or a domain user and search for an external user (only by name, for example: chandrika), I get the user only when that user has been added to the site. If the user has not been added to the site, I don’t get that user in the results.

    When I search using the complete email ID (for example: chandrika.g@gmail.com), I get the user listed in the results.

    I need to get all the users, as I do when I search for domain users by name, even if they have not been added to the site.

  2. Chandrika
    June 1st, 2009 at 07:18

    Hi Rob,
    Do I need to import the profiles of the “ADAM” users in Central Admin to get them displayed even if they are not added to the site?
    I face the same problem when I log in as a domain user too.
    When I log in to the site (as a domain user) and search for external users, they are listed only if they have been added to the site.

    No results if not added (but the user is there in the ADAM database).

    When I search by entering the entire email ID, I do get the user.

    A user need not remember the entire email ID of the external user, right?
