Wednesday, April 23, 2014

How to Filter SharePoint People Picker to Increase Extranet Security

You have successfully configured your secure extranet (using Extranet CollaborationManager (ExCM)) ensuring that all permissions were set correctly and even configuring separate "roles" to keep your external users from being added to SharePoint Groups. Now, there is no way that an external user can gain access to anything they are not supposed to see, right? Wrong!

 If Samantha from your Human Resources Department needs to add Bobby Jones, from her Marketing Department, to a document and she uses the SharePoint People Picker to find the name, that external user could still show up and be given  permissions to the "internal eyes only" report. See the image below displaying both the intended internal Bobby Jones and the external

Or, say you are utilizing the Site Sponsor feature of ExCM and your external business partner uses the People Picker to look for additional users to make Site Sponsors in their organization. The business partner will not only see users they have access to manage,  but they will also be able to see all the users that People Picker can see... internal AD users as well as other external users.

This seems like a flaw in SharePoint's People Picker.

However, People Picker was built this way for good reason: to ensure that it returns the right results for you. It looks everywhere to ensure that it gets the most results when you need it to find someone, bypassing all security measures you had in place, in an extranet scenario using forms-based authentication for external users.

There is good news, however. According to this TechNet article, ( ) the People Picker can be configured to "filter and restrict the results that are displayed when a user searches for a user, group or claim".

 I will walk you through the steps used to apply this filter, but be sure to read the important note at the end as this may not be exactly the solution you are looking for.

So what is the best way to ensure that your extranet users never see any users listed anywhere in SharePoint other than users from their organization and your internal users that are collaborating with them?

Answer: First, create separate Site Collections for each external business partner organization.  Second, use the “stsadm setproperty” command to force People Picker to pick only from users in the current Site Collection.

According to the article mentioned above, you can force People Picker to only return users who have permissions in the current Site Collection by using either the PeoplePicker-Peopleeditoronlyresolvewithinsitecollection property or the PeoplePicker-Onlysearchwithinsitecollection property.

The property you use to configure this restriction will depend on whether you want to set the restriction for the text box (called the “People Editor”) and Check Names button, or for the Select People and Groups dialog box. Both are covered in this article.

The first thing we need to do is open a cmd prompt and change directory to the “Common Files\Microsoft Shared\Web Server Extensions\15\bin” directory as seen here:

Next, we will use the “getproperty” command of stsadm to see if the filter is currently turned on. (Note: if you have built your SharePoint farm and never adjusted this filter, then chances are you can skip this step, though not many of us are as lucky as you and have instead inherited our environments and must check these things. J)

The command will look like:
stsadm -o getproperty -propertyname peoplepicker-onlysearchwithinsitecollection -url <Web App URL>
as shown below:

From the results we can see that the "only search within site collection" filter does exist, but the value is set to "no" so it is not turned on.

In my test environment, Bobby Jones is an AD user and is an external user. If I log into my secure extranet as Sally and add a site sponsor, and I type Bobby into the People Picker field, it will return Bobby Jones from my AD. This is not the desired result, as I do not want my external users to be able to see or select my internal AD users who do not have permissions in the current Site Collection.

To force People Picker to only return users who have permissions in the Site Collection when the Select People and Groups dialog box is used, type the following command:

stsadm -o setproperty –pn peoplepicker-onlysearchwithinsitecollection –pv yes –url <Web application URL>

Now, if we run the “getproperty” command again, we should see the value has changed to "yes":

If we go back and look for Bobby in my AD from People Picker, we'll see different results. He still shows up if I type his name into the People Editor text box and click the Check Names button; however, he will not show up when the Select People and Groups button and dialog is used:
We’ve made progress! J

Now we need to finish the job by restricting the People Editor text box and the Check Names button.

To force People Picker to only return users who have permissions in the Site Collection when the Check Names button is clicked, type the following command:

stsadm -o setproperty –pn peoplepicker-Peopleeditoronlyresolvewithinsitecollection –pv yes –url <Web application URL>

Now, if I type the username Bobby into my People Editor text box, and hit enter (which is equivalent to clicking Check Names), I will get:

* IMPORTANT NOTE * Once you apply these filters, you will not be able to use People Picker to find new users to give permissions to the Site Collection. If you are configuring People Picker for use in an extranet scenario with ExCM, you will need to ensure that you have an ExCM Security Policy setting configured for the Site Collection that automatically adds all new invited external users to the Visitors SharePoint Group. (or any SharePoint Group that you wish)  Adding external users to SQLMembershipProvider Roles will not work in this scenario as users  added to Roles only, will not allow them to show up in People Picker even though their Role may have been given permissions to the Site Collection.

What if you set all of this up and then determine that it does not work exactly like you need it to?  Can you set it back to the out-of-the-box configuration?

Yes. To remove the People Picker filter(s), place open quotes (" ") in the -pv switch

There are many more filters that you can apply to fit your environment, and I would welcome any reader to post a comment on how these filters have been used by you, or your organization, and how they have helped or hindered your situation.

For more information, see Peoplepicker-onlysearchwithinsitecollection: Stsadm property ( and Peoplepicker-peopleeditoronlyresolvewithinsitecollection: Stsadm property (SharePoint Server 2010).

Note:  even though the TechNet article referenced indicates that it is for SharePoint Server 2010, the commands also work as described for SharePoint 2013.

No comments: