Dear All:
Currently our SharePoint is using mixed authentication mode (claims mode with two authentication providers):
Windows-NTLM & ADFS 2.0
The ADFS's identity store is the same as SharePoint's domain, meaning we have only a single AD. The NTLM authentication provider is used for users who are in the office, and the ADFS authentication provider is used when they are at home (the same credentials).
When users open SharePoint, it prompts a page that lets the user select which authentication provider they want to use (NTLM or ADFS).
The question is, when the same user logs in using NTLM or ADFS, the user is treated as a different user.
For example:
UserA logs in using NTLM; his identity claim looks like: Domain\UserA
UserA logs in using ADFS; his identity claim looks like: i:05.t|saml provider|userA@domain.com
The profile and permissions of this user will be different.
Is there a way to treat the user as the same user no matter whether they log in by ADFS or NTLM?
I know that if we remove the NTLM authentication provider and only use ADFS, that can solve this problem, but the client doesn't want to do this, because:
The SharePoint was upgraded from 2007 (classic mode) and has a huge number of existing users, resources and permissions.
After the upgrade to claims mode, SharePoint automatically used the NTLM authentication provider.
If we removed the NTLM authentication provider, the client would have to reset all permissions in SharePoint again, for example:
-----------------------------
A ListItem's Permission:
1. In SharePoint 2007 classic mode:
Domain\UserA -- Full Control
2. After upgrading to SharePoint 2010 and then to claims mode, the client didn't need to reset the permission:
Domain\UserA -- Full Control
3. If we remove the NTLM authentication provider, the client has to reset the permission:
i:05.t|saml provider|userA@domain.com -- Full Control
--------------------------------------
Any ideas would help,
Thanks a lot!
- Edited by Vincent 2013 Friday, August 24, 2012 6:59 AM: changed some lines
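The identity mismatch described in the post comes from SharePoint's claims encoding: the NTLM and SAML providers emit differently encoded identity strings for the same AD account, and permission entries are matched on the encoded string, not on the underlying account. The following is an added illustration, not code from the post or from SharePoint, that decodes both forms and reduces them to one comparison key. It assumes the documented claim encoding layout `i:0<type>.<issuer-kind>|<issuer>|<value>` (type `#` = Windows account name, `5` = e-mail address; issuer kind `.w` = Windows, `.t` = trusted/SAML provider), that Windows identities may also appear encoded as `i:0#.w|domain\user`, and, as the post states there is only a single AD, that the local part of the SAML e-mail claim equals the sAMAccountName in the NTLM claim. The sample ACL is constructed from the post's list-item example.

```python
"""Decode SharePoint claims-encoded identities and map both NTLM and
SAML forms of the same AD user onto one key.

Added example, not part of the original post.  Assumptions (not taken
from the post): the claim header layout  i:0<type>.<issuer-kind>,
"#" = Windows account name, "5" = e-mail address, ".w" = Windows
provider, ".t" = trusted (SAML) provider, and that a SAML e-mail's
local part equals the Windows sAMAccountName (single-AD assumption).
"""
from dataclasses import dataclass
from typing import Dict, Optional

CLAIM_TYPE = {"#": "windows-account", "5": "email"}
ISSUER_KIND = {"w": "windows", "t": "trusted", "f": "forms", "m": "membership"}


@dataclass(frozen=True)
class SPIdentity:
    raw: str
    claim_type: str   # "windows-account" or "email"
    issuer_kind: str  # "windows", "trusted", ...
    issuer: str       # provider name, empty for Windows
    value: str        # the claim value itself


def decode_identity(raw: str) -> SPIdentity:
    """Parse a SharePoint login name into its claim components."""
    if not raw.startswith("i:"):
        # Plain "Domain\User" as the post shows it: treat as a Windows account name.
        return SPIdentity(raw, "windows-account", "windows", "", raw)
    parts = raw.split("|")
    header = parts[0]  # e.g. "i:05.t" or "i:0#.w"
    if len(header) != 6 or header[2] != "0" or header[4] != ".":
        raise ValueError(f"unrecognised claim header: {header!r}")
    claim_type = CLAIM_TYPE.get(header[3], f"unknown({header[3]})")
    issuer_kind = ISSUER_KIND.get(header[5], f"unknown({header[5]})")
    if len(parts) == 2:          # Windows claims carry no issuer segment
        issuer, value = "", parts[1]
    elif len(parts) == 3:        # SAML/forms claims: provider name, then value
        issuer, value = parts[1], parts[2]
    else:
        raise ValueError(f"unexpected number of segments in {raw!r}")
    return SPIdentity(raw, claim_type, issuer_kind, issuer, value)


def canonical_key(raw: str) -> str:
    """Reduce either encoding to the lower-cased account name.

    Assumes (single AD) that the e-mail local part is the sAMAccountName.
    """
    ident = decode_identity(raw)
    if ident.claim_type == "windows-account":
        # "Domain\UserA" -> "usera"; a bare name passes through unchanged
        return ident.value.rsplit("\\", 1)[-1].lower()
    if ident.claim_type == "email":
        return ident.value.split("@", 1)[0].lower()
    raise ValueError(f"cannot derive an account key from {raw!r}")


def same_user(a: str, b: str) -> bool:
    """True when two login names resolve to the same AD account."""
    return canonical_key(a) == canonical_key(b)


# Constructed ACL modelled on the post's list-item example: entries are keyed
# by the *raw* login name, exactly as SharePoint stores them.
ACL: Dict[str, str] = {"Domain\\UserA": "Full Control"}


def effective_permission(acl: Dict[str, str], login: str) -> Optional[str]:
    """Look up a permission by account identity rather than by raw string,
    so the SAML form of UserA finds the entry granted to Domain\\UserA."""
    wanted = canonical_key(login)
    for principal, level in acl.items():
        if canonical_key(principal) == wanted:
            return level
    return None


if __name__ == "__main__":
    saml = "i:05.t|saml provider|userA@domain.com"
    print(decode_identity(saml))
    print("same user:", same_user("Domain\\UserA", saml))
    print("effective:", effective_permission(ACL, saml))
```

The comparison key makes the single-AD assumption explicit in one place; if e-mail local parts and sAMAccountNames diverge in a real tenant, that is the function an auditor would replace with a directory lookup, while the decoder above stays valid.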