With Forms Authentication, People picker is unable to get the Display Name of the user account when using the "Check Name" option
Issue:
Consider that I have a user called Pradeep Anchan (sharePointo12\pa)
Display Name : Pradeep Anchan
User account: sharePointo12\pa
LDAP membership : ldapmembership:pa
Log on to the Forms Authentication site and locate a People column. Try to resolve the user "pa": it resolves to "pa" itself, which is the user account, and the display name of the user account is not retrieved.
The goal is to get the display name of the user account when using a Forms Authentication site.
Let's look at how this works on an NTLM site.
Resolve a user with the "Check Name" option for a People column, and look at how the request is served.
SharePoint's Request:
1. ProtocolOp: searchRequest (3)
2. Filter: (objectSID=01:05:00:00:00:00:00:05:15:00:00:00:24:fe:2c:0b:69:b8:41:35:b3:9f:0e:e7:5f:04:00:00)
So we are looking up the user by SID in AD, and that is the filter we use to get the user information.
3. Attributes that we request: 11 items
AttributeDescription: objectSID
AttributeDescription: mail
AttributeDescription: displayname
AttributeDescription: title
AttributeDescription: department
AttributeDescription: proxyaddresses
AttributeDescription: cn
AttributeDescription: samAccountName
AttributeDescription: groupType
AttributeDescription: userAccountControl
AttributeDescription: distinguishedName
Response from the Server:
1. protocolOp: searchResEntry (4)
2. Attributes sent back from the server (attributes: 6 items)
PartialAttributeList item cn (Value = Pradeep Anchan)
PartialAttributeList item distinguishedName (Value = CN=Pradeep Anchan,CN=Users,DC=SharePointO12,DC=com)
PartialAttributeList item displayName (Value = Pradeep Anchan)
PartialAttributeList item userAccountControl (Value = 66048)
PartialAttributeList item objectSid (Value = SID: S-1-5-21-187498020-893499497-3876495283-1119)
PartialAttributeList item sAMAccountName (Value = pa)
So when requesting the user information from AD, we do request the display name, and we get it back in the response as well.
Now for the Forms Authentication site:
Request sent:
1. Search Filter used when we try to resolve the user using forms auth
(&(|(ObjectCategory=group)(ObjectClass=person))(sAMAccountName=pa))
2. Attributes that we request: 4 items
AttributeDescription: distinguishedName
AttributeDescription: samAccountName
AttributeDescription: mail
AttributeDescription: cn
Response from the Server: Attributes sent back from the server (attributes: 3 items)
PartialAttributeList item cn (Value = Pradeep Anchan)
PartialAttributeList item distinguishedName (Value = CN=Pradeep Anchan,CN=Users,DC=SharePointO12,DC=com)
PartialAttributeList item sAMAccountName (Value = pa)
So it's very clear that we don't request the displayName attribute when querying for the user with Forms Authentication.
However, we do use the stored procedure (proc_SecResolvePrincipal) to resolve the user's name from the content database for that site. So if the user account is not present, we rely on the People Picker to get the display name in the case of NTLM.
For the Forms Authentication site, we need the UserInfo table in the content database to be updated with the display name for the user accounts. There are a few ways to update it: 1) by configuring LDAP profile import, and 2) by using OM code to update the user's display name.
Ex: Updated userinfo with the display name for the user account:
Since we use the stored procedure against the content database to resolve the user account's principal, we need to use the ldapmembership:username format to resolve the full display name (assuming the display name has been synced or has been updated using OM).
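One way to do the OM update described above, as an added example that is not part of the original post: a console program, run on a farm server, that reads displayName from AD for each forms-auth account and writes it to the site's user record. The site URL and LDAP root arguments, the class name and the EscapeFilter helper are assumptions for illustration; the ldapmembership: prefix is the one shown above.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using Microsoft.SharePoint;

class SyncFbaDisplayNames // hypothetical name, added example
{
    const string Prefix = "ldapmembership:"; // membership provider prefix from the page

    // Escape LDAP filter metacharacters (RFC 4515) so a login name cannot alter the search.
    static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    static void Main(string[] args)
    {
        string siteUrl = args[0];   // URL of the forms-auth site (assumption)
        string ldapRoot = args[1];  // e.g. LDAP://DC=SharePointO12,DC=com (assumption)

        using (SPSite site = new SPSite(siteUrl))
        using (DirectoryEntry root = new DirectoryEntry(ldapRoot))
        {
            SPWeb web = site.RootWeb; // owned by SPSite, so it is not disposed separately
            List<SPUser> users = new List<SPUser>();
            foreach (SPUser u in web.SiteUsers) users.Add(u); // snapshot before updating

            foreach (SPUser user in users)
            {
                if (!user.LoginName.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase)) continue;
                string account = user.LoginName.Substring(Prefix.Length);

                using (DirectorySearcher searcher = new DirectorySearcher(root))
                {
                    // Filter on sAMAccountName as in the forms-auth trace, but request displayName too.
                    searcher.Filter = "(&(objectClass=person)(sAMAccountName=" + EscapeFilter(account) + "))";
                    searcher.PropertiesToLoad.Add("displayName");
                    SearchResult hit = searcher.FindOne();
                    if (hit == null || hit.Properties["displayName"].Count == 0) continue;

                    string displayName = (string)hit.Properties["displayName"][0];
                    if (user.Name == displayName) continue; // already in sync
                    user.Name = displayName;                // persisted to the site's user record
                    user.Update();
                    Console.WriteLine("{0} -> {1}", user.LoginName, displayName);
                }
            }
        }
    }
}
```

After it runs, resolving ldapmembership:pa with "Check Name" is served from the content database and shows the stored display name.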