diff --git a/src/applications/auth/controller/config/PhabricatorAuthEditController.php b/src/applications/auth/controller/config/PhabricatorAuthEditController.php
--- a/src/applications/auth/controller/config/PhabricatorAuthEditController.php
+++ b/src/applications/auth/controller/config/PhabricatorAuthEditController.php
@@ -79,6 +79,7 @@
     }
 
     $errors = array();
+    $validation_exception = null;
 
     $v_login = $config->getShouldAllowLogin();
     $v_registration = $config->getShouldAllowRegistration();
@@ -153,12 +154,16 @@
         $editor = id(new PhabricatorAuthProviderConfigEditor())
           ->setActor($viewer)
           ->setContentSourceFromRequest($request)
-          ->setContinueOnNoEffect(true)
-          ->applyTransactions($config, $xactions);
+          ->setContinueOnNoEffect(true);
 
-        $next_uri = $config->getURI();
+        try {
+          $editor->applyTransactions($config, $xactions);
+          $next_uri = $config->getURI();
 
-        return id(new AphrontRedirectResponse())->setURI($next_uri);
+          return id(new AphrontRedirectResponse())->setURI($next_uri);
+        } catch (Exception $ex) {
+          $validation_exception = $ex;
+        }
       }
     } else {
       $properties = $provider->readFormValuesFromProvider();
@@ -325,12 +330,35 @@
 
     $provider->extendEditForm($request, $form, $properties, $issues);
 
+    $locked_config_key = 'auth.lock-config';
+    $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
+
+    $locked_warning = null;
+    if ($is_locked && !$validation_exception) {
+      $message = pht(
+        'Authentication provider configuration is locked, and can not be '.
+        'changed without being unlocked. See the configuration setting %s '.
+        'for details.',
+        phutil_tag(
+          'a',
+          array(
+            'href' => '/config/edit/'.$locked_config_key,
+          ),
+          $locked_config_key));
+      $locked_warning = id(new PHUIInfoView())
+        ->setViewer($viewer)
+        ->setSeverity(PHUIInfoView::SEVERITY_WARNING)
+        ->setErrors(array($message));
+    }
+
     $form
       ->appendChild(
         id(new AphrontFormSubmitControl())
           ->addCancelButton($cancel_uri)
+          ->setDisabled($is_locked)
           ->setValue($button));
 
+
     $help = $provider->getConfigurationHelp();
     if ($help) {
       $form->appendChild(id(new PHUIFormDividerControl()));
@@ -346,12 +374,16 @@
     $form_box = id(new PHUIObjectBoxView())
       ->setHeaderText(pht('Provider'))
       ->setFormErrors($errors)
+      ->setValidationException($validation_exception)
       ->setBackground(PHUIObjectBoxView::BLUE_PROPERTY)
       ->setForm($form);
 
+
+
     $view = id(new PHUITwoColumnView())
       ->setHeader($header)
       ->setFooter(array(
+        $locked_warning,
         $form_box,
         $footer,
       ));
diff --git a/src/applications/auth/controller/config/PhabricatorAuthListController.php b/src/applications/auth/controller/config/PhabricatorAuthListController.php
--- a/src/applications/auth/controller/config/PhabricatorAuthListController.php
+++ b/src/applications/auth/controller/config/PhabricatorAuthListController.php
@@ -78,12 +78,14 @@
       ->setGuidanceContext($guidance_context)
       ->newInfoView();
 
+    $is_disabled = (!$can_manage || $is_locked);
     $button = id(new PHUIButtonView())
       ->setTag('a')
       ->setButtonType(PHUIButtonView::BUTTONTYPE_SIMPLE)
-      ->setHref($this->getApplicationURI('config/new/'))
       ->setIcon('fa-plus')
-      ->setDisabled(!$can_manage || $is_locked)
+      ->setDisabled($is_disabled)
+      ->setWorkflow($is_disabled)
+      ->setHref($this->getApplicationURI('config/new/'))
       ->setText(pht('Add Provider'));
 
     $list->setFlush(true);
diff --git a/src/applications/auth/controller/config/PhabricatorAuthNewController.php b/src/applications/auth/controller/config/PhabricatorAuthNewController.php
--- a/src/applications/auth/controller/config/PhabricatorAuthNewController.php
+++ b/src/applications/auth/controller/config/PhabricatorAuthNewController.php
@@ -9,6 +9,27 @@
 
     $viewer = $this->getViewer();
     $cancel_uri = $this->getApplicationURI();
+    $locked_config_key = 'auth.lock-config';
+    $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
+
+    if ($is_locked) {
+      $message = pht(
+        'Authentication provider configuration is locked, and can not be '.
+        'changed without being unlocked. See the configuration setting %s '.
+        'for details.',
+        phutil_tag(
+          'a',
+          array(
+            'href' => '/config/edit/'.$locked_config_key,
+          ),
+          $locked_config_key));
+
+      return $this->newDialog()
+        ->setUser($viewer)
+        ->setTitle(pht('Authentication Config Locked'))
+        ->appendChild($message)
+        ->addCancelButton($cancel_uri);
+    }
 
     $providers = PhabricatorAuthProvider::getAllBaseProviders();
 
diff --git a/src/applications/auth/editor/PhabricatorAuthProviderConfigEditor.php b/src/applications/auth/editor/PhabricatorAuthProviderConfigEditor.php
--- a/src/applications/auth/editor/PhabricatorAuthProviderConfigEditor.php
+++ b/src/applications/auth/editor/PhabricatorAuthProviderConfigEditor.php
@@ -125,4 +125,25 @@
     return parent::mergeTransactions($u, $v);
   }
 
+  protected function validateAllTransactions(
+    PhabricatorLiskDAO $object,
+    array $xactions) {
+
+    $errors = parent::validateAllTransactions($object, $xactions);
+
+    $locked_config_key = 'auth.lock-config';
+    $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
+
+    if ($is_locked) {
+      $errors[] = new PhabricatorApplicationTransactionValidationError(
+        null,
+        pht('Config Locked'),
+        pht('Authentication provider configuration is locked, and can not be '.
+            'changed without being unlocked.'),
+        null);
+    }
+
+    return $errors;
+  }
+
 }