Solved

SharePoint People Picker over External Two Way Trust

Posted on 2012-03-29
7
1,862 Views
Last Modified: 2012-06-27
Experts:

Here is the situation: I have Domain A and Domain B.  The two have a two way, domain wide trust relationship.  I have a SharePoint server in each domain, we'll call them SP Server A in Domain A and SP Server B in Domain B.

SP Server A is running SP 2010 on Win 2K8 R2 in a Win 2K8 R2 AD environment (Domain A).

SP Server B us running SP 2007 on Win 2K3 in a Win2K3 AD environment (Domain B).

I can add users from Domain A or B to SP Server A with no issues.  I can add users from Domain A or B to *files and folders* on SP Server B with no issues.  But, I *cannot* add users from Domain A to any of the SharePoint permissions groups on any web applications on SP Server B.

The Server B people picker simply doesn't see anyone from Domain A.  I have tried multiple times to run:

stsadm.exe -o setproperty -url http://domain1.example.com:80 -pn “peoplepicker-searchadforests” -pv “domain:domain1.example.com,domain1\LoginName, P@ssword; domain:domain2.example.com,domain2\LoginName, P@ssword; domain:domain3.example.com,domain3\LoginName, P@ssword“

And it always reports back succesful, but no matter what I put in those fields, it has no effect on what the names that the people picker pulls (it always only sees people from Domain B).

I have been able to add users from Domain A to a security group in Domain B, then add that security group to SP Server B.  It takes the group, but am I still unable to access any sites on SP Server B using credentials from users in Domain A.

What am I doing wrong?  It seems like every little thing is in its place and yet my older SP web application won't recognize that the other domain exists, even though the server itself (that is, Windows) sees it just fine.

Thanks,
Matt
0
Comment
Question by:mhentrich
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785203
Since you have a two way trust, you shouldn't have to set the AppPassword.  So my advice would be to go ahead and specify the Forest names as well.  Also, you don't need to specify a user/password for the local forest and domain names.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv forest:remoteforest.int,remote\user,password;forest:localforest.int;domain:remotedomain.int,remote\user,password;domain:localdomain.int -url http://sharepointurl
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785209
i'm curious.....when you deployed SharePoint server B....did you run that stsadm command right away?  Or did you try to add people before running it?  SharePoint should be able to see all two way trusts by default.  Wondering if running the command threw it off.
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785218
The more I think about this.....even my script isn't right.  You shouldn't have to designate user/passwords for the remote domain since there is a two way trust.
0
 

Author Comment

by:mhentrich
ID: 37785368
Achilles,

Thanks, I agree that I shouldn't have to.  It's odd, I can put username/passwords in or leave them out, the command still completes succesfully, but has no impact on the people picker.

I ran the getproperty command against SP Server A (the one that sees both domains) and it returns "Property Exist=No".  So, I didn't even have to run this command or set any such properties on that server and it works fine.  Server B, however, doesn't work no matter what I do.  Any ideas?

Matt
0
 

Author Comment

by:mhentrich
ID: 37785389
Quick note though: the first time I ran this command on Server B, it DID make me set an app password.  I have no idea why, because the trust it two-way and each SP server is standalone (i.e. not part of a larger farm).
0
 

Accepted Solution

by:
mhentrich earned 0 total points
ID: 37789893
Folks,

Since I got no solid answers here, I resorted to calling MS themselves.  A gentleman there instructed me to set up a Forest Trust instead of an External Trust.  That did not solve the People Picker issue but it did allow me to add users from the one domain to the other.

Thanks anyways,
Matt
0
 

Author Closing Comment

by:mhentrich
ID: 37805224
Nobody else answered it.
0

Join & Write a Comment

We had a requirement to extract data from a SharePoint 2010 Customer List into a CSV file and then place the CSV file into a directory on the network so that the file could be consumed by an AS400 system. I will share in Part 1 how to Extract the Da…
I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now