Solved

SharePoint People Picker over External Two Way Trust

Posted on 2012-03-29
7
1,990 Views
Last Modified: 2012-06-27
Experts:

Here is the situation: I have Domain A and Domain B.  The two have a two way, domain wide trust relationship.  I have a SharePoint server in each domain, we'll call them SP Server A in Domain A and SP Server B in Domain B.

SP Server A is running SP 2010 on Win 2K8 R2 in a Win 2K8 R2 AD environment (Domain A).

SP Server B us running SP 2007 on Win 2K3 in a Win2K3 AD environment (Domain B).

I can add users from Domain A or B to SP Server A with no issues.  I can add users from Domain A or B to *files and folders* on SP Server B with no issues.  But, I *cannot* add users from Domain A to any of the SharePoint permissions groups on any web applications on SP Server B.

The Server B people picker simply doesn't see anyone from Domain A.  I have tried multiple times to run:

stsadm.exe -o setproperty -url http://domain1.example.com:80 -pn “peoplepicker-searchadforests” -pv “domain:domain1.example.com,domain1\LoginName, P@ssword; domain:domain2.example.com,domain2\LoginName, P@ssword; domain:domain3.example.com,domain3\LoginName, P@ssword“

And it always reports back succesful, but no matter what I put in those fields, it has no effect on what the names that the people picker pulls (it always only sees people from Domain B).

I have been able to add users from Domain A to a security group in Domain B, then add that security group to SP Server B.  It takes the group, but am I still unable to access any sites on SP Server B using credentials from users in Domain A.

What am I doing wrong?  It seems like every little thing is in its place and yet my older SP web application won't recognize that the other domain exists, even though the server itself (that is, Windows) sees it just fine.

Thanks,
Matt
0
Comment
Question by:mhentrich
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785203
Since you have a two way trust, you shouldn't have to set the AppPassword.  So my advice would be to go ahead and specify the Forest names as well.  Also, you don't need to specify a user/password for the local forest and domain names.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv forest:remoteforest.int,remote\user,password;forest:localforest.int;domain:remotedomain.int,remote\user,password;domain:localdomain.int -url http://sharepointurl
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785209
i'm curious.....when you deployed SharePoint server B....did you run that stsadm command right away?  Or did you try to add people before running it?  SharePoint should be able to see all two way trusts by default.  Wondering if running the command threw it off.
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 37785218
The more I think about this.....even my script isn't right.  You shouldn't have to designate user/passwords for the remote domain since there is a two way trust.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:mhentrich
ID: 37785368
Achilles,

Thanks, I agree that I shouldn't have to.  It's odd, I can put username/passwords in or leave them out, the command still completes succesfully, but has no impact on the people picker.

I ran the getproperty command against SP Server A (the one that sees both domains) and it returns "Property Exist=No".  So, I didn't even have to run this command or set any such properties on that server and it works fine.  Server B, however, doesn't work no matter what I do.  Any ideas?

Matt
0
 

Author Comment

by:mhentrich
ID: 37785389
Quick note though: the first time I ran this command on Server B, it DID make me set an app password.  I have no idea why, because the trust it two-way and each SP server is standalone (i.e. not part of a larger farm).
0
 

Accepted Solution

by:
mhentrich earned 0 total points
ID: 37789893
Folks,

Since I got no solid answers here, I resorted to calling MS themselves.  A gentleman there instructed me to set up a Forest Trust instead of an External Trust.  That did not solve the People Picker issue but it did allow me to add users from the one domain to the other.

Thanks anyways,
Matt
0
 

Author Closing Comment

by:mhentrich
ID: 37805224
Nobody else answered it.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question