SharePoint People Picker over External Two Way Trust

Posted on 2012-03-29
Last Modified: 2012-06-27
Experts:

Here is the situation: I have Domain A and Domain B.  The two have a two way, domain wide trust relationship.  I have a SharePoint server in each domain, we'll call them SP Server A in Domain A and SP Server B in Domain B.

SP Server A is running SP 2010 on Win 2K8 R2 in a Win 2K8 R2 AD environment (Domain A).

SP Server B is running SP 2007 on Win 2K3 in a Win2K3 AD environment (Domain B).

I can add users from Domain A or B to SP Server A with no issues.  I can add users from Domain A or B to *files and folders* on SP Server B with no issues.  But, I *cannot* add users from Domain A to any of the SharePoint permissions groups on any web applications on SP Server B.

The Server B people picker simply doesn't see anyone from Domain A.  I have tried multiple times to run:

stsadm.exe -o setproperty -url http://domain1.example.com:80 -pn "peoplepicker-searchadforests" -pv "domain:domain1.example.com,domain1\LoginName,P@ssword;domain:domain2.example.com,domain2\LoginName,P@ssword;domain:domain3.example.com,domain3\LoginName,P@ssword"

And it always reports back successful, but no matter what I put in those fields, it has no effect on the names that the people picker pulls (it always only sees people from Domain B).

I have been able to add users from Domain A to a security group in Domain B, then add that security group to SP Server B.  It takes the group, but I am still unable to access any sites on SP Server B using credentials from users in Domain A.

What am I doing wrong?  It seems like every little thing is in its place and yet my older SP web application won't recognize that the other domain exists, even though the server itself (that is, Windows) sees it just fine.

Thanks,
Matt
Question by:mhentrich
Expert Comment

by:Justin Smith
ID: 37785203
Since you have a two way trust, you shouldn't have to set the AppPassword.  So my advice would be to go ahead and specify the Forest names as well.  Also, you don't need to specify a user/password for the local forest and domain names.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv forest:remoteforest.int,remote\user,password;forest:localforest.int;domain:remotedomain.int,remote\user,password;domain:localdomain.int -url http://sharepointurl
Expert Comment

by:Justin Smith
ID: 37785209
i'm curious.....when you deployed SharePoint server B....did you run that stsadm command right away?  Or did you try to add people before running it?  SharePoint should be able to see all two way trusts by default.  Wondering if running the command threw it off.
Expert Comment

by:Justin Smith
ID: 37785218
The more I think about this.....even my script isn't right.  You shouldn't have to designate user/passwords for the remote domain since there is a two way trust.

Author Comment

by:mhentrich
ID: 37785368
Achilles,

Thanks, I agree that I shouldn't have to.  It's odd, I can put username/passwords in or leave them out, the command still completes successfully, but has no impact on the people picker.

I ran the getproperty command against SP Server A (the one that sees both domains) and it returns "Property Exist=No".  So, I didn't even have to run this command or set any such properties on that server and it works fine.  Server B, however, doesn't work no matter what I do.  Any ideas?

Matt

Author Comment

by:mhentrich
ID: 37785389
Quick note though: the first time I ran this command on Server B, it DID make me set an app password.  I have no idea why, because the trust is two-way and each SP server is standalone (i.e. not part of a larger farm).

Accepted Solution

by:
mhentrich earned 0 total points
ID: 37789893
Folks,

Since I got no solid answers here, I resorted to calling MS themselves.  A gentleman there instructed me to set up a Forest Trust instead of an External Trust.  That did not solve the People Picker issue but it did allow me to add users from the one domain to the other.

Thanks anyways,
Matt
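A worked check for the two things this thread turns on, the kind of trust Windows actually sees (External versus Forest, and whether it is two-way) and what the people picker on SP Server B is configured to search, written as an added example rather than anything posted in the thread. It is PowerShell meant to be run in an elevated prompt on the SharePoint 2007 server; the web application URL and the forest/domain names are placeholders to replace, and the stsadm path assumes a default SharePoint 2007 install. The .NET trust enumeration works on Windows Server 2003 with PowerShell 2.0, so no newer AD module is needed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on
# SP Server B (SharePoint 2007). Every URL and domain name below is an assumption.

$WebAppUrl = 'http://sharepoint-b.domainb.example'   # assumed: a web app on SP Server B
$Stsadm    = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'

# 1. What kind of trust does Windows see?  TrustType tells External apart from
#    Forest; TrustDirection shows whether it really is two-way (Bidirectional).
#    Domain-level trusts come from the Domain object, forest-wide ones from Forest;
#    a forest trust can show up in both, so the result is de-duplicated.
function Get-TrustReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    @($domain.GetAllTrustRelationships()) + @($forest.GetAllTrustRelationships()) |
        Select-Object SourceName, TargetName, TrustType, TrustDirection |
        Sort-Object SourceName, TargetName, TrustType -Unique
}

# 2. What is the people picker configured to search?  An answer of
#    <Property Exist="No" /> means SharePoint is using its default behaviour
#    (search the local domain plus trusts it resolves), not that a command failed.
function Get-PeoplePickerForests {
    & $Stsadm -o getproperty -pn peoplepicker-searchadforests -url $WebAppUrl
}

# 3. Point the people picker at both sides of the trust explicitly.  Over a two-way
#    trust no credentials are needed, so nothing secret is stored in the config
#    database.  If an entry does carry ',DOMAIN\user,password', stsadm requires an
#    application credential key to exist first (stsadm -o setapppassword -password
#    <secret>); that key is what the original poster was prompted to create.
function Set-PeoplePickerForests {
    param([Parameter(Mandatory=$true)][string[]]$Entries)   # e.g. 'forest:forest-a.example'
    foreach ($e in $Entries) {
        # forest:name  |  domain:name  |  either form followed by ,user,password
        if ($e -notmatch '^(forest|domain):[^,;]+(,[^,;]+,[^;]+)?$') {
            throw "Malformed people picker entry: $e"
        }
    }
    & $Stsadm -o setproperty -pn peoplepicker-searchadforests -pv ($Entries -join ';') -url $WebAppUrl
    # The web application reads the property when it starts; recycle it so the change applies.
    & iisreset
}

Get-TrustReport | Format-Table -AutoSize
Get-PeoplePickerForests
Set-PeoplePickerForests -Entries @(
    'forest:forest-a.example',   # assumed names for the remote side (Domain A)
    'domain:domain-a.example',
    'forest:forest-b.example',   # assumed names for the local side (Domain B)
    'domain:domain-b.example'
)
Get-PeoplePickerForests
```

Read the trust report first: if the Domain A entry shows TrustType External rather than Forest, or a TrustDirection other than Bidirectional, the people picker setting is not the thing to keep changing, which matches where this thread ended up. Keeping credentials out of the property value is also the safer default; they are only needed when the remote domain cannot be queried under the server's own account.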

Author Closing Comment

by:mhentrich
ID: 37805224
Nobody else answered it.