Using the people picker over a one-way trust
When you have a SharePoint farm and want to use accounts from another domain, you need a partial (one-way) or a full (two-way) trust between those domains.
A full trust is not always desirable, and that is where your problem begins. After setting up the one-way trust you can authenticate with an account from the trusted domain, but the SharePoint People Picker doesn't show any accounts from that domain.
It has been documented by others before, but as I ran into this recently I'll give my summary of how I fixed it.
This solution is the same for WSS 3.0/SharePoint 2007 and SharePoint 2010.
The problem
When using a one-way trust you don’t see any accounts from the other domain in the people picker.
People picker not showing accounts from the other domain.
The reason
This is an example of how you could use a partial trust.
Example of a one-way trust architecture.
You want to allow employees to authenticate in a development farm, but you don't want to allow any test or service account from the development domain to authenticate in the company domain.
As the application pool account lives in the development domain, it doesn't have the right to query the company domain, so the people picker has nothing to show.
The solution
Using STSADM we can configure which forests and domains are searched for accounts by setting the peoplepicker-searchadforests property. The best part is that we can supply a username and password for the trusted domain, so the lookup no longer depends on the application pool account's rights.
SharePoint doesn't allow you to store this username and password in plain text on the server, so you first have to set an application credential key (the app password) that protects them. If you skip this step, configuring the search account for trusted domains will always fail with the following message:
Cannot retrieve the information for application credential key.
To create the credential key, run the following command:
stsadm -o setapppassword -password <password>
This command has to be executed on every server in the farm, using the same password on each server.
Now you can configure the forests and domains you want to search with the following command (the value after -pv is one string; put it in quotes when it contains spaces):
stsadm -o setproperty -url <web application url> -pn peoplepicker-searchadforests -pv forest:<source forest>;domain:<trusted domain>,<trusted domain>\<account>,<password>
You can combine any number of forests and domains, but you need to specify at least one. You also need to include all forests and domains in one statement, because every time you run this command it replaces the current settings rather than adding to them.
Also note that this setting is per web application, and even per zone.
People picker showing accounts from the other domain.
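The -pv value above has a small grammar of its own (';' between entries, ',' between the fields of one entry, and a ':' only after forest or domain), and because setproperty replaces the whole list, a typo silently drops a domain from the search. As an added example, not from the original post, here is a Python helper that parses, validates and re-serialises such a value and masks the password before the value is logged; the forest and domain names and the service account in the comments are made-up sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A forest/domain name is a bare DNS name; a ':' or '\' in it means the separators
# were mixed up (';' between entries, ',' between the fields of one entry).
_DNS_NAME = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")

@dataclass
class SearchEntry:
    kind: str                       # "forest" or "domain"
    name: str                       # DNS name of the forest or domain
    login: Optional[str] = None     # DOMAIN\account allowed to query a trusted domain
    password: Optional[str] = None  # protected on the farm by the credential key

def parse_search_ad_forests(value: str) -> List[SearchEntry]:
    """Parse a -pv value into entries; raise ValueError on malformed input."""
    entries: List[SearchEntry] = []
    for raw in value.split(";"):
        kind, _, rest = raw.strip().partition(":")
        if kind not in ("forest", "domain"):
            raise ValueError(f"entry must start with 'forest:' or 'domain:': {raw!r}")
        fields = rest.split(",")
        if ":" in fields[0]:
            raise ValueError(f"separate entries with ';', not ':': {raw!r}")
        if not _DNS_NAME.match(fields[0]):
            raise ValueError(f"{kind} name is not a DNS name: {fields[0]!r}")
        if len(fields) != 1 and not (len(fields) == 3 and "\\" in fields[1] and fields[2]):
            raise ValueError(f"credentials must be ',DOMAIN\\account,password': {raw!r}")
        entries.append(SearchEntry(kind, *fields))   # 1 field or all 3
    return entries

def build_search_ad_forests(entries: List[SearchEntry]) -> str:
    """Serialise all entries into one -pv value (setproperty replaces, never merges)."""
    return ";".join(f"{e.kind}:{e.name}" + (f",{e.login},{e.password}" if e.login else "")
                    for e in entries)

def lint_search_ad_forests(value: str) -> Optional[str]:
    """Return the problem with a value as text, or None when it parses cleanly."""
    try:
        parse_search_ad_forests(value)
    except ValueError as exc:
        return str(exc)
    return None

def redact(value: str) -> str:
    """Mask the passwords so a value can be logged or pasted into a ticket safely."""
    return build_search_ad_forests([SearchEntry(e.kind, e.name, e.login, "***" if e.login else None)
                                    for e in parse_search_ad_forests(value)])
```

Run lint_search_ad_forests on the value before passing it to stsadm; a mixed-up separator such as forest:xx:domain:... is reported instead of wiping the existing search list.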
Great timing on this article! Just needed this! Thanks!
Hi! Nice post!
I have a question: will configuring the AD trust + people picker be enough to allow users from domain A to authenticate on the SharePoint (which is located in domain B)?
Tks!
Alex
Authentication itself will indeed work when a trust is in place.
The configuration of the people picker is additional with a partial trust and allows you to choose accounts from (both) domains.
My SP server is on domain A (which is a.b.com). I set up domain B (c.com) for external users. I configured forwards in each DNS and set up a trust (domain B trusts domain A). I created the credential key and ran stsadm -0 setproperty -url http://sqldevserver -pn peoplepicker-searchadforests -pw forest:xx:domain:b.com\username,password
Every 60 seconds my front-end server registers event 6482 in the application log. Reason: The trust relationship between the primary domain and the trusted domain failed.
Any suggestions?
Update: in the example above, the command is -pw forest:xx:domain:c.com\username,password, not b.com as previously stated.
It should be like:
Watch where you use : ; and ,
People import successfully for the other-domain users (OWFT). When a user tries to create a My Site they get SPException: USER NOT FOUND, but the user profiles are created successfully for the other-domain users.
Please, can you give a suggestion?