Using the people picker over a one-way trust

When you have a SharePoint farm and want to use accounts from another domain, you need a partial (one-way) or a full (two-way) trust between those domains.
A full trust is not always desirable, and that is where your problem begins. After setting up the one-way trust you can authenticate with an account from the trusted domain, but the SharePoint People Picker won't show any accounts from that domain.

It has been documented by others before, but as I ran into this recently I'll give my summary of how I fixed it.
This solution is the same for WSS 3.0/SharePoint 2007 as for SharePoint 2010.

The problem

When using a one-way trust you don’t see any accounts from the other domain in the people picker.

[Screenshot: SharePoint People Picker not showing any accounts from the other domain.]

The reason

This is an example of how you could use a partial trust.

[Diagram: example of a one-way trust architecture, with a company domain and a development domain set up with a partial trust.]

You want to allow employees to authenticate in a development farm, but you don’t want to allow any test or service account from the development domain to authenticate in the company domain.

Because the application pool account lives in the development domain, which the company domain does not trust, it has no rights to query the company domain for accounts.

The solution

Using STSADM we can configure which forests and domains are searched for accounts by setting the peoplepicker-searchadforests property. The best part is that we can supply a username and password for a trusted domain.

SharePoint doesn't allow you to store this username and password in plain text on the server, so you first have to configure a secure store. If you skip this step, configuring the search account for trusted domains will always fail with the following message:
Cannot retrieve the information for application credential key.
To create a credential key you have to use the following command.

stsadm -o setapppassword -password <password>

This command has to be executed on every server in the farm.

Now you can configure the forests and domains you want to search using the following command.

stsadm -o setproperty -url <web application url> -pn peoplepicker-searchadforests -pv forest:<source forest>;domain:<trusted domain>,<trusted domain>\<account>,<password>

You can combine any number of forests and domains, but you need to specify at least one.
You also need to include all forests and domains in one statement, because every time you execute this command it replaces the current settings rather than adding to them.

Also note this setting is per web application, and even per zone.
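As an added example (not code from the original post), the PowerShell below builds the peoplepicker-searchadforests value with the right delimiters, parses an existing value back so you can check what is set, and applies it with STSADM; the forest, domain, account and web application URL are constructed names, and stsadm.exe is assumed to be on PATH.

```powershell
# Added example, not from the original post. Assumes stsadm.exe is on PATH and
# that setapppassword has already been run on every server in the farm.

function New-SearchAdForestsValue {
    param([Parameter(Mandatory=$true)] [hashtable[]] $Entries)
    $parts = foreach ($e in $Entries) {
        if (@('forest', 'domain') -notcontains $e.Type) { throw "Type must be forest or domain: $($e.Type)" }
        if ($e.Name -match '[;:,]') { throw "Name may not contain ; : or , : $($e.Name)" }
        $part = '{0}:{1}' -f $e.Type, $e.Name              # ':' separates the type from the name
        if ($e.Account) {
            if (-not $e.Password) { throw "Account $($e.Account) was given without a password" }
            $part += ',{0},{1}' -f $e.Account, $e.Password  # ',' separates name, account, password
        }
        $part
    }
    return ($parts -join ';')                              # ';' separates the forest/domain entries
}

function ConvertFrom-SearchAdForestsValue {
    param([Parameter(Mandatory=$true)] [string] $Value)
    foreach ($part in ($Value -split ';')) {
        $fields = $part -split ','                  # name[,account,password]
        $type, $name = $fields[0] -split ':', 2     # forest:<name> or domain:<name>
        $account = $null
        if ($fields.Count -gt 1) { $account = $fields[1] }
        New-Object PSObject -Property @{
            Type = $type; Name = $name; Account = $account; HasPassword = ($fields.Count -gt 2)
        }
    }
}

function Set-PeoplePickerSearchAdForests {
    param([Parameter(Mandatory=$true)] [string] $WebAppUrl,
          [Parameter(Mandatory=$true)] [string] $Value)
    # setproperty replaces the whole setting, so $Value must list every forest and
    # domain, the source forest included. The setting is per web application (and zone).
    & stsadm -o setproperty -url $WebAppUrl -pn peoplepicker-searchadforests -pv $Value
    if ($LASTEXITCODE -ne 0) { throw "stsadm failed with exit code $LASTEXITCODE" }
}

# Constructed sample matching the post's diagram: the source (development) forest
# plus the one-way trusted company domain, queried with an account from that domain.
$value = New-SearchAdForestsValue -Entries @(
    @{ Type = 'forest'; Name = 'dev.local' },
    @{ Type = 'domain'; Name = 'company.local'; Account = 'COMPANY\svc-picker'; Password = '<password>' }
)
ConvertFrom-SearchAdForestsValue -Value $value | Format-Table Type, Name, Account, HasPassword
Set-PeoplePickerSearchAdForests -WebAppUrl 'http://intranet.dev.local' -Value $value
```

The parse step is useful before re-running the command: read the current value, add the new forest or domain to the list, and apply the complete list, since a partial list would drop the others.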

[Screenshot: SharePoint People Picker showing an account from the one-way trusted domain.]

11 Comments

  1. /

    Great timing on this article! Just needed this! Thanks!

  2. /

    Hi! Nice post!
    Have a question: Configuring the AD trust + people picker will be enough to allow users from domain A to authenticate on the SharePoint (that is located on Domain B)?

    Tks!
    Alex

  3. /

    Authentication itself will work when a trust is in place indeed.
    The configuration of the people picker is additional with a partial trust and will allow to choose accounts from (both) domains.

  4. /

    My SP server is on domain A (which is a.b.com). I setup domain B (c.com) for external users. I configured forwarders in each DNS and setup a trust (domain B trusts domain A). I created the credential key and ran stsadm -0 setproperty -url http://sqldevserver -pn peoplepicker-searchadforests -pw forest:xx:domain:b.com\username,password

    every 60 seconds my front-end server registers event 6482 in the application log. Reason: The trust relationship between the primary domain and the trusted domain failed.

    Any suggestions?

  5. /

    Update, in the example above, the command is -pw forest:xx:domain:c.com\username,password.... not b.com as previously stated

    • /

      it should be like:

      -pw forest:a.b.com;domain:c.com,c.com\username,password

      watch where you use : ; and ,

  6. /

    People import successfully for the other domain users (OWFT). When a user tries to create a My Site we get SPException: USER NOT FOUND, but the user profiles were created successfully for the other domain users.
    Please can you give a suggestion?

  7. /

    Good post Michael. Had one query: if there are two separate AD domains, and you want to look for users in both of these domains, you need to run these PowerShell scripts every time for the required domain. Is there any way or script that can query multiple domains in the same AD? Thanks a lot.

  8. /

    Good article - we had the same issue but we also had to set permissions on the Secure registry key on EVERY machine in the farm, granting the local WSS_WPG group read access to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure

    For more info see http://blogs.msdn.com/b/jorman/archive/2011/02/16/people-picker-why-don-t-you-trust-me.aspx

  9. /

    Gr8....
    Thank you...

Trackbacks and Pingbacks

  1. Configure people picker over a one-way trust using PowerShell | Michaël's coding thoughts