SharePoint domain trusts Users domain - People Picker works sometimes.

    Question

  • We have SP installed in the DMZ in its own domain that has a one-way outbound trust to our internal user domain.  I have configured Profile Import to look at the user domain and profiles are being imported without problem.  I am able to add these users to site permissions and they can then authenticate to the site and everything works well.

    My problem is when I use People Picker on the administrative side, i.e., trying to pick a user as the site owner.  People Picker will not find users in the user domain when used this way.  Again, People Picker works fine for site permissions.  What gives?

    --Kevin
    Tuesday, July 28, 2009 11:41 AM

Answers

  • Hi kas21,

    The people picker works in cross-domain or cross-forest environments. It works in both two-way trust and one-way trust environments. By default, if the administrator does not do any configuration, the people picker will issue queries to all two-way trusted domains and two-way trusted forests to search for people and groups.

    The people picker uses the application pool account to search the target domains and forests. If the application pool account does not have permission to the target domains or forests, or the administrator wants to use a different account to search the target domains or forests, the administrator can use the command lines below to configure it:

    1. Run the command below on all machines in the farm where SharePoint is installed to set a key that will be used to encrypt/decrypt the password:

    stsadm.exe -o setapppassword -password <somekey>

    2. Run on one WFE:

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv <list of forests or domains> -url <WebApp>

    For more information about the command line, please refer to:

    http://technet.microsoft.com/en-us/library/cc263460.aspx

    Hope this helps.

    Lu Zou

    • Marked as answer by Lu Zou-MSFT Friday, August 07, 2009 6:36 AM
    Thursday, July 30, 2009 7:23 AM

All replies

  • You have to configure the people picker for each Web app... Central Admin runs in its own Web app, so you have to configure it as well as your production Web app...

    Run the following for each site requiring People Picker to pull from the remote Domain (ssp.domain.com, site.domain.com, my.domain.com)

    • Proposed as answer by Jeff DeVerter Tuesday, July 28, 2009 1:39 PM
    • Unproposed as answer by Mike Walsh FIN Tuesday, July 28, 2009 6:38 PM
    Tuesday, July 28, 2009 1:38 PM
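The two stsadm steps in the marked answer, combined with the per-web-application point made in the reply above, as a single added script (not code from the thread or from Microsoft). The reason the explicit account is needed here is the direction of the trust: the DMZ domain trusts the user domain, so user-domain principals can be granted permissions on the SharePoint sites, but accounts living in the DMZ domain, the application pool identity included, are not trusted by the user domain and cannot query it. The server names, domain names, lookup account and web-application URLs in the script are assumed placeholders; the Central Administration URL in particular has to be replaced with your own, since that is the web application the site-owner picker runs in.

```powershell
# Added example, not from the thread. Run this script on every server in the
# farm; add -SetSearchForests on exactly one WFE. Hostnames, domain names,
# the lookup account and the web-app URLs below are assumed placeholders.
param(
    [switch]$SetSearchForests
)

# stsadm.exe lives in the "12 hive" on WSS 3.0 / MOSS 2007
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'
if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

function Invoke-Stsadm {
    # Runs stsadm with the given argument list and fails loudly on a non-zero exit code
    param([string[]]$Arguments)
    & $stsadm $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm $($Arguments[1]) failed with exit code $LASTEXITCODE"
    }
}

# Step 1: the key that encrypts the stored lookup password. It must be the
# same on every server in the farm, so run this part on each of them and
# type the identical key each time.
$key = Read-Host 'Key for setapppassword (must be identical on every farm server)'
Invoke-Stsadm @('-o', 'setapppassword', '-password', $key)

if (-not $SetSearchForests) { return }

# Step 2 (one WFE only): which domains the picker searches, and which account
# it uses for the one-way-trusted user domain.
$dmzDomain  = 'dmz.example.com'    # assumed: the domain the farm lives in
$userDomain = 'users.example.com'  # assumed: the internal user domain

# The lookup account must be trusted by the user domain; an ordinary domain
# user with read access to AD is enough. Do not use a privileged account:
# its password is stored in the farm and passed on a command line below.
$cred  = Get-Credential 'USERS\svc-peoplepicker'   # assumed name; prompts for the password
$nc    = $cred.GetNetworkCredential()
$login = if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }

# Value format: forest:<dns>[,<login>,<password>];domain:<dns>[,<login>,<password>]
# Once this property is set the picker searches ONLY what is listed, so the
# farm's own domain must be included (no credentials: the app pool account
# can already query it).
$searchValue = "domain:$dmzDomain;domain:$userDomain,$login,$($nc.Password)"

# Every web application that hosts a picker, Central Administration included,
# because the site-owner picker runs there.
$webApps = @(
    'http://dmzapp01:9999',            # assumed Central Administration URL
    'http://portal.dmz.example.com',   # assumed content web app
    'http://ssp.dmz.example.com',      # assumed SSP admin web app
    'http://my.dmz.example.com'        # assumed My Sites web app
)
foreach ($url in $webApps) {
    Invoke-Stsadm @('-o', 'setproperty', '-pn', 'peoplepicker-searchadforests', '-pv', $searchValue, '-url', $url)
    # Read the stored value back to confirm it was applied to this web app.
    # The output may echo the lookup credentials, so treat it as sensitive.
    Invoke-Stsadm @('-o', 'getproperty', '-pn', 'peoplepicker-searchadforests', '-url', $url)
}
```

Two checks worth doing afterwards: confirm that the picker in Central Administration now resolves a user-domain account when you try to set a site owner, and confirm that it still resolves accounts from the farm's own domain, which it will stop doing if that domain was left out of the property value. The setproperty invocation puts the lookup password on the process command line, so run it from an interactive session on the WFE rather than from a scheduled job or a shared script with the password embedded.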
  • Jeff, could you please stop proposing every single post you make here as an answer.

    Some of them are certainly more worthy of being marked as answers than others.

    It is in any case better to wait until someone else proposes them. Then I might be tempted to convert them to Answer status, which won't happen when each post from you is seemingly automatically proposed by you as an answer.


    (Moderator)
    WSS FAQ sites: http://wssv2faq.mindsharp.com and http://wssv3faq.mindsharp.com
    Total list of WSS 3.0 / MOSS 2007 Books (including foreign language) http://wssv3faq.mindsharp.com/Lists/v3%20WSS%20FAQ/V%20Books.aspx
    Tuesday, July 28, 2009 2:05 PM
  • Run the following what?  I don't see anything after that line.  Thanks!
    Wednesday, July 29, 2009 2:51 PM