SharePoint 2010 - Multi-Forest - Search

  • Question

  • In the process of upgrading a client to 2010.  They have your standard multi-forest environment.  SharePoint is deployed in the RESOURCE forest, which has a one way outgoing trust to the USER forest.  We've had some problems with users from the USER forest not returning search results, but users in the RESOURCE forest can return results. 

    We've finally gotten this worked out but it was by trial and error.  What is Microsoft's recommended solution for this type of set up?  Do all the service accounts for SharePoint Search (admin, query, and service) need to be from the USER forest?  Or does only one?  Is there any way to use all RESOURCE accounts for this (what we would prefer).  Thanks!

    Saturday, July 10, 2010 1:35 AM

Answers

  • In a one way trust, you'll need to set your Search Service Application (SSA) to store the ACLs used for security trimming in Claims format, so that no communication with the domain controller is needed during security trimming. To do this, use Windows PowerShell.

    First, get an object to represent your SSA:

    $ssa = Get-SPEnterpriseSearchServiceApplication "Search App Name"

    Then set the property:

    $ssa.SetProperty("ForceClaimACLs", 1)

    Now, run a FULL crawl of ALL content to retrieve and store the ACLs in Claims format.

    Search results should work now in the one-way trust environment.

    Regards,
    Savoeurn Va
    Microsoft Online Community Support
    • Marked as answer by GuYuming Friday, July 16, 2010 1:18 AM
    Tuesday, July 13, 2010 7:02 PM
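    As an added example (not the poster's own commands), here are the steps above as one PowerShell script that also reports the current ForceClaimACLs value and starts a full crawl on every idle content source. The SSA name is a placeholder, and the preliminary check for the AuthzInitializeContextFromSid error mentioned later in the thread assumes the ULS log folder can be read from Get-SPDiagnosticConfig.

```powershell
# Added example, not from the original post. Run as a farm administrator in the
# SharePoint 2010 Management Shell (or load the snap-in as below).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssaName = "Search App Name"   # placeholder: your Search Service Application name

# 1. Symptom check: does any ULS log show the non-Claims authorization failure?
#    (Assumes LogLocation is readable; it may contain %CommonProgramFiles%.)
$logDir = [Environment]::ExpandEnvironmentVariables((Get-SPDiagnosticConfig).LogLocation)
$hits = Get-ChildItem -Path $logDir -Filter *.log |
    Select-String -Pattern 'AuthzInitializeContextFromSid failed' -List
if ($hits) {
    Write-Host ("{0} ULS file(s) contain AuthzInitializeContextFromSid failures" -f @($hits).Count)
}

# 2. Get the SSA object and show the current setting (null if never set).
$ssa = Get-SPEnterpriseSearchServiceApplication $ssaName
if (-not $ssa) { throw "Search Service Application '$ssaName' not found" }
$current = $ssa.GetProperty("ForceClaimACLs")
Write-Host "ForceClaimACLs before: $current"

# 3. Store ACLs in Claims format so security trimming no longer needs to reach
#    the querying user's domain controller across the one-way trust.
if ($current -ne 1) {
    $ssa.SetProperty("ForceClaimACLs", 1)
    Write-Host "ForceClaimACLs set to 1"
}

# 4. Existing ACLs are only rewritten by a full crawl, so start one for every
#    content source that is not already crawling.
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa | ForEach-Object {
    if ($_.CrawlStatus -eq "Idle") {
        $_.StartFullCrawl()
        Write-Host "Started full crawl: $($_.Name)"
    } else {
        Write-Host "Skipped $($_.Name): crawl status is $($_.CrawlStatus)"
    }
}
```

    Search results for USER forest accounts should return only after the full crawls complete; a cross-forest account that is still trimmed out before then is expected, not a sign the setting failed.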

All replies

  • This is the only general guideline I found: http://technet.microsoft.com/en-us/library/dd279546.aspx

    Could you please share your detailed trial and error experience? Thanks!

    Tuesday, July 13, 2010 8:08 AM
  • This actually isn't working, I opened another thread in the same forum.  Well, it's halfway working.  We started one by one changing search related service accounts to accounts in the USER forest.  Once we changed the Query svc account, results started displaying to our USER forest accounts.  However, this was only true if the USER forest accounts were directly added to SharePoint groups on the site.  If the USER forest accounts were added to RESOURCE forest AD groups, then those RESOURCE groups were added to SharePoint groups, it didn't work.

    That was the security model we used for their MOSS 2007 environment (USER accounts in RESOURCE groups in SharePoint groups), and it worked fine.  This model works fine in 2010 when it comes to security, but search results aren't being displayed.

    Tuesday, July 13, 2010 12:40 PM
  • I just found that I happened to experience a similar problem:

    My laptop has Windows Server 2008 R2 and is joined to the corporate domain as a member server. I installed SharePoint 2010 on it with my domain account as the farm account, and I use the local administrator account as the Search Service account. My search for any keyword returns no results. In ULS Viewer, I found the following error message:

    AuthzInitializeContextFromSid failed with 1355. The querying user's Active Directory object may be corrupted, invalid or inaccessible. Query results which require non-Claims Windows authorization will not be returned to this querying user.

    After running the commands Savoeurn provided, the search works now. Thanks Savoeurn!

    Friday, July 16, 2010 1:44 AM
  • Will this work even though we aren't using claims for authentication?
    Wednesday, July 21, 2010 5:18 PM
  • Yes, you don't have to use claims based authentication for your web application. I use classic Windows authentication on my laptop. Internally, service applications use claims. Please see what follows from http://blogs.msdn.com/b/russmax/archive/2010/05/27/understanding-sharepoint-2010-claims-authentication.aspx :

    How Claims works with Services

    Accessing Internal Services

    Within a Single Farm:

    The classic example is a user performing a search. The WFE's (Server1) search web part talks to the service application proxy. The associated search service application proxy calls the local STS to get a SAML token for the user. Once the SAML token is collected, the search service application proxy then calls a server running the Query Processor via a WCF call. I'll call this server "Server 2". Server 2 receives the incoming request and validates the SAML token against its local STS. Once validated, Server 2 connects to various components to gather, merge, and security-trim search results. Server 2 sends the trimmed search results back to Server 1, which are then presented to the user.

    Wednesday, July 21, 2010 11:16 PM
  • Yes, it will work regardless of your authentication type.

    Regards,

    Hiran
    Microsoft Online Community Support
    Thursday, July 22, 2010 2:43 AM
  • Thanks boss, worked like a champ.
    Thursday, July 22, 2010 4:48 PM
  • Hi Hiran,
    I'm planning to set up a SharePoint Foundation 2010 farm to use 2 Active Directory domains.
    DOMAIN A - the main AD
    DOMAIN B - the second AD

    It would be a one way trust, so DOMAIN A will trust B, as domain B is just going to be used for storing some external users and security groups.
    I would like to know how to go about this and what the implications are. The farm would have SEARCH EXPRESS 2010 installed and will be used in site collections.

    Regarding users and groups, will it populate users from both ADs?
    Will I be able to select users from both ADs for permission purposes?

    Are there any disadvantages compared to using one domain?

    Thanks in advance

    Thursday, August 5, 2010 8:52 PM
  • You saved me; after 1 week I found your post and resolved the problem.

    Wednesday, June 29, 2011 4:24 PM
  • This looks like it would solve my problem, except that I am running SharePoint 2010 Foundation, which does not have the Get-SPEnterpriseSearchServiceApplication or the property SetProperty.

    Is there any way that I could achieve the same result on Foundation running on a domain joined Windows 7 Enterprise machine?

    Many thanks for any help
    Wednesday, July 20, 2011 5:40 PM
  • If you are using SharePoint 2010 Foundation, I would recommend that you install Search Server Express 2010: http://technet.microsoft.com/en-us/enterprisesearch/ee263912
    Thursday, July 21, 2011 1:39 AM
  • Many thanks for your response.

    Given that I have a standalone installation used for local information, I am concerned that it would consume more resources than the Foundation search.  Although it provides additional capabilities, I probably don't need these given my local SharePoint usage.

    Is this the only way that I would be able to resolve the domain issue, or are there other potential remedies I could try?
    Thursday, July 21, 2011 6:56 AM