Friday, April 13, 2012 1:53 PM
I'm working with a Farm where the SharePoint Server was moved to a domain (from domainA to domainB). After the move users are not able to authenticate to the site from either domain. The issue did not occur immediately after the server was moved which I find noteworthy. I've verified that the domainB users have been granted rights.
Central Administration still works. The portal that is nor working is a claims based authentic web application.
The one exception is that the account being used as the identity of the web application(domainB\spAdmin) is able to log in. Interesting enough, when that account clicks the SignIn as different user button, an error message shows. Tracking down the log entry, it's an access denied exception on the AccessDenied page. (So they're being denied access to login as a different user, which forwards them to the AccessDenied page, where they're denied access).
Things I've tried:
- Creating a fresh blank web application allows authentication without issues.
- Making a domainB\user account a site collection administrator
- Creating a security policy on the web app granting domainB\user full control on the web application
- There was a 2nd portal using claims-based authentication where the same problem was occurring and I was able to create a new web application and attach the content database, allowing authentication. But it didn't work for the main portal. In my mind this rules out issues with the Claims to Windows token service.
- I've checked into files used for branding to ensure users have access to these.
Thank you for any thoughts you have.
Sunday, April 15, 2012 11:59 PM
I am unsure what type of setup you had on domainB but you might want to look at one of the below articles:
[SP2007/SP2010] Migrate SharePoint across domains:http://share-point.blogspot.com.au/2011/06/sp2007sp2010-migrate-sharepoint-across.html
Migrating SharePoint users across domains:http://blogs.msdn.com/b/alexander_windel/archive/2006/03/23/559317.aspx
Kind Regards, Justin Nash
Monday, April 16, 2012 7:26 AM
You may need to register the domains to be used for your environment. So you can use below mentioned commands to resolve/ make your domain users authenticated.
stsadm -o setapppassword -password <password>
Once completed then run
stsadm -o setproperty -pn peoplepicker-searchadforests -url http://webapplicationurl -pv "forest:domain1.com,domain1\serviceaccount,<serviceaccountpassword>,domain:domain1.com,domain1\serviceaccount,<serviceaccountpassword>; forest:domain2.com,domain2\serviceaccount,<serviceaccountpassword>,domain:domain2\serviceaccount,<serviceaccountpassword>;"
So here the "serviceaccount" refers to an account in AD which has 'crawling permissions'. once this is done, it will resolve your issue.
Hope this helps.
Thanks, Sumit Gupta SharePoint Consultant MCP, MCTS, CCNA
- Marked As Answer by Rock Wang– MSFT Friday, April 20, 2012 7:26 AM