people picker control cross forest

  • Question

  • I have

    domain1.forest1.com (SharePoint farm installed here)

    domain2.forest2.com (two-way trust with domain1.forest1.com)

    People picker is not able to find any user in domain2.forest2.com. Since it is a two-way trust, it should just work, right? Do I need to do additional configuration?

    Note: both are in different forests.

    Monday, March 2, 2015 8:55 PM

All replies

  • Hi,

    Once you have created the two way trust, create a group in domain1 AD and add the group from domain2 AD that has all the users in it. Once this is done, you should see all the users from domain2 in the people picker. Hope this helps.


    Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***


    • Edited by K-Joshi Monday, March 2, 2015 8:58 PM
    Monday, March 2, 2015 8:57 PM
  • Is that the recommended way? It doesn't seem to be.
    Monday, March 2, 2015 11:24 PM
  • Hi VietP,

    You have to set your site collection people pickers to resolve users from both forests.

    To do that, check this link: Link

    The key for your problem is this: peoplepicker-searchadforest (property from site collection people pickers)

    Hope it helps.

    Best regards.

    Monday, March 2, 2015 11:28 PM
  • Cristian,

    I thought that was only required for a one-way trust. I have a two-way trust. Anyway, I tried that command also, but it still didn't work. Not sure how to troubleshoot.

    stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:domain1.com;domain:domain2.com" -url http://mywebapplicationUrl
    • Edited by VietP Tuesday, March 3, 2015 2:11 AM
    Tuesday, March 3, 2015 2:09 AM
  • Yes, that is only required in a one-way trust (and certain scenarios in a two-way).

    Couple of questions:

    Does the domain2.forest2.com (FQDN) match the NetBIOS (e.g. is it "DOMAIN2")?

    Do the SharePoint servers have port access to domain2's Domain Controllers in order to issue direct queries?

    Is this a Selective trust, or a Forest Trust? Transitive or not?

    I also have a utility here you can test from the SharePoint server(s) that may help you diagnose this:

    https://github.com/Nauplius/PeoplePickerPortTester/releases


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, March 3, 2015 3:27 AM
  • I still think that you need to update that property, maybe I'm wrong but... If you type domain2\anyusername in any people picker in any SharePoint form and you save the form, check whether SharePoint resolves that username into a normal user DisplayName. I mean domain2\username to User Display Name, for example.

    The stsadm command line that you have to use is like this:

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domain1.forest1.com,domain1\username,Password;domain:domain2.forest2.com,domain2\username,Password" -url http://yourwebapp

    Here you have another link with more info about it: 

    http://seanshares.com/post/67988186845/setup-sharepoint-people-picker-cross-forest-active

    Best regards.

    Tuesday, March 3, 2015 1:57 PM
  • Again, that property is not required for two-way forest trusts, except under specific scenarios (e.g. NetBIOS name and FQDN do not match, but even that isn't handled through that particular property).

    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, March 3, 2015 2:31 PM

  • Trevor,

    Correction on my FQDN.

    I have 2 forests.

    Forest1 has domain1.com (SP farm installed here, so sharepointserver.domain1.com is the FQDN).

    Forest2 has domain2.com.

    Does the domain2.forest2.com (FQDN) match the NetBIOS (e.g. is it "DOMAIN2")?

    I believe it is. The way to check is in "Domain name (pre-Windows 2000):", and it says domain2.

    Do the SharePoint servers have port access to domain2's Domain Controllers in order to issue direct queries?

    What port is required? I ran People Picker Port Tester and most TCP ports connect, except 137 and 138 failed:

    [Opt]TCP/749 - Failed

    [Opt]TCP/750 - Failed

    All UDP failed except port 53 connected.

    Is this a Selective trust, or a Forest Trust? Transitive or not?

    Trust Type: External (incoming and outgoing)

    Transitive: No

    Authentication: Domain-wide


    Tuesday, March 3, 2015 4:44 PM
  • Okay, so the External trust is what you're probably up against.

    Use this PowerShell:

    # Farm-wide key that encrypts the stored People Picker credentials; set it once per farm
    $key = ConvertTo-SecureString "Password1" -AsPlainText -Force
    [Microsoft.SharePoint.SPSecurity]::SetApplicationCredentialKey($key)

    $wa = Get-SPWebApplication http://webAppUrl
    $adsearchobj = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
    $userpassword = ConvertTo-SecureString "UserPassword1" -AsPlainText -Force #Password for the user account DOMAIN2\s-useraccount
    $adsearchobj.DomainName = "domain2.forest2.com"
    $adsearchobj.ShortDomainName = "DOMAIN2" #Optional
    $adsearchobj.IsForest = $false #$true for Forest, $false for Domain
    $adsearchobj.LoginName = "s-useraccount" #Account in domain2 used to query that domain's DCs
    $adsearchobj.SetPassword($userpassword)

    # Register the extra search domain on the web application and persist it
    $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($adsearchobj)
    $wa.Update()

    http://thesharepointfarm.com/2014/01/powershell-for-people-picker-properties/


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Proposed as answer by K-Joshi Tuesday, March 10, 2015 3:26 PM
    Tuesday, March 3, 2015 4:47 PM
  • Trevor,

    We recently set up a 2-way trust between my company domain and 5 other domains. These domains are in separate forests. Other than what I mentioned in my first comment, I did not do anything. Domain and NETBIOS names are all different in different domains and they match each other (DOMAIN: ABC.net; NETBIOS: ABC).

    Quote: "Once you have created the two way trust, create a group in domain1 AD and add the group from domain2 AD that has all the users in it. Once this is done, you should see all the users from domain2 in the people picker. Hope this helps."

    My people picker is able to resolve all users from different domains. We have also setup the profile synchronizations with different domains for My Sites. Works perfectly. I do not see in which scenario should we use the script you have provided. Your input is valuable. Thanks.


    Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

    • Proposed as answer by K-Joshi Tuesday, March 10, 2015 3:26 PM
    Tuesday, March 3, 2015 6:18 PM
  • What you quoted will not work. SharePoint cannot consume Foreign Security Principals (which is what you're doing by adding users from DOMAIN2 to a group in DOMAIN1, then adding the group from DOMAIN1 to SharePoint), it must have a reference to where the User object exists.

    Normally, in two-way trusts, no you do not have to do any configuration for the People Picker. There are exceptions to that rule, and it looks like the original poster likely encountered one of them.

    UPA is also not a factor in resolving users within Site Collections, so we can ignore that.


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, March 3, 2015 6:21 PM
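    As an added diagnostic for the checks Trevor asks about (trust type, DC port reachability, current People Picker search domains) and for his point about Foreign Security Principals, here is a PowerShell script that is my own, not Trevor's, Microsoft's or any poster's. It assumes the RSAT ActiveDirectory module and the SharePoint snap-in are present on the SharePoint server; the web application URL, remote domain and group name are placeholders.

```powershell
# Added diagnostic (not code from the thread). Assumes RSAT ActiveDirectory module
# and the SharePoint snap-in are installed on the SharePoint server being tested.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$webAppUrl    = "http://webAppUrl"        # placeholder: your web application
$remoteDomain = "domain2.forest2.com"     # placeholder: the trusted (remote) domain
$localGroup   = "SP-ExternalUsers"        # placeholder: domain1 group that nests domain2 users

# 1. Trust characteristics asked about in the thread: External vs Forest, transitive, selective.
$trust = Get-ADTrust -Filter "Target -eq '$remoteDomain'"
if ($trust) {
    "Trust type        : {0}" -f $trust.TrustType               # External or Forest
    "Direction         : {0}" -f $trust.Direction               # BiDirectional for a two-way trust
    "Forest transitive : {0}" -f $trust.ForestTransitive
    "Selective auth    : {0}" -f $trust.SelectiveAuthentication # True can break the People Picker
} else { Write-Warning "No trust object found for $remoteDomain" }

# 2. TCP reachability of the remote DCs on ports a direct directory query commonly needs.
#    (UDP is not tested here; the Port Tester linked in the thread covers that.)
$ports = 88, 389, 445, 636, 3268   # Kerberos, LDAP, SMB/RPC, LDAPS, Global Catalog
foreach ($dc in ([System.Net.Dns]::GetHostAddresses($remoteDomain) | Select-Object -First 2)) {
    foreach ($p in $ports) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ar  = $tcp.BeginConnect($dc, $p, $null, $null)
        $ok  = $ar.AsyncWaitHandle.WaitOne(2000) -and $tcp.Connected
        $tcp.Close()
        "{0}:{1,-5} {2}" -f $dc, $p, $(if ($ok) { "open" } else { "BLOCKED" })
    }
}

# 3. Why nesting domain2 users in a domain1 group does not help: the group's member DNs
#    for those users live under CN=ForeignSecurityPrincipals, i.e. SID-only stubs that
#    SharePoint cannot resolve back to a user object in the domain where it exists.
(Get-ADGroup $localGroup -Properties member).member |
    Where-Object { $_ -like '*CN=ForeignSecurityPrincipals,*' } |
    ForEach-Object { "FSP member (not resolvable by People Picker): $_" }

# 4. What the People Picker is currently configured to search for this web application.
$wa  = Get-SPWebApplication $webAppUrl
$cfg = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
if ($cfg.Count -eq 0) {
    "No explicit search domains: People Picker relies on the default (current forest and trusts)."
} else {
    $cfg | ForEach-Object { "Configured: {0} (IsForest={1}, LoginName={2})" -f $_.DomainName, $_.IsForest, $_.LoginName }
}
```

    Run it from an elevated SharePoint Management Shell on a farm server; an External, non-transitive trust or any BLOCKED port in section 2 points to the scenario Trevor's SearchActiveDirectoryDomains fix addresses.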
  • Quote: "What you quoted will not work. SharePoint cannot consume Foreign Security Principals (which is what you're doing by adding users from DOMAIN2 to a group in DOMAIN1, then adding the group from DOMAIN1 to SharePoint), it must have a reference to where the User object exists."

    Hi Trevor,

    I did not add the group from Domain1 to SharePoint. After configuring like I mentioned in AD, I was able to resolve the group from Domain2 in SharePoint. I have not run into any issues yet. Ideally I might have to look more into FSP. I understand and agree that UPA is separate from resolving users.


    Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

    Tuesday, March 3, 2015 6:27 PM
  • Okay, I see. Although FSPs aren't resolvable by SharePoint. Simply having the two-way trust is enough... again, edge cases aside.

    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, March 3, 2015 6:28 PM
  • What I found out in my case is that the people picker will not show the name, but if I type in domain2\user and click Share, it will resolve the name correctly. What am I missing?
    Tuesday, March 10, 2015 4:28 PM
  • I'm out of ideas but have a look at this link and see if it's your situation:

    http://thesharepointfarm.com/2013/03/selective-authentication-can-kill-the-people-picker-in-a-two-way-trust/

    Best regards.

    Tuesday, March 10, 2015 5:21 PM