Authenticate users from a trusted domain

  • Question

  • Greetings,

    I have two domains, A & B.  Domain A hosts all our user accounts; A\domain users.  In Domain B we host our applications, i.e., Exchange, IIS, SharePoint.

    I would like to have the default authentication into SharePoint be from users in Domain A using standard claims NTLM.

    Domain B trusts Domain A (1 way)

    Is this possible? How?

    Thank you


    Friday, December 20, 2013 8:51 PM


All replies

  • Yes, all you need to do is have a trust in place. Do you have a two-way trust?

    Trevor Seward, MCC


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, December 20, 2013 9:03 PM
  • Hi Trevor,

    Yes I forgot to mention that.  Domain B trusts Domain A.  1 way trust.

    When setting up the initial web app I found that I could not add anyone from Domain A to a group.  I actually could not see them.  I believe the issue is similar to this: http://social.technet.microsoft.com/Forums/sharepoint/en-US/6f59fd43-1b5e-482b-b710-ae0109831461/sharepoint-site-access-failed-to-authenticate-using-trusted-domain-credential?forum=sharepointadminprevious

    Unfortunately I do not have access to the policy and have to wait for the domain admin to set this up via GPO.

    Friday, December 20, 2013 9:15 PM
  • You need to configure SharePoint to leverage the one-way trust.

    Here's what you do:

    stsadm -o setapppassword -password "SomeValue"
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url http://webAppUrl

    You need to get a domain user account (just a standard domain user) from Domain A in order to insert the username and password (do not format it as DomainA\Username, just Username).


    Trevor Seward, MCC

    Friday, December 20, 2013 9:18 PM
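    As an added illustration (not from the thread or from SharePoint itself): the -pv value above is a ';'-separated list of forest:/domain: entries, each optionally carrying ',user,password' for a domain reached over the one-way trust, and setapppassword sets the key SharePoint uses to encrypt those stored credentials, so it must be run (with the same value) on every server in the farm before they can be stored. The checker below parses such a value and flags the two mistakes discussed in this thread, a DOMAIN\user-formatted account and a missing setapppassword; the function and class names are my own.

```python
# Added example (not from the thread or from SharePoint): sanity-check a
# peoplepicker-searchadforests value before passing it to stsadm. Assumed format,
# taken from the command above: ';'-separated 'forest:NAME' / 'domain:NAME' entries,
# each optionally followed by ',USER,PASSWORD' for a domain reached over a one-way trust.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SearchEntry:
    kind: str             # "forest" or "domain"
    name: str             # DNS name, e.g. domaina.com
    user: Optional[str]   # account SharePoint uses to query this domain, if any
    password: Optional[str]


def parse_search_ad_forests(value: str) -> List[SearchEntry]:
    """Split the property value into entries; raise ValueError on anything malformed."""
    entries = []
    for raw in (p.strip() for p in value.split(";")):
        if not raw:
            continue
        kind, sep, rest = raw.partition(":")
        if sep != ":" or kind not in ("forest", "domain"):
            raise ValueError(f"entry must start with 'forest:' or 'domain:': {raw!r}")
        parts = rest.split(",")
        if len(parts) == 1:
            entries.append(SearchEntry(kind, parts[0], None, None))
        elif len(parts) == 3:
            entries.append(SearchEntry(kind, parts[0], parts[1], parts[2]))
        else:  # a ',' inside the user or password breaks the format; avoid ',' and ';'
            raise ValueError(f"expected NAME or NAME,USER,PASSWORD: {raw!r}")
    return entries


def lint_search_ad_forests(value: str, app_password_set: bool) -> List[str]:
    """Return problems to fix before 'stsadm -o setproperty'. app_password_set: whether
    'stsadm -o setapppassword' has been run on this server (same value farm-wide), which
    is required before credentials can be stored."""
    problems = []
    for e in parse_search_ad_forests(value):
        if e.user is None:
            continue  # no credentials to store for this entry
        if "\\" in e.user or "@" in e.user:
            problems.append(f"{e.name}: use a bare username, not {e.user!r}")
        if not e.password:
            problems.append(f"{e.name}: empty password for user {e.user!r}")
        if not app_password_set:
            problems.append(f"{e.name}: run setapppassword first so the credentials can be encrypted")
    return problems
```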
  • Hello,

    In addition, if you have firewalls, you need to have the LDAP port open from the SharePoint server to Domain A. The People Picker will make LDAP searches to the two domains.

    Sunday, December 22, 2013 11:11 PM
  • It isn't just LDAP, you need a range of ports open, which are detailed here:

    http://blogs.technet.com/b/wbaer/archive/2009/01/21/people-picker-port-protocol-requirements.aspx

    I also created an application to help test, which you can find here:

    https://peoplepicker.codeplex.com/


    Trevor Seward

    Sunday, December 22, 2013 11:13 PM
  • Yes, you're right, thanks for the clarification.
    Sunday, December 22, 2013 11:14 PM
  • Hello Trevor,

    Thank you for your help.

    I have run the People Picker Tester and found that I am able to connect to the following ports:

    CONNECTED: tcp/389, tcp/686, tcp/135, tcp/139, tcp/3268, tcp/445

    and FAILED to connect to: tcp/137, tcp/138, tcp/3269, tcp/53, tcp/749, tcp/750

    The LDAP test does show a list of all my users from Domain A.  Are all of the failed ports required?  I'm wondering since I did get results from the LDAP test.

    With my new web application and site collection I cannot see any Domain A users, although I have not run the two stsadm commands yet.  Should I be able to, or do I need to run the two stsadm commands you previously mentioned?

    My next question is around the two stsadm commands.

    The first command:

    stsadm -o setapppassword -password "SomeValue"

    1) What am I actually doing here? 

    2) Where will this password be used?

    3) Is the password arbitrary or does it need to be a password for the user I will be using in the second stsadm command?

    The second command:

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url http://webAppUrl

    1) Is this command setting my default people picker domain search to Domain A accounts?

    2) For testing I'm going to use my Domain A account in the command, is that acceptable?  It just needs to be an account in Domain A, correct?

    Thursday, December 26, 2013 5:02 PM
  • I usually don't like to type in commands unless I know exactly what the outcome will be, but it is a dev environment.  I typed in the first stsadm command and tested.  Nothing.  I then typed in the second stsadm command and voilà!  Working.  Thanks for your help.

    Thursday, December 26, 2013 9:27 PM