SharePoint in trusted domains

Recently, a client called me saying that they had just added a domain through a trust relationship and therefore wanted to use the users from the trusted domain in SharePoint.

My first reaction was "OK, no problem", but first I needed some parameters:

  • Trust type and direction, and whether it is external or forest: two-way and external
  • Name of the forest
  • Name of the domain
  • Name of one domain controller
  • An account in the trusted domain with permission to authenticate

Once I had all this information, I started to prepare the commands for the test environment.

So, let’s start:

First it is necessary to set a password to encrypt all the traffic:

STSADM.exe -o setapppassword -password "encrypt"

The following command allows users to be searched in both domains:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:maindomain.com;trusteddomain,trusteddomain\usrauthenticate,Password" -url http://webapp

Once that was done, it was possible to pick users from the trusted domain. Next it is necessary to configure search so that users from the trusted domain can execute searches, which can be done with the following commands:

$searchapp = Get-SPEnterpriseSearchServiceApplication
$searchapp.SetProperty("ForceClaimACLs", 1)

OK, fair enough, but once I had tested this I tried to do the same in Production, and that was when the problems began...

First I reproduced all the steps above, but when I tried to use the People Picker, I received the following error:

"There was an error during the callback"

In order to fix this error I had to update the permissions on the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure" on each Web Front End server. The local groups need the following permissions:

WSS_WPG – Read

WSS_ADMIN_WPG – Full

WSS_RESTRICTED_WPG_V4 – Full

I tried again, and I was stuck on the same step, with the same error again 😦

So I executed the following command to restore the people picker to its previous state:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "" -url http://webapp

OK, now the people picker was working only for the domain where SharePoint is installed. So I dug through the web for more information and tried several more times to find out what was happening.

I tried several IISResets with no luck, so that was not the way to solve the problem... My next thought was to check the logs to see the problem itself and the error it was throwing, and I saw the following:

Decryption failed with error: 0

at Microsoft.SharePoint.Administration.SPCredentialManager.DecryptWithApplicationCredentialKey(Byte[] rgbEncryptedPassphrase)

Very strange... the word "EncryptedPassphrase" was the key to all this mystery.

So I tried again to execute the following:

STSADM.exe -o setapppassword -password "encrypt"

But this time I executed it on all the servers of the farm, and then ran the following once more:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:maindomain.com;trusteddomain,trusteddomain\usrauthenticate,Password" -url http://webapp

And voilà! Now the people picker is working for both domains. I don't know why it was throwing the error; perhaps another day I will look into this matter with more time.
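The whole procedure above (the application credential key on every farm server first, then the people picker entry for the trusted domain, then a read-back check) as one PowerShell script. This is an added example, not code from the original post; it assumes SharePoint 2010 (the 14 hive), the SharePoint Management Shell run as a farm administrator on one farm server, PowerShell remoting enabled towards the other farm servers, and reuses the placeholder names from the post (maindomain.com, trusteddomain, trusteddomain\usrauthenticate, http://webapp).

```powershell
# Added example, not from the original post. Assumptions: SharePoint 2010 (14 hive),
# run in the SharePoint Management Shell as a farm administrator, PowerShell remoting
# enabled to the farm servers, placeholder names taken from the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "http://webapp"
$trustedCred = Get-Credential -Message "Trusted-domain lookup account (e.g. trusteddomain\usrauthenticate)"
$appKey      = Read-Host -AsSecureString -Prompt "Application credential key (must be identical on all servers)"

# 1. setapppassword sets the key SharePoint uses to encrypt the stored lookup password.
#    Every SharePoint server (WFE and application) must hold the same key; a server
#    that did not get it fails in DecryptWithApplicationCredentialKey, which is the
#    error in the log above. The database server reports Role "Invalid" and is skipped.
$stsadm   = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\BIN\STSADM.EXE"
$plainKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($appKey))
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne "Invalid" })) {
    Invoke-Command -ComputerName $server.Address -ArgumentList $stsadm, $plainKey -ScriptBlock {
        param($exe, $key)
        & $exe -o setapppassword -password $key
    }
}

# 2. Equivalent of "stsadm -o setproperty -pn peoplepicker-searchadforests" through the
#    object model: the local forest plus the trusted domain with its lookup credential.
$webApp  = Get-SPWebApplication $webAppUrl
$domains = $webApp.PeoplePickerSettings.SearchActiveDirectoryDomains
$domains.Clear()

$forest = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$forest.DomainName = "maindomain.com"
$forest.IsForest   = $true
$domains.Add($forest)

$trusted = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$trusted.DomainName = "trusteddomain"
$trusted.IsForest   = $false
$trusted.LoginName  = $trustedCred.UserName
$trusted.SetPassword($trustedCred.Password)   # stored encrypted with the key from step 1
$domains.Add($trusted)
$webApp.Update()

# 3. Read the setting back: the password is never displayed, only where lookups will go.
(Get-SPWebApplication $webAppUrl).PeoplePickerSettings.SearchActiveDirectoryDomains |
    Select-Object DomainName, IsForest, LoginName | Format-Table -AutoSize
```

Step 1 is the part the post found missing in Production: running setapppassword on a single server leaves the other servers unable to decrypt the stored credential when they serve the people picker callback.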

In case you want to configure the people picker with PowerShell commands, I recommend keeping an eye on the following posts:

http://blogs.technet.com/b/yashgoel-msft/archive/2012/09/26/powershell-equivalent-of-stsadm-o-setproperty-pn-peoplepicker-searchadforests.aspx
http://i1.blogs.msdn.com/b/voyage/archive/2016/03/05/restrict-people-picker-to-get-users-from-a-particular-domain.aspx
http://john314159.blogspot.com.es/2016/01/enabling-sharepoint-2013-peoplepicker.html
http://www.sharepointlovers.com/sharepoint-powershell-set-scope-of-people-picker-to-particular-domain/

Till next time folks!
