Comments on: The SharePoint PeoplePicker isn’t showing users from a trusted domain http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/?utm_source=rss&utm_medium=rss&utm_campaign=the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain Technical notes for tricky situations Mon, 25 Jul 2011 04:29:00 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Rob http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-327 Rob Thu, 11 Nov 2010 16:16:57 +0000 http://kipper.org.uk/?p=55#comment-327 Did recreating the site collection work, Gavin? Glad I was of some help :) Did recreating the site collection work, Gavin? Glad I was of some help :)

]]> By: Gavin Pollock http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-324 Gavin Pollock Thu, 21 Oct 2010 11:17:41 +0000 http://kipper.org.uk/?p=55#comment-324 Rob, thanks so much for all that info. It really helped me clarify my thoughts. I had done the apppassword and all the rest pretty much. Checked the DNS settings and all, but at the same time the User Profile Sync Connection to the same domain was working with that account and returning user accounts. Eventually, though I would create a standard web application on another port to see if I still had issues. Went as Farm Admin to the web applications, and the 'New' was greyed out. Strange... Logged in as Domain Admin and had the permissions to create the Web App. So then tried to run the script as Domain Admin rather than Farm Admin, and hey presto the property got created (validated with Get-Property), on both the new web app, and the existing one. Now the new web app is correctly searching the User Domain, as is the root site collection of the existing web app. However the tenant site collection created under that is giving another error now: Claims Search call failed. Error Message: Object reference not set to an instance of an object. Callstack: at Microsoft.SharePoint.WebControls.PeopleQueryControl.IssueClaimsQuery(String searchPattern, String providerID, String hierarchyNodeID, Int32 pageSize, SPProviderHierarchyTree spgroupTree). I'm going to try delete the site collection for the tenant and recreate it all as Domain Admin and see if it works then! Cheers Gavin Rob, thanks so much for all that info. It really helped me clarify my thoughts. I had done the apppassword and all the rest pretty much.

Checked the DNS settings and all, but at the same time the User Profile Sync Connection to the same domain was working with that account and returning user accounts.

Eventually, though I would create a standard web application on another port to see if I still had issues. Went as Farm Admin to the web applications, and the ‘New’ was greyed out. Strange… Logged in as Domain Admin and had the permissions to create the Web App.

So then tried to run the script as Domain Admin rather than Farm Admin, and hey presto the property got created (validated with Get-Property), on both the new web app, and the existing one.

Now the new web app is correctly searching the User Domain, as is the root site collection of the existing web app. However the tenant site collection created under that is giving another error now:

Claims Search call failed. Error Message: Object reference not set to an instance of an object. Callstack: at Microsoft.SharePoint.WebControls.PeopleQueryControl.IssueClaimsQuery(String searchPattern, String providerID, String hierarchyNodeID, Int32 pageSize, SPProviderHierarchyTree spgroupTree).

I’m going to try delete the site collection for the tenant and recreate it all as Domain Admin and see if it works then!

Cheers
Gavin

]]> By: Rob http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-319 Rob Tue, 19 Oct 2010 10:55:36 +0000 http://kipper.org.uk/?p=55#comment-319 I'm more experienced with 2007, rather than 2010, but my understanding is that the same steps are needed to overcome domain trust issues. You didn't mentioning running the step: stsadm –o setapppassword –password MyPassword If you didn't first set the encryption key, you can't store the domain password to access the other domains. This could cause the failure to store the value highlighted by the use of the getproperty command. You also don't mention the nature of the trusts, so it's difficult to give much advice. 2010 is much more strict than 2007 out of the box - only the local domain will be searched now, unlike 2007. Of course, there is another potential issue with trust relationships over domains - the ports need to be opened. Depending on the nature of the "resource" domain, they may well be safeguarded over the network. Off the top of my head, you need at least 88, 139 and 445 open. You also need to make sure that DNS is set correctly - if domain resolution on your local domain doesn't point you to the correct remote domain servers, the resolution won't work. Other possibilities include slightly incorrect syntax in your instruction. First, you need to make sure you are specifiying the specific top level web application, not the server. If your web application path is http://exampledomain.org/sites/ then specifying stsadm -o setproperty -url http://exampledomain.org -pn “peoplepicker-searchadforests” -pv “domain:domainname.co.uk,DOMAIN\ADUserAccess,xxxxx” won't work - it has to be the full web application URL. Next, specifying the domain is rather a pain too. you need to specify all the domains involved, which will include the local domain, not just the remote user domain. You need to make sure you specify the AD domain name, which isn't necessarily the same as the email address or usernames, depending on the config - many use abstract *.local domain names. putting it together from these examples, you'd need something like: stsadm –o setapppassword –password MyPassword followed by: stsadm -o setproperty -url http://exampledomain.org/sites/ -pn “peoplepicker-searchadforests” -pv “domain:resourcedomain.local;domain:userdomain.local,USERDOMAIN\ADUserAccess,xxxxx” I’m more experienced with 2007, rather than 2010, but my understanding is that the same steps are needed to overcome domain trust issues.

You didn’t mentioning running the step:

stsadm –o setapppassword –password MyPassword

If you didn’t first set the encryption key, you can’t store the domain password to access the other domains. This could cause the failure to store the value highlighted by the use of the getproperty command.

You also don’t mention the nature of the trusts, so it’s difficult to give much advice. 2010 is much more strict than 2007 out of the box – only the local domain will be searched now, unlike 2007. Of course, there is another potential issue with trust relationships over domains – the ports need to be opened. Depending on the nature of the “resource” domain, they may well be safeguarded over the network. Off the top of my head, you need at least 88, 139 and 445 open. You also need to make sure that DNS is set correctly – if domain resolution on your local domain doesn’t point you to the correct remote domain servers, the resolution won’t work.

Other possibilities include slightly incorrect syntax in your instruction. First, you need to make sure you are specifiying the specific top level web application, not the server. If your web application path is http://exampledomain.org/sites/ then specifying

stsadm -o setproperty -url http://exampledomain.org -pn “peoplepicker-searchadforests” -pv “domain:domainname.co.uk,DOMAIN\ADUserAccess,xxxxx”

won’t work – it has to be the full web application URL.

Next, specifying the domain is rather a pain too. you need to specify all the domains involved, which will include the local domain, not just the remote user domain. You need to make sure you specify the AD domain name, which isn’t necessarily the same as the email address or usernames, depending on the config – many use abstract *.local domain names. putting it together from these examples, you’d need something like:

stsadm –o setapppassword –password MyPassword

followed by:

stsadm -o setproperty -url http://exampledomain.org/sites/ -pn “peoplepicker-searchadforests” -pv “domain:resourcedomain.local;domain:userdomain.local,USERDOMAIN\ADUserAccess,xxxxx”

]]> By: Gavin Pollock http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-318 Gavin Pollock Fri, 15 Oct 2010 15:00:31 +0000 http://kipper.org.uk/?p=55#comment-318 Hi there, We have just setup a multi-tenancy SP 2010 environment, where the User domain is separate from the Resource (Server) domain. I have setup a hostname based site collection for a test company and everything seems to be working correctly, including the User Profile Application correctly retrieving their profiles from the User domain (when you specify the OU of the company with the Set-SPSiteSubscriptionConfig cmdlet + in conjunction have a Sync Connection setup to retrieve the accounts from the other domain) But the People picker just isn't playing ball. I am running the command: stsadm -o setproperty -url "http://app01" -pn "peoplepicker-searchadforests" -pv "domain:domainname.co.uk,DOMAIN\ADUserAccess,xxxxx" as I thought maybe this was required in addition. But then the result of the Get command to check is that the property doesn't exist: stsadm.exe -o getproperty -url http://app01 -pn "peoplepicker-searchadforests" Any ideas!? Thanks Gavin Hi there,
We have just setup a multi-tenancy SP 2010 environment, where the User domain is separate from the Resource (Server) domain.

I have setup a hostname based site collection for a test company and everything seems to be working correctly, including the User Profile Application correctly retrieving their profiles from the User domain (when you specify the OU of the company with the Set-SPSiteSubscriptionConfig cmdlet + in conjunction have a Sync Connection setup to retrieve the accounts from the other domain)

But the People picker just isn’t playing ball.
I am running the command:
stsadm -o setproperty -url “http://app01″ -pn “peoplepicker-searchadforests” -pv “domain:domainname.co.uk,DOMAIN\ADUserAccess,xxxxx”
as I thought maybe this was required in addition. But then the result of the Get command to check is that the property doesn’t exist:
stsadm.exe -o getproperty -url http://app01 -pn “peoplepicker-searchadforests”

Any ideas!?
Thanks
Gavin

]]> By: Tom http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-283 Tom Fri, 22 Jan 2010 20:50:49 +0000 http://kipper.org.uk/?p=55#comment-283 Also we have multple domains as well, all are two way and verified no issues. only one domain has this issue default and another have no issues I can find those accounts. Also we have multple domains as well, all are two way and verified no issues.
only one domain has this issue default and another have no issues I can find those accounts.

]]> By: Tom http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-282 Tom Fri, 22 Jan 2010 20:48:57 +0000 http://kipper.org.uk/?p=55#comment-282 We have the exact problem accept we have a two way trust and peoplepicker is only finding users inside their own sites. We have verified that the property is not set it states "NO" We have run almost in not all STSADM commands available no affect. Reuilt the SSP's and all WFE'S No affect. Some users can sign in but have no access just get read only and some get request access page. If they get request access page I can then add them. Very weird scenario and have no clues this issue has been happening now for like 2 months and no body seems to have a clue not even Microsoft We have the exact problem accept we have a two way trust and peoplepicker is only finding users inside their own sites.
We have verified that the property is not set it states “NO”
We have run almost in not all STSADM commands available no affect.
Reuilt the SSP’s and all WFE’S No affect.
Some users can sign in but have no access just get read only and some get request access page.
If they get request access page I can then add them.
Very weird scenario and have no clues this issue has been happening now for like 2 months and no body seems to have a clue not even Microsoft

]]> By: Rob http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-166 Rob Mon, 26 Oct 2009 12:40:32 +0000 http://kipper.org.uk/?p=55#comment-166 Hi Tom - hopefully the new post on More People Picker Issues will be helpful - http://kipper.org.uk/index.php/2009/10/more-people-picker-issues/ Hi Tom – hopefully the new post on More People Picker Issues will be helpful – http://kipper.org.uk/index.php/2009/10/more-people-picker-issues/

]]> By: Tom http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-165 Tom Fri, 23 Oct 2009 19:34:53 +0000 http://kipper.org.uk/?p=55#comment-165 Few details first We have a MOSS 2007 FARM AND 3 DOMAINS all have a two way trust. We have over 78 sites all of which stopped with no known reason from being able to find users that are in one of the domains we can find the users in the view profiles yet we can no longer find users using peoplepicker for any users from the one domain. We have tried this command you have provided and they come back with commandline error stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:full domain name,-userlogin domain\username password –url http://webapp url Any help would be great we have been stumped for over a week, Few details first
We have a MOSS 2007 FARM AND 3 DOMAINS all have a two way trust.
We have over 78 sites all of which stopped with no known reason from being able to find users that are in one of the domains we can find the users in the view profiles yet we can no longer find users using peoplepicker for any users from the one domain.
We have tried this command you have provided and they come back with commandline error
stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:full domain name,-userlogin domain\username password –url http://webapp url

Any help would be great we have been stumped for over a week,

]]> By: Gene http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-151 Gene Thu, 23 Jul 2009 02:56:10 +0000 http://kipper.org.uk/?p=55#comment-151 Hi, This is exactly what I am looking for. I am currently setting up an extranet at my work. Qustion. How do you incorporate filter strings to the above example? For example, I want to return only accounts that are active. Thanks Hi,

This is exactly what I am looking for. I am currently setting up an extranet at my work. Qustion. How do you incorporate filter strings to the above example? For example, I want to return only accounts that are active.

Thanks

]]> By: Chandrika http://kipper.org.uk/index.php/2009/05/the-sharepoint-peoplepicker-isnt-showing-users-from-a-trusted-domain/comment-page-1/#comment-79 Chandrika Fri, 22 May 2009 05:16:36 +0000 http://kipper.org.uk/?p=55#comment-79 Hi , When i login with external user in to the sharepoint site i am not able to see all AD users but when log in with AD user then i am able to see all the users from the domain in people picker. we are using ECTS to add External user. Please help me solve this issue its very critical. Thanks in advance Hi ,
When i login with external user in to the sharepoint site i am not able to see all AD users but when log in with AD user then i am able to see all the users from the domain in people picker.
we are using ECTS to add External user.

Please help me solve this issue its very critical.

Thanks in advance

]]>