SharePoint People Picker, Audiences And Active Directory Trusts

The following post covers issues I came across when configuring SharePoint 2010 to work with an Active Directory (AD) trust. In this scenario, SharePoint and its user accounts are in domain A and a two-way transitive trust has been created with domain B. Domain B holds new users who need access to SharePoint.

The first issue was the error below, which occurred when setting permissions for AD users and groups from domain B using the People Picker.

No exact match was found. Click the item(s) that did not resolve for more options

As a two-way trust exists between the two domains and the web application is using Windows authentication, SharePoint should have been able to locate users and groups in the trusted domain. However, this wasn't the case and I had to run the commands on this page http://technet.microsoft.com/en-us/library/cc263460.aspx. The stsadm.exe -o setapppassword -password <password> command has to be run on every SharePoint server running the Windows SharePoint Services Web Application service. The stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv <list of forests or domains> -url <webapp> command is run once, on one SharePoint server running the Windows SharePoint Services Web Application service.
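The two commands above, as an added PowerShell example that is not part of the original post: the script is meant to be run locally on each server that hosts the web application service, and the -pv value follows the "domain:<DNS name>,<login>,<password>;..." format documented on the TechNet page linked above. The server list, web application URL, domain names and lookup account are assumed placeholders, as is the -SetSearchForests switch, which exists only so the same script can be reused on every server while the per-web-application property is set just once.

```powershell
# Added example (not from the original post): run on every SharePoint 2010 server
# hosting the web application service. Pass -SetSearchForests on exactly one server.
param(
    [switch]$SetSearchForests    # assumed switch: set the per-web-application forest list from this server
)

$WebAppUrl   = "http://intranet.domaina.local"   # assumed web application URL
$AppPassword = "<app-password>"                  # must be identical on every server (encrypts the stored lookup credentials)
$LookupUser  = "DOMAINB\svc_sp_lookup"           # assumed account in domain B with read-only directory access
$LookupPass  = "<lookup-password>"

# Format from the TechNet page: domain:<DNS name>[,<login>,<password>];forest:<DNS name>[,<login>,<password>]
# Domain A is listed without credentials so the web application identity keeps resolving local users;
# domain B is listed with the low-privilege lookup account because the trusted side needs explicit credentials.
$Forests = "domain:domaina.local;domain:domainb.com,$LookupUser,$LookupPass"

# stsadm.exe location for SharePoint 2010 (the "14" hive)
$Stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe"
if (-not (Test-Path $Stsadm)) { throw "stsadm.exe not found at $Stsadm" }

# Step 1 (every server): the application password is the key each front end uses to
# decrypt the credentials stored by setproperty, so all servers must share the same value.
& $Stsadm -o setapppassword -password $AppPassword
if ($LASTEXITCODE -ne 0) { throw "setapppassword failed with exit code $LASTEXITCODE" }

# Step 2 (one server only): peoplepicker-searchadforests is stored per web application.
if ($SetSearchForests) {
    & $Stsadm -o setproperty -pn peoplepicker-searchadforests -pv $Forests -url $WebAppUrl
    if ($LASTEXITCODE -ne 0) { throw "setproperty failed with exit code $LASTEXITCODE" }

    # Read the stored value back to confirm both domains are listed.
    & $Stsadm -o getproperty -pn peoplepicker-searchadforests -url $WebAppUrl
}
```

Two points worth checking afterwards: the lookup account only needs read access to domain B, so a dedicated account rather than a farm or administrative account keeps the stored credential low-value, and the application password is only an encryption key for those stored credentials, so if any server runs setapppassword with a different value, People Picker lookups against domain B fail on that server while working on the others.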

The next issue occurred when using the Audience Picker to set an audience on a web part for a group from domain B. Unlike the People Picker, which queries AD directly, the Audience Picker queries the user profile database for imported users. In this case I was able to search for the security group from the trusted domain, and the group was listed as containing members, but the audience setting failed to work. This error was caused by a mismatch between the NetBIOS name of domain B and its FQDN, e.g. the NetBIOS name was DOMAINB-XY and the FQDN was DOMAINB.COM. In order to fix the problem I followed the steps listed here http://blogs.msdn.com/b/russmax/archive/2010/03/20/sharepoint-2010-provisioning-user-profile-synchronization.aspx. The basic steps are:

  1. Ensure the Replicate Directory Changes permission has been correctly granted to the synchronization account on domain B http://technet.microsoft.com/en-us/library/hh296982.aspx
  2. Set the NetBiosDomainNamesEnabled property to true for the User Profile Service Application
  3. Delete and recreate the AD connection within SharePoint for the import of users from domain B
  4. Import users from domain B.
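Steps 2 and 3 as an added PowerShell example (not code from the original post or the linked article); step 1 is done in AD beforehand and step 4 is started from Central Administration. The connection name, forest, domain, OU and synchronization account are assumed placeholders, and the Remove-SPProfileSyncConnection / Add-SPProfileSyncConnection calls assume the existing connection was created with the same forest, domain, OU and account values.

```powershell
# Added example (not from the original post): enable NetBIOS domain names on the
# User Profile Service Application and recreate the synchronization connection to domain B.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa = Get-SPServiceApplication | Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (-not $upa) { throw "User Profile Service Application not found in this farm" }

# Step 2: with this flag off, the import records domain B under its DNS name (DOMAINB.COM)
# while account names carry the NetBIOS name (DOMAINB-XY), so audience membership never matches.
if (-not $upa.NetBiosDomainNamesEnabled) {
    $upa.NetBiosDomainNamesEnabled = $true
    $upa.Update()
}

# Assumed connection values: replace with the domain B values actually used in the farm.
$Forest   = "domainb.com"                    # assumed forest DNS name
$Domain   = "domainb.com"                    # assumed domain DNS name
$SyncOU   = "OU=Users,DC=domainb,DC=com"     # assumed OU to synchronize
$SyncUser = "DOMAINB-XY\svc_sp_sync"         # assumed account holding Replicate Directory Changes on domain B
$SyncPass = Read-Host "Password for $SyncUser" -AsSecureString

# Step 3: the flag applies only to connections created after it is set, so the
# existing connection to domain B has to be deleted and created again.
Remove-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $Forest -ConnectionDomain $Domain `
    -ConnectionUserName $SyncUser -ConnectionPassword $SyncPass `
    -ConnectionSynchronizationOU $SyncOU

Add-SPProfileSyncConnection -ProfileServiceApplication $upa `
    -ConnectionForestName $Forest -ConnectionDomain $Domain `
    -ConnectionUserName $SyncUser -ConnectionPassword $SyncPass `
    -ConnectionSynchronizationOU $SyncOU

# Step 4 is a full synchronization, started from Central Administration.
Write-Output "NetBiosDomainNamesEnabled = $($upa.NetBiosDomainNamesEnabled); start a full import for domain B now."
```

Note that when NetBIOS names are enabled, the synchronization account needs the Replicate Directory Changes permission on the Configuration naming context of domain B as well as on the domain itself, which is the case the step 1 TechNet page covers; an import that silently leaves the NetBIOS name empty is usually this permission missing rather than the property failing to take effect.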