
Users from a trusted domain not resolving in the Central Administration People Picker

I ran into an issue recently with the People Picker in SharePoint 2013. In this case, I had a development VM joined to a domain (habaneros.com) and needed to add a web application user policy for users from another one-way trusted domain (contoso.com).

Diagram showing domain trust and location of farm and users

I configured the peoplepicker-searchadforests property in Central Administration but the users wouldn't resolve.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://CentralAdmin

I tried IIS resets and changing the value of the property a number of times. I ran a Network Monitor capture to compare the people picker query against a query from Local Users and Groups (where the users did resolve). I couldn’t figure it out.

People picker with the name unresolved

Out of frustration I set the property for the web application to see if it was something weird with Central Administration.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://webapp

I tried to resolve a user in the web application and it worked. Dumbfounded, I went back to Central Administration and the names were now resolving there as well. A lightbulb went off in my brain and everything became immediately obvious.

People picker with the user resolved

The web application user policy is a property of the web application, not Central Administration. The users weren’t resolving because I hadn’t yet set the peoplepicker-searchadforests property for the web application. Once both were set, the people picker could then resolve the users:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://CentralAdmin
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://webapp

Setting the property for both Central Administration and the Web Application should allow you to resolve names when adding a web application user policy for users in a trusted domain.
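
The check below is an added example, not part of the original post: it lists every web application, Central Administration included, and reports whether the trusted forest appears in its People Picker settings. It assumes a PowerShell session run as a farm administrator on a SharePoint 2013 server; contoso.com is the trusted forest from the post, and the function and column names are chosen here for illustration.

```powershell
# Added example: audit People Picker forest settings on every web application.
# Read-only; it changes nothing in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Trusted forest from the post; change this for your environment.
$trustedForest = 'contoso.com'

# Hypothetical helper: summarise the peoplepicker-searchadforests state of one web application.
function Get-PeoplePickerForestStatus {
    param(
        [Parameter(Mandatory = $true)] $WebApplication,
        [Parameter(Mandatory = $true)] [string] $Forest
    )

    # Each entry corresponds to one "forest:" or "domain:" item set through stsadm.
    $entries = @($WebApplication.PeoplePickerSettings.SearchActiveDirectoryDomains)
    $forests = @($entries | Where-Object { $_.IsForest })

    [pscustomobject]@{
        Url               = $WebApplication.Url
        IsCentralAdmin    = $WebApplication.IsAdministrationWebApplication
        ConfiguredForests = ($forests | ForEach-Object { $_.DomainName }) -join '; '
        # Account used to query each forest; empty means the application pool identity.
        LoginNames        = ($forests | ForEach-Object { $_.LoginName } |
                                Where-Object { $_ }) -join '; '
        # -contains is case-insensitive, so CONTOSO.COM also matches.
        HasTrustedForest  = (@($forests | ForEach-Object { $_.DomainName }) -contains $Forest)
    }
}

# -IncludeCentralAdministration matters: without it Central Administration is skipped,
# which hides exactly the half of the configuration this post is about.
$report = Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Get-PeoplePickerForestStatus -WebApplication $_ -Forest $trustedForest
}

$report | Format-Table -AutoSize -Wrap

# Flag any web application that still lacks the trusted forest.
$report | Where-Object { -not $_.HasTrustedForest } | ForEach-Object {
    Write-Warning "$($_.Url) has no forest entry for $trustedForest"
}
```

A web application that appears in the warning list is one where users from the trusted forest will not resolve until the property is set for its URL.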
