Users from a trusted domain not resolving in the Central Administration People Picker

I ran into an issue recently with the People Picker in SharePoint 2013. In this case, I had a development VM joined to a domain (habaneros.com) and needed to add a web application user policy for users from another one-way trusted domain (contoso.com).

[Diagram: domain trust between habaneros.com and contoso.com, showing the location of the farm and the users]

I configured the peoplepicker-searchadforests property for Central Administration, but the contoso.com users still wouldn't resolve.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://CentralAdmin

I tried IIS resets and changing the value of the property a number of times. I ran a Network Monitor capture to compare the people picker query against a query from Local Users and Groups (where the users did resolve). I couldn’t figure it out.

[Screenshot: People Picker with the name unresolved]

Out of frustration, I set the property for the web application to see if it was something weird with Central Administration.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://webapp

I tried to resolve a user in the web application and it worked. Dumbfounded, I went back to Central Administration and the names were now resolving there as well. A light bulb went off in my brain and everything became immediately obvious.

[Screenshot: People Picker with the user resolved]

The web application user policy is a property of the web application, not Central Administration. The users weren’t resolving because I hadn’t yet set the peoplepicker-searchadforests property for the web application. Once both were set, the people picker could then resolve the users:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://CentralAdmin
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://webapp

Setting the property for both Central Administration and the web application is what allows the People Picker to resolve names when you add a web application user policy for users in a trusted domain.
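The same fix expressed against the SharePoint object model, as an added example that is not part of the original post. It applies the forest list to both Central Administration and the content web application, reads the lookup account's password with Read-Host instead of placing it on the command line where it lands in shell history and process listings, and then prints both configurations so they can be compared. The URL http://webapp, the forests habaneros.com and contoso.com and the account contoso\ReadAccount are the post's own placeholders; run this from the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example (not the original post's code): configure the People Picker
# forest list for BOTH Central Administration and a content web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$contentWebAppUrl = "http://webapp"        # assumption: the post's content web application
$lookupAccount    = "contoso\ReadAccount"  # read-only account in the one-way trusted forest

# Prompt for the password rather than embedding it in the command line.
$lookupPassword = Read-Host -Prompt "Password for $lookupAccount" -AsSecureString

# Forests to search: the farm's own forest needs no credentials; the one-way
# trusted forest does, because the farm's accounts cannot be authenticated there.
$forests = @(
    @{ Forest = "habaneros.com" },
    @{ Forest = "contoso.com"; LoginName = $lookupAccount; Password = $lookupPassword }
)

function Add-PeoplePickerForest {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication,
        [string]$Forest,
        [string]$LoginName,
        [securestring]$Password
    )

    $domains = $WebApplication.PeoplePickerSettings.SearchActiveDirectoryDomains

    # Idempotent: leave an already-configured forest untouched.
    $existing = $domains | Where-Object { $_.DomainName -eq $Forest -and $_.IsForest }
    if ($existing) {
        Write-Host "$($WebApplication.DisplayName): $Forest already configured"
        return
    }

    $entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
    $entry.DomainName = $Forest
    $entry.IsForest   = $true            # "forest:" rather than "domain:" in stsadm terms
    if ($LoginName) {
        $entry.LoginName = $LoginName    # credentials used to query the trusted forest
        $entry.SetPassword($Password)
    }

    $domains.Add($entry)
    $WebApplication.Update()
    Write-Host "$($WebApplication.DisplayName): added forest $Forest"
}

function Show-PeoplePickerForests {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication)

    Write-Host "`n== $($WebApplication.DisplayName) ($($WebApplication.Url)) =="
    $WebApplication.PeoplePickerSettings.SearchActiveDirectoryDomains |
        Select-Object DomainName, IsForest, LoginName |
        Format-Table -AutoSize
}

# Central Administration is itself a web application, but Get-SPWebApplication
# hides it unless -IncludeCentralAdministration is passed.
$centralAdmin = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$contentWebApp = Get-SPWebApplication $contentWebAppUrl

# The post's root cause: the user policy belongs to the content web
# application, so its People Picker settings are consulted even though the
# dialog is opened from Central Administration. Configure both.
foreach ($wa in @($centralAdmin, $contentWebApp)) {
    foreach ($f in $forests) {
        Add-PeoplePickerForest -WebApplication $wa -Forest $f.Forest `
                               -LoginName $f.LoginName -Password $f.Password
    }
}

# Verify that the two web applications now carry the same forest list.
Show-PeoplePickerForests $centralAdmin
Show-PeoplePickerForests $contentWebApp
```

Two things worth knowing before running this. Storing credentials in this property requires the farm's application credential key to have been set on every server first (stsadm -o setapppassword -password <key>); without it the credentials cannot be encrypted and the update fails. And unlike the stsadm command in the post, which replaces the whole forest list each time it is run, the object-model call above appends, which is why the function checks for an existing entry before adding one.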
