SharePoint 2013 People Picker in a Two-Way Forest / Domain Trust


Introduction

For anyone wanting to let users from an Active Directory forest or domain connected by a two-way trust access sites in SharePoint 2013, there is a small gotcha: users from the trusted domain won’t just show up in the people picker as you’d expect.

But never fear, it’s a fairly simple process to explicitly tell SharePoint 2013 where to look for users. Once you’ve done this, the people picker and authentication will work immediately; there is no need to restart IIS or any other SharePoint 2013 farm processes.

Steps to fix the SharePoint 2013 People Picker in a Two-Way Trust

  1. Log into any SharePoint farm server (we chose our web front end) and open a SharePoint 2013 Management Shell.
  2. List your web applications by running the following command in the shell:
    Get-SPWebApplication
  3. Then run the following command for each of your web applications, substituting the example URL and domains with your web application URL and your local and trusted domain and/or forest.

    For a full forest trust:

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:MY-DOMAIN.local;forest:TRUSTED-DOMAIN.local;domain:MY-DOMAIN.local;domain:TRUSTED-DOMAIN.local" -url http://my-sp2013-site.com.au/

    For a domain trust only:

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:MY-DOMAIN.local;domain:MY-DOMAIN.local;domain:TRUSTED-DOMAIN.local" -url http://my-sp2013-site.com.au/
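The steps above, as an added example (not code from the original post), wrapped in a script for the SharePoint 2013 Management Shell: it builds the property value for either trust type, applies it to every web application the farm returns, and reads each property back so a mistyped value or URL is caught straight away. The domain names are the post’s placeholders.

```powershell
# Added example: apply peoplepicker-searchadforests to every web application and verify it.
# Domain names are placeholders taken from the post; replace them with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-PeoplePickerSearchValue {
    param(
        [Parameter(Mandatory)][string]$LocalDomain,
        [Parameter(Mandatory)][string]$TrustedDomain,
        [switch]$ForestTrust   # set this for a full forest trust; omit it for a domain trust only
    )
    # Forest trust:  forest:LOCAL;forest:TRUSTED;domain:LOCAL;domain:TRUSTED
    # Domain trust:  forest:LOCAL;domain:LOCAL;domain:TRUSTED
    $parts = @("forest:$LocalDomain")
    if ($ForestTrust) { $parts += "forest:$TrustedDomain" }
    $parts += "domain:$LocalDomain", "domain:$TrustedDomain"
    return ($parts -join ';')
}

function Set-PeoplePickerSearchForests {
    param([Parameter(Mandatory)][string]$Value)
    # Step 2 of the post: enumerate the web applications; step 3: set the property on each.
    foreach ($wa in Get-SPWebApplication) {
        $url = $wa.Url
        stsadm -o setproperty -pn peoplepicker-searchadforests -pv $Value -url $url | Out-Null
        # Read the property back; stsadm getproperty prints the stored value for the URL.
        $current = stsadm -o getproperty -pn peoplepicker-searchadforests -url $url
        Write-Host "$url -> $current"
    }
}

$value = New-PeoplePickerSearchValue -LocalDomain 'MY-DOMAIN.local' `
                                     -TrustedDomain 'TRUSTED-DOMAIN.local' -ForestTrust
Set-PeoplePickerSearchForests -Value $value
```

Drop the -ForestTrust switch to produce the domain-trust-only value shown in the post.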

That’s it!

You should now be able to add users and groups from both sides of the trust to your SharePoint 2013 site permissions.

Let me know below if this worked for you, or if you have found a better way to achieve this!

4 Comments

  1. Hello, Thanks a lot!!!

    It’s worked for me.

    PS: Before, you must define a secret key with the following command:
    STSADM -o setapppassword -password <password>

  2. We are having issues when we try to add a user to a SP group or grant user permissions.

    There is no error it just spins and no user added.

    We have 2 AD forests.

    If the user login exists in both forests, like domaina\user1 and domainb\user1,

    it will find 2 users in the people picker, but if I pick domainb\user1 it spins and nothing is added to the group.

    If there is only domainb\user2 and user2 doesn’t exist in domaina, then the user is added just fine.
