Selective Authentication can Kill the People Picker in a Two-Way Trust

One thing to watch out for in a two-way trust scenario with the People Picker. Typically, with a two-way forest trust, you do not have to make any changes to SharePoint for the People Picker to resolve users in the trusted forest.

However, if the Administrators of the target forest have chosen to implement Selective Authentication, you will run into an issue whereby users cannot be resolved in the remote domain.

[Image: SelectiveAuthentication]

The ULS log will display the following (this was a search for ‘user’):

Additionally, a Network Monitor trace from the SharePoint server will show the following entry at the time of the attempted search:

[Image: SelectiveAuthKerberos]

In this case, 10.10.20.18 is the SharePoint server, a member of Nauplius.local, and 10.10.20.25 is the Domain Controller for Contoso.local. With Selective Authentication in place, and with the Application Pool service account holding no explicit rights in Contoso.local that would let it resolve users, the KDC answers with KDC_ERR_POLICY and the lookup fails. To resolve this while keeping Selective Authentication, grant the Application Pool account (or any other account that needs to resolve users in the remote domain through the People Picker) the Allowed to Authenticate right on the Domain Controller computer objects in the remote domain. Do this for every Domain Controller computer object in the remote domain that the SharePoint server is able to authenticate to, not just the one seen in the trace.

[Image: AllowedtoAuth]


Because Contoso.local had never issued any Kerberos tickets to NAUPLIUS\s-sp2010apppool (in the above example), there is no need to log the account out of the SharePoint server(s); in other words, no iisreset is required.
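As an added example, not code from the original post, the following PowerShell script applies the fix described above: it grants the application pool account the Allowed to Authenticate extended right on every Domain Controller computer object in the remote domain, and can first be run in audit mode to report which DCs are missing the right. It assumes it is run by an administrator of the remote domain on a host with the ActiveDirectory module (RSAT) installed; the domain names (contoso.local, nauplius.local) and account name (s-sp2010apppool) are the post's example values, and the variable names and the RemoteAD drive name are this example's own choices.

```powershell
# Added example (not from the original post): grant the SharePoint application
# pool account the "Allowed to Authenticate" extended right on every Domain
# Controller computer object in the remote (trusting) domain, which is the fix
# the post describes for KDC_ERR_POLICY under Selective Authentication.
# Assumptions: run by an administrator of the remote domain on a host with the
# ActiveDirectory module (RSAT); domain and account names are the post's example
# values. Set $AuditOnly = $true to report without changing anything.
Import-Module ActiveDirectory

$RemoteDomain  = 'contoso.local'    # trusting forest whose users the People Picker must resolve
$AccountDomain = 'nauplius.local'   # forest that holds SharePoint and its service account
$AccountSam    = 's-sp2010apppool'  # application pool account from the post
$AuditOnly     = $false

# ACEs store SIDs, so resolve the account's SID in its home domain rather than
# relying on the remote DC translating a foreign account name.
$acctSid = (Get-ADUser -Identity $AccountSam -Server $AccountDomain).SID

# Look up the rightsGuid of "Allowed to Authenticate" in the configuration
# partition instead of hard-coding it.
$rootDse   = Get-ADRootDSE -Server $RemoteDomain
$rightObj  = Get-ADObject -Server $RemoteDomain `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$rightGuid = [Guid]$rightObj.rightsGuid

# Bind a PSDrive to the remote domain so Get-Acl / Set-Acl edit that directory.
if (-not (Get-PSDrive -Name RemoteAD -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name RemoteAD -PSProvider ActiveDirectory -Server $RemoteDomain -Root '' | Out-Null
}

# Every DC in the remote domain, since SharePoint may authenticate to any of them.
$dcs = Get-ADDomainController -Filter * -Server $RemoteDomain

foreach ($dc in $dcs) {
    $path = "RemoteAD:\$($dc.ComputerObjectDN)"
    $acl  = Get-Acl -Path $path

    # Compare against SID-form rules so the match does not depend on name translation.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $acctSid -and
            $_.ObjectType -eq $rightGuid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        }

    if ($existing) {
        Write-Host "$($dc.HostName): Allowed to Authenticate already granted to $AccountSam"
        continue
    }
    if ($AuditOnly) {
        Write-Host "$($dc.HostName): MISSING Allowed to Authenticate for $AccountSam (audit only)"
        continue
    }

    # Explicit Allow ACE for the single extended right, nothing broader.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $acctSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "$($dc.HostName): granted Allowed to Authenticate to $AccountSam"
}
```

Running it once with `$AuditOnly = $true` lists which Domain Controllers still lack the right, which is a quick way to confirm that the fix covers every DC SharePoint can reach rather than only the one that showed KDC_ERR_POLICY in the trace. The ACE is scoped to the single extended right on the DC computer objects, so Selective Authentication stays in force for everything else in the remote forest.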

10 Comments

  1. Is this for all authentication scenarios or just Kerberos? Also, what stsadm command needs to be run for this scenario?

  2. I have a two-way trust with a different domain in the same forest as the SharePoint server. I have a two-way trust with another forest, but those users will not resolve in the People Picker unless I run stsadm -o setproperty “Forest:abc.xyz.com”. I do not have to set a password or pass a user name/password, I just need to run setproperty with the forest name. Is that normal?

  3. I am not able to get to the link. Even if I split up the links into two parts with http and https, the first one is nothing and the second one asks for a user name and password.

  4. That is one more good thing to know. But my problem is a little bit different. Even if the forest has a two-way trust, I am not able to find users from that forest until I set up the stsadm command property with that forest name. After that, users are resolved in the People Picker and are granted access, and everything works fine. Does the People Picker only resolve domains with a two-way trust in the same forest as SharePoint, or should it also work for domains with a two-way forest trust outside the SharePoint forest?

    • Yes, it does work inter-forest. There could be other issues, as well, such as a Kerberos auth mismatch, especially if you’re using different versions of Windows for Domain Controllers on each forest’s PDC Emulator. A Netmon/Wireshark trace would be able to provide more information.

  5. Even for plain claims/NTLM, does Kerberos auth make a difference?
