We migrated a few SharePoint 2010 site collections to SharePoint 2013 but had to use classic authentication to preserve the users that were already in groups.

We have 2 AD domains with a one-way trust.

The problem now is that the people picker in these site collections only shows existing users from the trusted domain, and for new users, only {trusted domain}{user id} is possible for adding a new user from the trusted domain.

So I performed:

STSADM.exe -o setapppassword -password <>
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Main.local, main\me,myPassword; domain:second.local, main\me,myPassword" -url https://sites.contoso.com/

Now I could not even add users using {trusted domain}{user id}. No way to add any users from the trusted domain.

I checked the properties Peoplepicker_peopleeditoronlyresolvewithinsitecollection and Peoplepicker_onlysearchwithinsitecollection; they are either 'No' or do not exist.

What else can I do to support the secondary domain?

Ofer Gal

1 Answer

A couple of pointers:

  1. For the first domain there is no need to specify the password; the application pool service account should be part of Domain Users and able to query its own domain.
  2. As you have a one-way trust, you cannot use an account from your main forest to authenticate against the one-way trust domain.

So your command should look like:

STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Main.local; domain:second.local, second.local\me,myPassword" -url https://sites.contoso.com/
  3. There is one more thing that may happen, and that is a lack of permission on registry keys. Fire up Process Monitor from Sysinternals (on all front ends) and filter by access denied.

You might see access denied against the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure key.

Add WSS_WPG with read permission to that key.

Marek Sarad
  • Probably posting this question on the SharePoint.StackExchange would bring you an answer sooner; I just stumbled upon this question by chance. – Marek Sarad Feb 22 '17 at 15:58
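
A read-only way to confirm the two things the answer above points at, as an added example that is not part of the original question or answer: whether WSS_WPG can read the Secure registry key, and which account each People Picker search entry is configured to use. It assumes an elevated SharePoint Management Shell on each front-end server and the web application URL from the question; the function names are hypothetical.

```powershell
# Added example: read-only checks, nothing is modified.
# Assumptions: elevated SharePoint Management Shell; URL taken from the question.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'https://sites.contoso.com/'
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure'
$group     = 'WSS_WPG'
$readKey   = [System.Security.AccessControl.RegistryRights]::ReadKey

# True when an Allow rule for the group on the key includes ReadKey.
function Test-GroupCanReadKey {
    param([string]$Path, [string]$GroupName)
    $allow = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$GroupName" -and
        ($_.RegistryRights -band $readKey) -eq $readKey
    }
    return [bool]$allow
}

# Lists each forest/domain entry set through peoplepicker-searchadforests
# together with the login name stored for it (passwords are never shown).
function Get-PeoplePickerSearchDomain {
    param([string]$Url)
    $settings = (Get-SPWebApplication -Identity $Url).PeoplePickerSettings
    foreach ($d in $settings.SearchActiveDirectoryDomains) {
        [pscustomobject]@{
            Target    = $d.DomainName
            IsForest  = $d.IsForest
            # Empty means no explicit credential was stored for this entry.
            LoginName = $d.LoginName
        }
    }
}

"{0} can read the Secure key: {1}" -f $group, (Test-GroupCanReadKey -Path $keyPath -GroupName $group)
Get-PeoplePickerSearchDomain -Url $webAppUrl | Format-Table -AutoSize
```

For the one-way trust case, the LoginName shown for the second.local entry should be an account from second.local, not from the main forest.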