Sharepoint Cross Forest-Trust Users How to add

There are documented steps needed to allow a SharePoint site to add/pick users from a one-way trusted forest. This is what we have set up for our TrustedForest –> LocalDomain trust (also set as a selective trust).

Though I’d swear I didn’t have to do this on the first SharePoint installation on Server1, nothing I researched or tried worked on the second/third installation efforts. So I must have done so (a year ago), and after following the steps outlined below I’m able to add users from the trusted forest.

Sites quoted/researched for this solution:

  1. http://technet.microsoft.com/en-us/library/cc262051.aspx
  2. http://blogs.msdn.com/joelo/archive/2007/03/08/cross-forest-multi-forest-configuration-additional-info.aspx
  3. http://blogs.msdn.com/sharepoint/archive/2006/03/15/552331.aspx
  4. http://technet.microsoft.com/en-us/library/cc263460.aspx

On each server that hosts the SharePoint front-end web server (WFE) role you need to set an encryption key. This is done from the command prompt with the STSADM.exe tool.

> STSADM.exe -o setapppassword -password {some password}

Replace {some password} with the password to be used for this encryption; any unique string will do.

Next, on one of the WFEs, set the list of forests to search and the account used to access the one-way trusted forest, again using the STSADM.exe tool. You must supply a username/password with permission to query Active Directory in the trusted domain/forest.

> STSADM.exe -o setproperty -url http://your.sharepoint.site -pn "peoplepicker-searchadforests" -pv "domain:trusted.domain.dns,username,password"

Breaking down this command:

| Command/Property | Value | Description |
|---|---|---|
| `-o setproperty` | | The STSADM operation that sets a property on the web application. |
| `-url` | URL of the web site | I think it needs to match your default alternate access mapping from Central Administration. |
| `-pn` (property name) | `"peoplepicker-searchadforests"` | Documentation seems to vary on whether the double quotes are needed, but it worked this way. |
| `-pv` (property value) | `"domain:dns of domain,username,password"` | Again, double quotes around the whole value. The DNS name of the domain, then commas separating the username and password of a user authorized in the trusted domain to read that domain’s AD. Note that neither the username nor the password can contain commas with this syntax. |
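The two STSADM steps above, wrapped in a PowerShell script so the trusted-forest account’s password is taken from a credential prompt rather than typed into the command line, and so the comma restriction and the STSADM exit codes are checked before moving on. This is an added example, not a script from the original post or from Microsoft; it assumes the MOSS 2007 “12 hive” location of STSADM.exe and that it is run as a farm administrator on the WFE. `$WebAppUrl`, `$TrustedDomainDns` and `$AppPassword` are placeholder parameter names chosen here.

```powershell
# Added example (not from the original post): configure the People Picker for a
# one-way trusted forest with STSADM. The trusted-forest account is collected via
# Get-Credential so its password is not typed into the console history.
# Assumed: MOSS 2007 "12 hive" path for STSADM.exe; run on the WFE as a farm admin.

param(
    [Parameter(Mandatory = $true)] [string] $WebAppUrl,        # e.g. http://your.sharepoint.site
    [Parameter(Mandatory = $true)] [string] $TrustedDomainDns, # e.g. trusted.domain.dns
    [Parameter(Mandatory = $true)] [string] $AppPassword       # setapppassword key; use the same value on every WFE
)

# Assumed location of STSADM.exe for the 12 hive (MOSS 2007 / WSS 3.0).
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\STSADM.exe'
if (-not (Test-Path $stsadm)) { throw "STSADM.exe not found at $stsadm" }

# Prompt for the account that will read the trusted forest's Active Directory.
# A read-only account in the trusted domain is sufficient; no elevated rights are needed.
Write-Host "Enter the account with AD read access in $TrustedDomainDns"
$cred = Get-Credential
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

# The -pv value is comma-delimited, so neither field may contain a comma.
foreach ($v in @($user, $pass)) {
    if ($v -match ',') {
        throw 'Username and password must not contain commas for peoplepicker-searchadforests'
    }
}

# Step 1: set the encryption key that protects the stored credentials.
# This must be run on each WFE with the same password.
& $stsadm -o setapppassword -password $AppPassword
if ($LASTEXITCODE -ne 0) { throw "setapppassword failed with exit code $LASTEXITCODE" }

# Step 2: tell the People Picker which domain to search and which account to use.
$pv = "domain:$TrustedDomainDns,$user,$pass"
& $stsadm -o setproperty -url $WebAppUrl -pn peoplepicker-searchadforests -pv $pv
if ($LASTEXITCODE -ne 0) { throw "setproperty failed with exit code $LASTEXITCODE" }

# Step 3: read the property back so the domain entry can be confirmed before
# testing the People Picker in the site.
& $stsadm -o getproperty -url $WebAppUrl -pn peoplepicker-searchadforests
```

Run it once per web application, after the `setapppassword` step has been applied to every WFE with the same key. The credential is still passed to STSADM as a process argument, so keep the account to read-only rights in the trusted domain and rotate it like any other service credential.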