
We migrated a few SharePoint 2010 site collections to SharePoint 2013 but had to use classic authentication to preserve the users that were already in groups.

We have 2 AD domains with a one-way trust.

The problem now is that the people picker in these site collections only shows existing users from the trusted domain, and for new users from the trusted domain, only {trusted domain}{user id} works for adding them.

So I performed:

STSADM.exe -o setapppassword -password <>

STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Main.local, main\me,myPassword; domain:second.local, main\me,myPassword" -url https://sites.contoso.com/

Now I could not even add users using {trusted domain}{user id}. There is no way to add any users from the trusted domain.

I checked the properties Peoplepicker_peopleeditoronlyresolvewithinsitecollection and Peoplepicker_onlysearchwithinsitecollection; they are either 'No' or do not exist.

What else can I do to support the secondary domain?

1 Answer

A few suggestions: 1. For the first domain you do not need to specify a password; the application pool service account should be a member of that domain's users and able to query its own domain. 2. Since you have a one-way trust, you cannot use an account from the main forest to authenticate against the one-way trusted domain.

So your command should look like this:

STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Main.local; domain:second.local, second.local\me,myPassword" -url https://sites.contoso.com/
3. One more thing that may be happening is missing permissions on a registry key. Start Process Monitor from Sysinternals (on all front ends) with an "Access Denied" filter.

You will probably see access denied on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure

Add WSS_WPG with Read permission to that key.

answered 2017-02-22T15:56:13.303
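The steps in the answer above, collected into one script as an added example; this is not the answerer's code, and it assumes the names from the question (Main.local as the service account's own forest, second.local as the one-way trusted domain, https://sites.contoso.com/ as the web application) and the default 15-hive path for STSADM.EXE. It prompts for the trusted-domain password instead of putting it on the command line, sets the same app password on the server (repeat that on every front end), writes the peoplepicker-searchadforests value with credentials only on the trusted domain, reads back the two scope properties the question mentions, and grants WSS_WPG read access on the Secure key.

```powershell
# Added example, not from the original post. Run in an elevated SharePoint 2013
# Management Shell on each web front end. Placeholder names follow the question.
$WebAppUrl     = "https://sites.contoso.com/"
$OwnForest     = "Main.local"            # forest the app pool service account belongs to
$TrustedDomain = "second.local"          # one-way trusted domain
$TrustedUser   = "second.local\me"       # account that lives IN the trusted domain

# Default location of STSADM.EXE in the SharePoint 2013 (15) hive
$stsadm = Join-Path ${env:CommonProgramFiles} "Microsoft Shared\Web Server Extensions\15\BIN\STSADM.EXE"

# 1. Application credential key, used to encrypt stored people picker credentials.
#    Must be identical on every server in the farm (same as the question's setapppassword step).
$appCred = Get-Credential -UserName "app-password" -Message "Farm application password (same on all servers)"
& $stsadm -o setapppassword -password $appCred.GetNetworkCredential().Password

# 2. Credentials for the trusted domain: prompted, not hard-coded in the script.
$trustedCred = Get-Credential -UserName $TrustedUser -Message "Password for the trusted-domain account"
$trustedPwd  = $trustedCred.GetNetworkCredential().Password

# 3. Own forest: no credentials (the service account can query it).
#    Trusted domain: credentials of an account from THAT domain, because of the one-way trust.
$searchForests = "forest:$OwnForest; domain:$TrustedDomain, $TrustedUser,$trustedPwd"
& $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $searchForests -url $WebAppUrl

# 4. Read back the two scope properties; either should be absent or "No" for cross-domain lookups.
foreach ($pn in "peoplepicker-peopleeditoronlyresolvewithinsitecollection",
                "peoplepicker-onlysearchwithinsitecollection") {
    & $stsadm -o getproperty -pn $pn -url $WebAppUrl
}

# 5. Let the worker process group read the Secure key (the "access denied" the answer describes).
$keyPath = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\Secure"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    "WSS_WPG",
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Do not leave the plaintext passwords in the session once the commands have run.
Remove-Variable trustedPwd, searchForests
```

Steps 1 and 5 have to be repeated on every front end; step 3 is stored per web application and only needs to run once. Granting ReadKey (rather than Full Control) to WSS_WPG is enough for the application pool to decrypt the stored people picker credentials.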