People Picker, SharePoint and Forest Trusts

Posted by on Apr 1, 2009 in SharePoint, SharePoint 2007

Everything in my SharePoint Farm was working well until … I decided to install the recent February 2009 Uber packages from Microsoft. Don’t ask me why, but I have a habit of trying to keep up to date, even though Microsoft explicitly states when you download the hefty packages that you should only install them if you are experiencing one of the issues listed in the KB article and should otherwise wait till the next service pack. Have you ever sat down and read one of these Cumulative Update KBs? They go on for pages, and how am I supposed to know if I am actually a recipient of one of the hundreds of known issues? So I decided to go ahead and install both the WSS and MOSS packages a couple of weekends ago… Well, the result was that it broke one of the workflows I had designed in SharePoint Designer, and I also wasn’t able to apply permissions to users outside the resource domain using the People Picker. I was scratching my head with regards to the latter; I recalled I had needed to do something special initially to get SharePoint to enumerate users from other forests, so after a quick scavenge I realised I needed to re-run a couple of stsadm commands, which I will share with you today.


By way of background, my SharePoint farm is serving users from the local resource domain and 2 other domains that are connected to our network through a one-way selective Active Directory Trust. Sounds complicated, but it is not too difficult once you get past the hurdles of connecting multi-vendor firewalls to create the tunnel. Once the tunnel has been established, all that is needed is the setting up of DNS conditional forwarders and then the Forest Trust. Too easy; my Active Directory Admin can do that with his eyes closed, and in my case I was the A.D. man! Once you have the Forest Trust in place it’s a piece of cake to import the A.D. users from the other sites into SharePoint and pre-create their user profiles. Done! Here comes the tricky part, especially when you are trying to do this for the first time. You will need to run a couple of stsadm.exe commands in order to allow the People Picker to search for users in the other forests. Please note that users in the forest the server itself is in (that is, the resource forest) are displayed automatically.


Okay, so let’s begin with the commands. By default, the People Picker queries Active Directory using the identity of your Web Application’s application pool account. Across a one-way trust that account cannot authenticate to the trusted forests’ domain controllers, so the lookups fail; we therefore need to give the People Picker explicit credentials for each forest, and before that we need to run the following setapppassword command on each Web Front End Server in the farm.

Command 1 – To be run on each WFE.

stsadm.exe -o setapppassword -password <yourpassword>

<yourpassword> can be any string you like, but the identical value must be set on every WFE in the farm.

Command 2 – To be run on one WFE.

stsadm -o setproperty -url http://SharePointSite:85 -pn peoplepicker-searchadforests -pv "forest:<forest1>,<loginname1>,<password1>;forest:<forest2>,<loginname2>,<password2>"

Now the trick with this command is to ensure you include all your forests in the one command, separated by semicolons. Running the command once per forest (twice in my case, for 2 other forests) did not work, because setproperty replaces the property value rather than appending to it, so only the last forest survives. You will need to include them all in the single command.

Please also ensure you run command 2 for each Web Application in your farm including My Site.
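The following PowerShell script is an added example, not part of the original post, that wraps the two stsadm steps above so they can be repeated consistently across the farm. It assumes MOSS 2007's standard 12-hive path for stsadm.exe; the web application URLs, forest DNS names and the "svc-sp-peoplepicker" account names are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): scripted version of the two
# stsadm steps for a MOSS 2007 farm. The URLs, forest names and account names
# below are assumed placeholders; replace them with your own farm values.
#
# Usage:
#   .\Set-PeoplePickerForests.ps1 -Mode AppPassword     # run on EVERY WFE first
#   .\Set-PeoplePickerForests.ps1 -Mode SearchForests   # then run on ONE WFE
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('AppPassword', 'SearchForests')]
    [string]$Mode
)

# Standard 2007 (12-hive) location of stsadm.exe
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'
if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

# Every web application in the farm, including My Site (assumed example URLs).
$webApps = @('http://SharePointSite:85', 'http://mysite.example.local')

# One entry per trusted forest the People Picker must search (assumed names).
# The lookup account only needs to read directory objects in that forest;
# do not hand the People Picker a privileged account.
$forests = @(
    @{ Dns = 'forest1.example.local'; User = 'FOREST1\svc-sp-peoplepicker' },
    @{ Dns = 'forest2.example.local'; User = 'FOREST2\svc-sp-peoplepicker' }
)

function Invoke-Stsadm([string[]]$Arguments) {
    # Run stsadm with an argument array so values containing ';' or ','
    # reach it as a single argument, and stop on any non-zero exit code.
    & $stsadm @Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm -o $($Arguments[1]) failed (exit $LASTEXITCODE)" }
}

switch ($Mode) {
    'AppPassword' {
        # Step 1: the same value must be set on every WFE, so prompt for it
        # instead of hard-coding it in a script that gets copied around.
        $secure = Read-Host -AsSecureString 'App password (must be identical on every WFE)'
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Invoke-Stsadm @('-o', 'setapppassword', '-password', $plain)
    }
    'SearchForests' {
        # Step 2: build ONE property value containing all forests, because
        # setproperty replaces the value rather than appending to it.
        $entries = @()
        foreach ($f in $forests) {
            $cred = Get-Credential $f.User   # prompts only for the password
            # Documented entry format for this property: forest:<dns>,<login>,<password>
            $entries += 'forest:{0},{1},{2}' -f $f.Dns, $cred.UserName, $cred.GetNetworkCredential().Password
        }
        $value = $entries -join ';'
        # The property is per web application, so apply it to each one, My Site included.
        foreach ($url in $webApps) {
            Invoke-Stsadm @('-o', 'setproperty', '-url', $url, '-pn', 'peoplepicker-searchadforests', '-pv', $value)
        }
    }
}
```

Run the AppPassword mode on every WFE before the SearchForests mode, since the key set by setapppassword is what protects the forest credentials stored by the second command. The script prompts for passwords rather than taking them as parameters so they do not end up in shell history or a transcript, and the forest entries are joined into one value precisely because a second setproperty run would wipe the first forest.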

Below are some reference links to Microsoft’s TechNet site and Joel Oleson’s Blog – SharePoint Land, explaining the above commands and their usage in a lot more detail. Until next time, Happy People Picking!!

Peoplepicker-searchadforests: Stsadm property (Office SharePoint Server)

Cross Forest, Multi Forest Configuration and Additional Info