Configuring SharePoint 2010 Search in a one-way trust scenario

by Matt Stratton on June 1, 2010

Let me just start out by saying that I think that SharePoint 2010 is pretty darn awesome. The user experience is three billion times better than previous versions, and the list of amazing features is miles long.

That being said, I’m starting to think that Microsoft didn’t really do a lot of testing of this product in a multi-domain, one-way trust scenario. Let us assume the scenario below:

In this scenario, the domain SERVER trusts ACCOUNT, but not vice versa.

My SharePoint 2010 farm is in SERVER, but all user accounts are in ACCOUNT. This is a one-way trust, and a fairly common corporate scenario.

The Search Symptom

After configuring SharePoint Search and successfully crawling some content sources, I was never able to return any search results. People results would show up, but no content from the SharePoint sites. Additionally, when I looked at my Scopes in Central Admin, they showed no items…but the crawl log showed all the results.

For Admin Eyes Only!

After spending hours trying to debug this (going so far as to even completely delete the Search Service application and recreate it), I came across this post on MSDN:

At first, I thought this didn’t apply to me, as I was connecting as ACCOUNT\USER, who was a farm admin as well as a site collection admin. But then I came across another post:

I wasn’t seeing that exact error, but it made a bit of a lightbulb go off for me. On a whim I tried logging in as SERVER\ADMIN…and voila! Search results appeared!

So now what?

This was all well and good, but it didn’t solve my problem. I needed ACCOUNT users to get search results too. The issue seemed to be that the app pool for the Search query component was running as a service account in the SERVER domain…and that account didn’t have any rights in ACCOUNT to determine the security trimming for the user doing the search. Long story short, I needed that app pool to run as an ACCOUNT account.

That being said, when I went to register the ACCOUNT account as a managed account, it wouldn’t take it. Because, you know, the farm account (I suppose) didn’t have rights in ACCOUNT to pull up any properties about this user:

PowerShell to the rescue!

The GUI wasn’t going to let me add this managed account…but would PowerShell save the day? Turns out that yes, yes it would. Following the insight from Bill Baer’s blog post, I was able to add an ACCOUNT service account using PowerShell…which I could then select as the app pool identity for the Search query component. And after doing so…voila! Search results worked like a charm.
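The steps above, as an added example (not the commands from this post or from Bill Baer’s): register an ACCOUNT service account as a managed account from the SharePoint 2010 Management Shell, put it in its own service application pool, and make that pool the one the Search Service Application runs in. The account name ACCOUNT\svc-spquery and the pool name are assumptions, and the shell is assumed to be started as a farm administrator whose own login is in ACCOUNT (a SERVER login cannot resolve ACCOUNT principals across the one-way trust, as a commenter below also notes).

```powershell
# Added example, not the post author's script. Assumed names:
#   ACCOUNT\svc-spquery                 - dedicated, least-privilege query service account
#   "SharePoint Search Query App Pool"  - service application pool created for it
# Run in the SharePoint 2010 Management Shell on a farm server, logged on as a farm
# admin from the ACCOUNT domain (a SERVER-domain login cannot look ACCOUNT users up).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = "ACCOUNT\svc-spquery"   # assumed account name

# 1. Register the ACCOUNT service account as a managed account. Central Admin fails
#    at this step because the farm account (in SERVER) has no rights to read the
#    user's properties in ACCOUNT. Get-Credential prompts for the password, so it
#    is never embedded in the script.
$managed = Get-SPManagedAccount -Identity $accountName -ErrorAction SilentlyContinue
if (-not $managed) {
    $cred    = Get-Credential -Credential $accountName
    $managed = New-SPManagedAccount -Credential $cred
}

# 2. Create (or reuse) a service application pool whose identity is that account.
$poolName = "SharePoint Search Query App Pool"   # assumed pool name
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $managed
}

# 3. Move the Search Service Application onto that pool. Its query processing now
#    runs as an ACCOUNT principal, which is what lets it evaluate ACCOUNT users'
#    group memberships when security-trimming results. (SharePoint Foundation has
#    no Get-SPEnterpriseSearchServiceApplication, as a commenter on the post notes.)
$ssa = Get-SPEnterpriseSearchServiceApplication
Set-SPEnterpriseSearchServiceApplication -Identity $ssa -ApplicationPool $pool

# 4. Confirm the identity really changed before re-testing search as an ACCOUNT user.
$ssa = Get-SPEnterpriseSearchServiceApplication
"Search service application pool now runs as: " + $ssa.ApplicationPool.ProcessAccountName
```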

Where do we go from here?

This is just one of the several issues I’ve encountered in our one-way trust scenario with SharePoint 2010. The maddening thing is that all of these issues worked FINE in MOSS 2007…but it seems that with all of the infrastructure changes that happened with 2010…a lot of this stuff got lost along the way.

  • Darren

    Hi Matt, great blog. I have exactly the same issue, but I have multiple account domains that I need the users to be able to search from within the content. There are no trusts between the ACCOUNT domains, and a one-way trust between the RESOURCE and the ACCOUNT domain (same as you).

    Any suggestions

  • Satheesh

    Very good article. I am having exactly the same issue. Now when I try to add a new managed account using the PowerShell command new-spmanagedaccount I get an error: “An error occurred while getting the information about the user ## at ###. The network path was not found.”

    • Satheesh

      Got it working.. Thank you.. Excellent Post

      • Canete

        Satheesh, how did you get it to work? Can you provide the PowerShell commands that you use?

        Thank you

  • Dennis

    Thanks for the post.. will def help

  • Pingback: Tweedle Dee & Tweedle Dum - SharePoint 2010 - Avanade XRM Development Blog

  • Paul

    I am trying to make this fix but I can’t seem to find where I would set the “app pool identity for the Search query component”. Please advise. Thanks, Paul

  • Canete

    I’m having the same issue. When I try to add the new managed account using the following PowerShell commands:

    $cred = Get-Credential -Credential Domain\UserX
    New-SPManagedAccount -Credential $cred

    I get the following error:
    New-SPManagedAccount : An error occurred while getting information about the user UserX at server Domain: Access is denied
    At line:1 char:21
    + New-SPManagedAccount <<<< -Credential $cred
    + CategoryInfo : InvalidData: (Microsoft.Share…wManagedAccount:
    SPCmdletNewManagedAccount) [New-SPManagedAccount], InvalidOperationExcepti
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewManag

    Is there anything that I'm missing here?

    Thank you

  • Canete

    Matt, can you please explain how you got this to work? It would really help if you could provide examples of the PowerShell commands that you used.

    Thanks again.

    • Satheesh


      Run the SharePoint Management Shell using an account which is part of the user domain. To make sure that account is able to access SharePoint, add that account as a farm account. Then execute this PowerShell script.

  • Paul

    Thank You Matt! Very helpful. I didn’t have exactly the same problem but it solved the issue i was having!

  • Henrik

    This KB can also be used to overcome this obstacle:

  • Nibbel

    Hi Matt, thanks for this. It sounds like my problem here.
    I have SP Foundation 2010 on a Server 2008 Standard (not R2). The domain came over a Samba server, not an AD. I can search with local users on the SP server but domain users can’t find anything..
    I have followed your text and tried
    $cred = Get-Credential
    I gave the right information in the credential window (user: DOMAINUSER, Password: ) and I try to add the domain account
    New-SPManagedAccount -Credential $cred
    but it says
    New-SPManagedAccount : The value for {0}-Parameter is not supported..

    + New-SPManagedAccount <<<< -Credential $cred
    + CategoryInfo : InvalidData: (Microsoft.Share…wManagedAccount:
    SPCmdletNewManagedAccount) [New-SPManagedAccount], ArgumentException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewManag

    I can’t add the domain user account as a managed account and so I can’t search with a domain user on this SP server :(
    Any ideas?

    I had a look at the KB, but I think it’s a problem.. I have Foundation, not Server.. no cmdlet "Get-SPEnterpriseSearchServiceApplication"

  • Pingback: SharePoint Search – AuthzInitializeContextFromSid failed » Andy Burns’ SharePoint Blog

  • Tyler Cranston

    This problem has now been identified by Microsoft and a resolution is listed here:

    • Robert Howard

      Thanks Tyler, I had been pulling what little of my hair that was left out trying to resolve this one

  • widget76

    You don’t need managed accounts, just use the old good STSADM with peoplepicker and searchadforests…

  • Artur Kozłowski

    Thank you for that post! After a month of struggling with the issue your post finally fixed the issue.
