SharePoint 2010 Search with one-way domain trust

June 24, 2010

The case: we have SharePoint 2010 installed in our DMZ environment (domain: DMZ.local), which has a one-way trust with our internal domain (domain: internal.local); DMZ.local trusts internal.local, which is what lets internal users log on to the farm. We noticed that when a user from internal.local searches for content in the farm, no results are shown. When a user from DMZ.local searches for the same phrase, multiple results are shown.

Both users have the same permissions on the sites. The user from internal.local can browse through all the sites and view all the content, so this is not a permissions problem: the index simply security-trims every result away for that user. I even tried making the user Site Collection Administrator; still no results. Temporarily disabling the firewalls made no difference either.

The problem seems to lie in the domain trust. SharePoint 2010 has a lot more issues regarding domain trusts than SharePoint 2007. After a lot of searching, the final answer came from Johan Kroese: the Search Service Application needs to store its ACLs as claims.

Of course, PowerShell can help us with that:
$SearchApp = Get-SPServiceApplication -Name "SearchAppName"   # display name of your Search Service Application
$SearchApp.SetProperty("ForceClaimACLs", 1)                   # store crawled ACLs as claims from now on
This property is undocumented as far as Google knows, but the implication seems clear: the ACLs are now stored as claims instead of NT tokens. Keep in mind that the ACLs are written into the index at crawl time, so the setting only takes effect for existing content after a full crawl.

After that, you also need to migrate your Web Application to claims-based authentication. If you are still running in Classic mode, here is the PowerShell code to switch to CBA:
$WebApp = Get-SPWebApplication https://mywebapp
$WebApp.UseClaimsAuthentication = $true   # a boolean, not the string "True"
$WebApp.Update()                           # persist the change to the configuration database
$WebApp.MigrateUsers($true)                # convert the existing NT identities in site permissions to claims identities
This is a one-way migration: you cannot go back to Classic mode!
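The whole procedure, the ForceClaimACLs flag, the classic-to-claims migration and the full crawl the new ACL format needs, as one script you can run from the SharePoint 2010 Management Shell. This is an added example written for this page, not Johan's code or anything from the original post. The Search Service Application name, the web application URL and the DMZ\spfarm account are assumptions; the web application policy step follows Microsoft's documented classic-to-claims migration sequence rather than the post, and reading the flag back with GetProperty assumes it is the counterpart of the SetProperty call above.

```powershell
# Added example for this page, not code from the original post.
# Assumptions: the SSA is called "Search Service Application", the web
# application is https://mywebapp, and DMZ\spfarm must keep Full Control.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ssaName   = "Search Service Application"   # assumption: your SSA's display name
$webAppUrl = "https://mywebapp"              # assumption: the web application to migrate
$adminAcct = "DMZ\spfarm"                    # assumption: account that keeps Full Control

# 1. Tell search to store crawled ACLs as claims instead of NT security identifiers.
$ssa = Get-SPEnterpriseSearchServiceApplication -Identity $ssaName
$ssa.SetProperty("ForceClaimACLs", 1)
"ForceClaimACLs is now: " + $ssa.GetProperty("ForceClaimACLs")   # expect 1

# 2. Switch the web application from classic (NT) to claims-based authentication.
#    This is one-way: there is no supported path back to classic mode.
$wa = Get-SPWebApplication -Identity $webAppUrl
if (-not $wa.UseClaimsAuthentication) {
    $wa.UseClaimsAuthentication = $true
    $wa.Update()

    # Grant a claims identity Full Control through a web application policy first,
    # so an administrator is guaranteed access once the NT entries are converted.
    $claim  = (New-SPClaimsPrincipal -Identity $adminAcct -IdentityType WindowsSamAccountName).ToEncodedString()
    $zp     = $wa.ZonePolicies("Default")
    $policy = $zp.Add($claim, "Claims migration - Full Control")
    $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
    $wa.Update()

    # Convert the existing NT identities in site permissions to claims identities
    # and re-provision the web application on every server in the farm.
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()
}

# 3. ACLs are written into the index at crawl time, so nothing changes for
#    existing content until every content source has been fully re-crawled.
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa |
    ForEach-Object { $_.StartFullCrawl() }

# 4. Check: the web application must now report claims mode.
Get-SPWebApplication -Identity $webAppUrl | Select-Object Url, UseClaimsAuthentication
```

Run it as a farm administrator and wait for the full crawl to finish before testing; the test that matters is the one from the top of this post, a user from internal.local searching for a phrase that a DMZ.local user with the same permissions already finds. If the internal user still gets nothing after the crawl completes, the trimming is failing for some reason other than the ACL format.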

This resulted in the desired behavior: after the migration and a full crawl, the user from internal.local could see all the search results.

Once again saved by the community, thanks Johan!


5 Responses to “SharePoint 2010 Search with one-way domain trust”

  1. […] This post was mentioned on Twitter by Joachim Farla [MVP], Martijn Schouten. Martijn Schouten said: Problems with #sp2010 Search & domain trusts? Here's what I did to fix it: […]

  2. Eric Johnson Says:

    You might not need to migrate your web apps to claims to make this work depending on your setup. Just change the search app to claims and do a full crawl and check how things work first.

    • Hi Eric,
      I’ve tried changing just the Search Service App, but that did not fix the issue. Using claims on the Web App was definitely part of the solution in our case.

      • neil hodgkinson Says:

        Eric is right here. Switching the search service to store its ACLs in claims is all you need to make this work. There must be something else affecting your environment.

  3. […] Martijn Schouten’s Blog: SharePoint 2010 Search with one-way domain trust  […]
