SharePoint 2010 Search with one-way domain trust
June 24, 2010
The case: we have SharePoint 2010 installed in our DMZ environment (Domain: DMZ.local), which has a one-way trust with our internal domain (Domain: internal.local). We noticed that when a user from internal.local searches for content in the farm, no results are shown. When a user from DMZ.local searches for the same phrase, multiple results are shown.
Both users have the same permissions on the sites. The user from internal.local can browse through all the sites and view all the content. I even tried to make the user Site Collection Admin. No results were shown. Firewalls temporarily disabled, nothing.
The problem seems to lie in the domain trust. SharePoint 2010 has a lot more issues regarding domain trusts than SharePoint 2007. After a lot of searching, the final answer came from Johan Kroese: the Search Service Application needs to store its ACLs as Claims.
Of course, PowerShell can help us with that:
$SearchApp = Get-SPServiceApplication -Name "SearchAppName"   # replace SearchAppName with the name of your Search Service Application
This command is undocumented as far as Google knows, but the implications seem quite clear: the ACLs are now stored as Claims instead of NT tokens.
After that, you also need to migrate your Web Application to Claims Based Authentication. If you are already running in Classic mode, here’s the PowerShell code to switch to CBA:
$WebApp = Get-SPWebApplication https://mywebapp
$WebApp.UseClaimsAuthentication = $true   # a boolean, not the string "True"
$WebApp.Update()                          # persist the change to the configuration database
$WebApp.MigrateUsers($true)               # rewrite existing user accounts to their claims-encoded form
This is a one-way migration; you cannot go back to Classic mode!
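Putting the two steps together, here is the complete procedure as I would run it, with a check before and after each irreversible change. This is an added example, not the post's or Johan's script. It assumes the SharePoint 2010 Management Shell run as a farm administrator, placeholder names for the Search Service Application and the web application, and the ForceClaimACLs search property, which the post does not name but which is the property I know of for making SharePoint 2010 search store ACLs as claims.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell.
# Placeholders: $SearchAppName and $WebAppUrl. "ForceClaimACLs" is assumed to be the
# search service application property that switches ACL storage from NT tokens to claims.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SearchAppName = "Search Service Application"   # placeholder
$WebAppUrl     = "https://mywebapp"             # placeholder

# 1. Make the Search Service Application store crawled ACLs as claims instead of NT tokens.
$SearchApp = Get-SPEnterpriseSearchServiceApplication -Identity $SearchAppName
Write-Host ("ForceClaimACLs before: " + $SearchApp.GetProperty("ForceClaimACLs"))
$SearchApp.SetProperty("ForceClaimACLs", $true)
Write-Host ("ForceClaimACLs after:  " + $SearchApp.GetProperty("ForceClaimACLs"))

# 2. Switch the web application from Classic mode to claims-based authentication.
#    This cannot be undone, so do nothing if it is already in claims mode.
$WebApp = Get-SPWebApplication -Identity $WebAppUrl
if ($WebApp.UseClaimsAuthentication) {
    Write-Host "$WebAppUrl already uses claims-based authentication; skipping migration."
} else {
    $WebApp.UseClaimsAuthentication = $true   # boolean, not the string "True"
    $WebApp.Update()
    # Rewrite existing user entries (permissions, site collection admins) to their
    # claims-encoded form, e.g. DOMAIN\user becomes i:0#.w|DOMAIN\user.
    # Without this step the existing users lose access after the switch.
    $WebApp.MigrateUsers($true)
    $WebApp.ProvisionGlobally()
}

# 3. The ACL format is fixed when an item is crawled, so the index must be rebuilt
#    with a full crawl before users from the trusted domain get results.
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $SearchApp |
    ForEach-Object { $_.StartFullCrawl() }
```

The before/after prints of ForceClaimACLs and the UseClaimsAuthentication guard are there so the script can be re-run safely: the search property change is harmless to repeat, while the Classic-to-claims switch must only happen once.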
This resulted in the desired behavior: the user from internal.local could see all the search results.
Once again saved by the community, thanks Johan!