Unable to perform a query in a one-way trust domains scenario when a user from the trusted domain performs the query and the SSA application pool account is from the trustee domain

Article ID: 2344518

SYMPTOMS

Follow these steps if you run into an issue with SharePoint Search where a search query returns no results in a one-way trust domains scenario: a user from the trusted domain performs the query while the SSA application pool account is from the trustee domain.
 
Farm topology:
• DomainA and DomainB are in two separate forests with a one-way trust relationship from DomainA to DomainB.
• User DomainB\User1 has access to content crawled on DomainA.

DomainB\User1 is returned zero results when he or she issues a search query on DomainA.

CAUSE

Security trimming is done in the query processor (QP). In SharePoint 2010, the QP moved from the web front end (WFE) to the query servers.
Because the WFE sends only the user's SID to the QP, the AuthZ API call fails across domains.
In SharePoint 2007, security trimming was done on the WFE, where the AuthZ API worked because the querying user's group information was available.

RESOLUTION

Run the following Windows PowerShell commands:

$searchapp = Get-SPEnterpriseSearchServiceApplication
$searchapp.SetProperty("ForceClaimACLs",1)

Here $searchapp is the Windows PowerShell object for the search service application to be modified.

You will not see any confirmation: the SetProperty() call sets the value of ForceClaimACLs in the search administration database to 1.
 
A full crawl is required to enable the new ACL format across the content.

NOTE: Search alerts will be broken after you enable this functionality.
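As an added example (not part of the KB article), the following script applies the resolution end to end on a single SSA: it selects the service application by name (the SSA name and the Add-PSSnapin line are assumptions), reads the current ForceClaimACLs value, sets it only when needed, confirms the stored value, and starts the full crawl that the new ACL format requires on every content source.

```powershell
# Added example, not from the KB article. Run in an elevated SharePoint 2010
# Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed SSA name. Without -Identity the cmdlet returns every SSA in the farm,
# so select the one to modify explicitly.
$ssaName = "Search Service Application"
$searchapp = Get-SPEnterpriseSearchServiceApplication -Identity $ssaName
if (-not $searchapp) { throw "SSA '$ssaName' not found" }

# GetProperty() returns $null when the property has never been set.
$before = $searchapp.GetProperty("ForceClaimACLs")
Write-Host "ForceClaimACLs before: $before"

if ($before -ne 1) {
    # SetProperty() writes to the search administration database and prints nothing,
    # so read the value back to confirm it was persisted.
    $searchapp.SetProperty("ForceClaimACLs", 1)
    $after = $searchapp.GetProperty("ForceClaimACLs")
    if ($after -ne 1) { throw "ForceClaimACLs was not persisted (value: $after)" }
    Write-Host "ForceClaimACLs set to 1"

    # The claim-based ACL format only applies to items crawled after the change,
    # so start a full crawl on each content source of this SSA.
    Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $searchapp |
        ForEach-Object {
            Write-Host "Starting full crawl of content source '$($_.Name)'"
            $_.StartFullCrawl()
        }
} else {
    Write-Host "ForceClaimACLs is already 1; no change made"
}
```

Remember that search alerts stop working once ForceClaimACLs is enabled, as noted above.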


Workaround: Use a two-way trust instead of a one-way trust.

MORE INFORMATION

Steps to reproduce:

1) Create a one-way trust domains configuration where Domain A trusts Domain B (but not vice versa).
2) Install SharePoint 2010 on Domain A and configure the SSA to run with a service account from Domain A.
3) Create a web application by using Windows classic or Windows claims authentication.
4) Create some content in SharePoint.
5) Give the same rights to the SharePoint content to a user from Domain A and a user from Domain B.
6) Perform a full crawl.
7) Try to run a query as the user from Domain A.
8) Try to run a query as the user from Domain B.

EXPECTED behavior
Both users see the same results on the search results page.

CURRENT behavior
The user from Domain A gets the right content, but the user from Domain B only gets:
a) Content that has been ACLed where the ACL size is greater than 64 KB (Windows classic)
b) All the SharePoint content (Windows claims)

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2344518 - Last Review: August 17, 2010 - Revision: 5.0
APPLIES TO
  • Microsoft SharePoint Foundation 2010
  • Microsoft SharePoint Server 2010
Keywords: KB2344518
