• DomainA and DomainB are in two separate forests with a one-way trust relationship from DomainA to DomainB.
• A user (DomainB\User1) has access to content crawled on DomainA.
DomainB\User1 receives zero results when issuing a search query on DomainA.
Because the web front end (WFE) sends only the user's SID to the query processor (QP), the AuthZ API fails to authenticate across domains.
In SharePoint 2007, security trimming was done in the WFE. The AuthZ API worked because the querying user's group information was available.
Where $searchapp is the Windows PowerShell object for the search service application to be modified. ($searchapp = Get-SPEnterpriseSearchServiceApplication)
You will not see any confirmation; the SetProperty() command sets the value of ForceClaimACLs in the search administration database to 1.
A full crawl is required to enable the new ACL format across the content.
NOTE: Search alerts will be broken after enabling this functionality.
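The resolution steps above, written out as an added example; this is not code from the original article. It assumes a single search service application in the farm, assumes the property is set as SetProperty("ForceClaimACLs", 1) based on the name and value the article gives, and assumes GetProperty() can read the value back.

```powershell
# Added example, not from the original article.
# Run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: exactly one search service application exists. With several,
# pick the one to modify instead of taking whatever the cmdlet returns.
$searchapp = Get-SPEnterpriseSearchServiceApplication
if (@($searchapp).Count -ne 1) {
    throw "Expected exactly one search service application; select one explicitly."
}

# Switch the index to the claims ACL format. SetProperty() prints nothing,
# so the value is read back below (GetProperty() use is an assumption).
$searchapp.SetProperty("ForceClaimACLs", 1)
try {
    Write-Host "ForceClaimACLs =" $searchapp.GetProperty("ForceClaimACLs")
} catch {
    Write-Warning "Could not read ForceClaimACLs back: $($_.Exception.Message)"
}

# The new ACL format only applies to items crawled after the change, so every
# content source needs a full crawl before security trimming uses it.
$sources = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $searchapp
foreach ($cs in $sources) {
    if ($cs.CrawlStatus -eq "Idle") {
        $cs.StartFullCrawl()
        Write-Host "Full crawl started: $($cs.Name)"
    } else {
        # A crawl is already running or paused; do not interrupt it.
        Write-Warning "$($cs.Name) is $($cs.CrawlStatus); run a full crawl once it is idle."
    }
}

# Per the article's NOTE, search alerts stop working once this is enabled.
```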
Workaround: Use a two-way trust instead of a one-way trust.
1) Create a one-way trust configuration in which Domain A trusts Domain B (but not vice versa)
2) Install SharePoint 2010 on Domain A and configure the SSA to run with a service account on Domain A
3) Create a web application by using Windows classic or Windows claims
4) Create some content in SharePoint
5) Grant the same rights on the SharePoint content to a user from Domain A and a user from Domain B
6) Perform a full crawl
7) Try to run a query as a user from Domain A
8) Try to run a query as a user from Domain B
Expected result: Both users see the same results on the search results page.
Actual result: The user from Domain A gets the right content, but the user from Domain B gets only:
a) Content that has been ACLed where the ACL size is greater than 64k (Windows Classic)
b) All the SharePoint content (Windows Claims)
Article ID: 2344518 - Last Review: Aug 17, 2010 - Revision: 1