Unable to perform a query in a one-way trust domains scenario when a user from the trusted domain performs the query and the SSA application pool account is from the trustee domain


Follow these steps if you are running into an issue with SharePoint Search where you are unable to perform a search query across one-way trust domains: a user from the trusted domain performs the query while the SSA application pool account is from the trustee domain.
Farm Topology:
• DomainA and DomainB are in two separate forests with a one-way trust relationship from DomainA to DomainB.
• User (DomainB\User1) has access to content crawled on DomainA.

DomainB\User1 receives zero results when issuing a search query against DomainA.


Security trimming is done in the query processor (QP). In SharePoint 2010, the QP moved from the WFE to the query servers.
Because the WFE sends only the user's SID to the QP, the AuthZ API fails to authenticate across domains.
In SharePoint 2007, security trimming was done in the WFE, where the AuthZ API worked because the querying user's group information was available.


Run the following Windows PowerShell command:


Where $searchapp is the Windows PowerShell object for the search service application to be modified ($searchapp = Get-SPEnterpriseSearchServiceApplication).

You will not see any confirmation; the SetProperty() command sets the value of ForceClaimACLs in the search administration database to 1.
A full crawl is required to enable the new ACL format across the content.
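As an added example (not the article's own script), the resolution carried through in the SharePoint 2010 Management Shell: read the property, set it as the article describes, confirm the stored value, and start the full crawl the article says is required. The GetProperty() read-back and the CrawlStatus check are assumptions, not taken from this article.

```powershell
# Added example, not code from KB 2344518. Assumes the SharePoint 2010 Management
# Shell on a farm server, a single search service application, and that
# GetProperty() on the SSA object returns the value stored by SetProperty().
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The search service application object, as in the article.
$searchapp = Get-SPEnterpriseSearchServiceApplication

# Inspect the current value before changing anything (assumed call).
$before = $searchapp.GetProperty("ForceClaimACLs")
Write-Host "ForceClaimACLs before: $before"

# The change the article describes: store ForceClaimACLs = 1 in the search
# administration database. SetProperty() prints nothing on success.
$searchapp.SetProperty("ForceClaimACLs", 1)

# Re-read the value so the change is verified rather than assumed.
$after = $searchapp.GetProperty("ForceClaimACLs")
if ($after -ne 1) {
    throw "ForceClaimACLs was not set; current value: $after"
}
Write-Host "ForceClaimACLs after: $after"

# The new ACL format only applies to re-crawled content, so start a full crawl
# of every idle content source in this SSA. Cross-domain users keep getting
# zero or incomplete results until the crawl completes.
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $searchapp |
    ForEach-Object {
        if ($_.CrawlStatus -eq "Idle") {
            Write-Host "Starting full crawl of content source '$($_.Name)'"
            $_.StartFullCrawl()
        } else {
            Write-Host "Content source '$($_.Name)' is busy ($($_.CrawlStatus)); skipping"
        }
    }
```

Run it as a farm administrator; if the farm has more than one search service application, filter the result of Get-SPEnterpriseSearchServiceApplication by name first.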

NOTE: Search alerts will be broken after enabling this functionality.

Workaround: Use a two-way trust instead of a one-way trust.

More Information

Steps to reproduce:

1) Create a one-way trust domain configuration where Domain A trusts Domain B (but not vice versa)
2) Install SharePoint 2010 in Domain A and configure the SSA to run with a service account from Domain A
3) Create a web application using Windows classic or Windows claims authentication
4) Create some content in SharePoint
5) Give the same rights to the SharePoint content to a user from Domain A and a user from Domain B
6) Perform a full crawl
7) Try to run a query as a user from Domain A
8) Try to run a query as a user from Domain B

Expected result: both users see the same results on the search results page.


Actual result: the user from Domain A gets the right content, but the user from Domain B only gets:
a) Content that has been ACLed where the ACL size is greater than 64k (Windows classic)
b) All the SharePoint content (Windows claims)

Article ID: 2344518 - Last Review: Aug 17, 2010 - Revision: 1

Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2010