Hi all,
While working on a business requirement, we needed to configure SharePoint 2013 against Active Directory across two different forests: the User Profile Synchronization service, the People Picker and the related network requirements.
Setting up the User Profile Synchronization service requires a fairly involved SharePoint architecture as well as a fair knowledge of networking and firewall concepts.
User Profile Service:
I have written a blog post about setting up and configuring the User Profile Synchronization service (UPS). It is quite complex to configure. The user profile store contains information about users; in most environments Active Directory (natively supported) is the source from which user profiles are created.
Firewall ports for UPS:
· TCP/UDP 389 (LDAP)
· TCP/UDP 88 (Kerberos)
· TCP/UDP 53 (DNS)
· UDP 464 (Kerberos Change Password)
User Information List:
Each site collection has a hidden list called the User Information List. It is stored in a table in the content database and exists in every site collection. A user is added to the list when he or she accesses the site for the first time.
It is a hidden list and can be reached only by administrators via these URLs:
http://sp2013/sites/_catalogs/users/simple.aspx or
http://sp2013/sites/_catalogs/users/detail.aspx
SharePoint therefore stores user information in two places:
a) the User Profile Store and
b) the site collection (its User Information List)
and keeps the two in sync using two timer jobs:
· User Profile to SharePoint Full Synchronization
· User Profile to SharePoint Quick Synchronization
SharePoint manages the User Profile store and the site collection copy internally. At times they get out of sync, and the following STSADM commands can be used to check and repair that.
Stsadm.exe -o sync -listolddatabases 0
lists the content databases that have not been synchronized in the last N days (0 = all of them) together with their last sync time.
The next command clears the sync records for those databases, so that every one of them is fully synchronized on the next run:
Stsadm.exe -o sync -deleteolddatabases 0
Finally, run this command to sync:
stsadm -o sync
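As an added example (not part of the original post), here is the PowerShell counterpart of the hidden list pages and the STSADM sync commands above: it puts the site collection copy of a user (the User Information List) next to the profile store copy and then starts the Quick Synchronization timer job that pushes profile changes into site collections. The site URL, the claims-format login name and the profile property names PreferredName/WorkEmail are assumptions for a Windows-claims web application; run it in the SharePoint 2013 Management Shell on a farm server.

```powershell
# Added example, not the original post's code. Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

function Compare-UserInfoWithProfile {
    # $LoginName must be in the form the web application stores, e.g. "i:0#.w|contoso\aroh"
    # for a Windows-claims web application (assumed here).
    param([string]$SiteUrl, [string]$LoginName)
    $site = Get-SPSite $SiteUrl
    try {
        # Site collection copy: SiteUsers is backed by the hidden User Information List
        # (the same data shown at /_catalogs/users/simple.aspx).
        $uilUser = $site.RootWeb.SiteUsers | Where-Object { $_.LoginName -eq $LoginName }

        # Profile store copy, read through the User Profile Service Application.
        $ctx     = Get-SPServiceContext $site
        $upm     = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
        $profile = if ($upm.UserExists($LoginName)) { $upm.GetUserProfile($LoginName) }

        [pscustomobject]@{
            Login               = $LoginName
            UIL_DisplayName     = $uilUser.Name
            UIL_Email           = $uilUser.Email
            Profile_DisplayName = $profile['PreferredName'].Value   # assumed property names
            Profile_Email       = $profile['WorkEmail'].Value
            InSync              = ($uilUser.Name -eq $profile['PreferredName'].Value)
        }
    } finally { $site.Dispose() }
}

function Start-ProfileToSiteSync {
    # Starts the Quick (default) or Full "User Profile to SharePoint" timer job and shows
    # when it last ran. This replaces "stsadm -o sync" in SharePoint 2013.
    param([switch]$Full)
    $name = if ($Full) { 'User Profile to SharePoint Full Synchronization' }
            else       { 'User Profile to SharePoint Quick Synchronization' }
    $job = Get-SPTimerJob | Where-Object { $_.DisplayName -eq $name }
    $job | Select-Object DisplayName, LastRunTime
    $job | Start-SPTimerJob
}

Compare-UserInfoWithProfile -SiteUrl "http://sharepoint2013.contoso.com/sites/projectx" `
                            -LoginName "i:0#.w|contoso\aroh"
Start-ProfileToSiteSync        # quick sync; add -Full to run the full synchronization
```

If InSync comes back False and a quick sync does not fix it, the STSADM deleteolddatabases command above followed by the full synchronization job is the heavier repair.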
Please refer to the TechNet article on these STSADM commands for more information.
You can also use PowerShell.
People Picker Control:
A SharePoint site has a control called the People Picker, as shown below.
The address book highlighted above is populated from the site collection. This blog post explains it well.
This is the sequence the People Picker follows when it searches for a user:
a) It FIRST checks for an exact match. For example, if you type Aroh Shukla into the control, it checks the User Information List (the hidden list) of the site collection for that Name value, and any SharePoint group with that name. If there is no exact match, the control goes to Active Directory in the respective forests (if you have more than one) and queries all user objects' Display Name for that value. If a match is found and you hover the mouse over it, you can see the user name.
b) If the step above does not resolve the name, the control searches for profiles or SharePoint groups that start with the text entered (first name), by
a. checking the User Information List within the site collection, then
b. if nothing is found, searching the Active Directory forest.
c) If that still does not resolve the name, it repeats the prefix search against the last name, again
a. checking the User Information List within the site collection, then
b. if nothing is found, searching the Active Directory forest.
d) Finally, the control searches the SharePoint groups of that site collection.
To summarize, the People Picker checks the User Information List within the site collection first and Active Directory second.
Here is the flow when a user tries to add another user to a site collection:
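To make the lookup order above visible, here is an added example (not the post's code and not SharePoint's internal implementation) that runs the same stages in PowerShell and reports which stage produced a hit: exact display name in the User Information List and site groups, then Active Directory, then the prefix passes. The site URL, the domains and "Aroh Shukla" are placeholders, and the AD query runs as the current user, so it only reaches domains that user can query (the real control uses the credentials stored in peoplepicker-searchadforests). The CAML and LDAP inputs are escaped because the typed text is user input.

```powershell
# Added example, not the original post's code. Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.DirectoryServices

function Find-InUserInfoList {
    # Stage "User Information List": Title is the display name, Name the login name.
    param([Microsoft.SharePoint.SPWeb]$Web, [string]$Text, [switch]$Prefix)
    $op   = if ($Prefix) { 'BeginsWith' } else { 'Eq' }
    $safe = [System.Security.SecurityElement]::Escape($Text)       # no CAML injection
    $q = New-Object Microsoft.SharePoint.SPQuery
    $q.Query = "<Where><$op><FieldRef Name='Title'/><Value Type='Text'>$safe</Value></$op></Where>"
    $Web.SiteUserInfoList.GetItems($q) | ForEach-Object {
        [pscustomobject]@{ Source = 'UserInfoList'; Name = $_['Title']; Login = $_['Name'] }
    }
}

function Find-SPGroup {
    # Stage "SharePoint groups of the site collection".
    param([Microsoft.SharePoint.SPWeb]$Web, [string]$Text, [switch]$Prefix)
    $Web.SiteGroups | Where-Object {
        if ($Prefix) { $_.Name -like "$Text*" } else { $_.Name -eq $Text }
    } | ForEach-Object { [pscustomobject]@{ Source = 'SPGroup'; Name = $_.Name; Login = $null } }
}

function Find-InActiveDirectory {
    # Stage "Active Directory": match user objects on displayName in one domain/forest.
    param([string]$Domain, [string]$Text, [switch]$Prefix)
    $e = $Text.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')  # LDAP escaping
    $value = if ($Prefix) { "$e*" } else { $e }
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $ds   = New-Object System.DirectoryServices.DirectorySearcher($root)
    $ds.Filter = "(&(objectCategory=person)(objectClass=user)(displayName=$value))"
    [void]$ds.PropertiesToLoad.AddRange(@('displayName', 'sAMAccountName'))
    $ds.FindAll() | ForEach-Object {
        [pscustomobject]@{ Source = "AD:$Domain"; Name = $_.Properties['displayname'][0]
                           Login  = $_.Properties['samaccountname'][0] }
    }
}

function Resolve-LikePeoplePicker {
    param([string]$SiteUrl, [string]$Text, [string[]]$Domains)
    $web = (Get-SPSite $SiteUrl).RootWeb
    try {
        # a) exact match: site collection (users, groups) first, Active Directory second
        $hits = @(Find-InUserInfoList $web $Text) + @(Find-SPGroup $web $Text)
        if (-not $hits) { $hits = @($Domains | ForEach-Object { Find-InActiveDirectory $_ $Text }) }
        if ($hits) { return $hits }
        # b)/c) the control does two prefix passes (first name, then last name); a single
        #       prefix match on the display name stands in for both here
        $hits = @(Find-InUserInfoList $web $Text -Prefix)
        if (-not $hits) { $hits = @($Domains | ForEach-Object { Find-InActiveDirectory $_ $Text -Prefix }) }
        if ($hits) { return $hits }
        # d) last resort: any site collection group starting with the text
        return Find-SPGroup $web $Text -Prefix
    } finally { $web.Site.Dispose() }
}

Resolve-LikePeoplePicker -SiteUrl "http://sharepoint2013.contoso.com/sites/projectx" `
                         -Text "Aroh Shukla" -Domains "contoso.com", "fabrikam.com" |
    Format-Table -AutoSize
```

The Source column tells you whether a name was served from the site collection or had to go out to a domain controller, which is exactly the boundary where the firewall and trust problems described later on this page show up.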
People Picker ports (or AD Ports) are as follows:
TCP/UDP 135, 137, 138, 139 (RPC)
TCP/UDP 389 by default, customizable (LDAP)
TCP 636 by default, customizable (LDAP SSL)
TCP 3268 (LDAP GC)
TCP 3269 (LDAP GC SSL)
TCP/UDP 53 (DNS)
TCP/UDP 88 (Kerberos)
TCP/UDP 445 (Directory Services)
TCP/UDP 749 (Kerberos-Adm)
TCP port 750 (Kerberos-IV)
Ask the network engineer to open these ports from the SharePoint servers to the domain controllers so that SharePoint can communicate with Active Directory (636 and 3269 are only needed if you use LDAP over SSL).
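Before raising a firewall request, or when People Picker searches start failing, it helps to probe the listed ports from the SharePoint server itself. The following is an added example (not part of the original post and not the PeoplePicker Port Tester or PortQry tools mentioned later): it attempts a TCP connection to every TCP port from the UPS and People Picker lists above against each domain controller. The domain controller names and the timeout are assumptions for your environment. UDP ports (DNS, Kerberos, NetBIOS 137/138, Kerberos change password 464) cannot be verified with a plain connect; use PortQry for those.

```powershell
# Added example, not the original post's code. Run on a SharePoint server as any user.
$DomainControllers = @("dc01.contoso.com", "dc01.fabrikam.com")   # assumed names
$TimeoutMs = 3000                                                # assumed timeout

# TCP ports from the UPS and People Picker lists above, with the service each carries.
$Ports = [ordered]@{
    53   = "DNS (TCP)"
    88   = "Kerberos (TCP)"
    135  = "RPC endpoint mapper"
    139  = "NetBIOS session (RPC)"
    389  = "LDAP"
    445  = "Directory services / SMB"
    636  = "LDAP SSL"
    749  = "Kerberos-Adm"
    750  = "Kerberos-IV"
    3268 = "LDAP GC"
    3269 = "LDAP GC SSL"
}

function Test-TcpPort {
    # Returns Open, Timeout or Closed for one host/port. A timeout usually means a
    # firewall is dropping the packets; Closed means the host answered with a reset.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return "Timeout (filtered?)"
        }
        $client.EndConnect($async)          # throws if the connection was refused
        return "Open"
    } catch {
        return "Closed/refused: " + $_.Exception.Message
    } finally {
        $client.Close()
    }
}

foreach ($dc in $DomainControllers) {
    foreach ($port in $Ports.Keys) {
        $result = Test-TcpPort -ComputerName $dc -Port $port -TimeoutMs $TimeoutMs
        "{0,-22} {1,5}  {2,-26} {3}" -f $dc, $port, $Ports[$port], $result
    }
}
```

Run it once on every web front end, because a rule opened for one server's address does not help the others, and keep the output: it is the evidence to attach to the firewall request.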
AD trust
Having one domain and one forest is easy to configure. However, this rarely happens in the real world; typically organizations have multiple forests and domains.
Furthermore, a two-way trust is not scalable, is difficult to manage and has security implications: in a two-way trust, resources are shared in both directions.
In a one-way trust, only one domain trusts the other. For example, the CONTOSO domain trusts the FABRIKAM domain.
The diagram below explains this.
A SharePoint farm typically has a one-way trust, and once it is configured you can authenticate any account from the trusted domain, as shown above. Fabrikam users have no permissions on the sites until they are explicitly granted.
Issue:
With a one-way trust, you cannot see any accounts from the other domain in the People Picker, as shown here for SharePoint 2013:
No results found. (for the Fabrikam domain)
In SharePoint 2007/2010 the message is:
No results were found to match your search term. Please enter a new term or a less specific term.
The cause is the trust direction: the SharePoint application pool account lives in CONTOSO, and because FABRIKAM does not trust CONTOSO its domain controllers will not accept an LDAP query from that account. The People Picker therefore needs a FABRIKAM credential of its own to search the trusted domain, which is what the configuration below supplies.
A little configuration is required on the SharePoint farm.
Fix:
Execute these STSADM commands in sequence to get both CONTOSO and FABRIKAM accounts:
a) STSADM.exe -o setapppassword -password <<KEY>>
Note: the key can be any string. It is used to encrypt the domain credentials stored in the next step, so keep it safe and use the same key on every server in the farm.
For e.g. STSADM.exe -o setapppassword -password "ProjectX"
b) STSADM.exe -o setproperty -propertyname peoplepicker-searchadforests -propertyvalue "domain:contoso.com,contoso\spfarm,p@ssword;domain:fabrikam.com,fabrikam\aroh,123456" -url http://sharepoint2013.contoso.com
Note: the setapppassword command has to be run on EVERY server in the farm, because the key is stored locally on each server; the setproperty command applies to the web application and is stored in the configuration database. The account you give for each domain only needs to read that domain's directory, so use a dedicated low-privileged account rather than the farm account.
For a single domain, use this command:
stsadm -o setproperty -url https://sharepoint2013.contoso.com -pn peoplepicker-searchadforests -pv "forest:contoso.com"
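Since the post mentions that PowerShell can be used as well, here is an added example (not the post's code) of the object-model equivalent of the peoplepicker-searchadforests property for the CONTOSO/FABRIKAM scenario. It prompts for the credential key and the trusted-domain password instead of putting them on the command line, so they do not end up in the shell history. The web application URL, the domain names, the STSADM path and the fabrikam\pp-reader account are assumptions; pp-reader stands for a dedicated account that only needs read access to the FABRIKAM directory. Run it in the SharePoint 2013 Management Shell on a farm server.

```powershell
# Added example, not the original post's code. Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "http://sharepoint2013.contoso.com"                  # assumed

# 1) The application credential key must exist on EVERY server in the farm before a
#    domain credential is stored; SharePoint 2013 has no cmdlet for it, so call STSADM.
#    Repeat this step on each server with the same key.
$key    = Read-Host -Prompt "Application credential key"
$stsadm = Join-Path $env:CommonProgramFiles "microsoft shared\Web Server Extensions\15\BIN\STSADM.EXE"
& $stsadm -o setapppassword -password $key

# 2) Configure which forests/domains the People Picker searches for this web application.
#    This is stored once in the configuration database, not per server.
$wa      = Get-SPWebApplication $WebAppUrl
$domains = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
$domains.Clear()      # same effect as setproperty: replace the whole list

# Home forest: the application pool account can query it, so no credential is stored.
$homeForest = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$homeForest.DomainName = "contoso.com"
$homeForest.IsForest   = $true
$domains.Add($homeForest)

# One-way trusted domain: CONTOSO trusts FABRIKAM, but FABRIKAM's DCs will not accept a
# query from the CONTOSO app pool identity, so store a FABRIKAM account for the lookup.
$trusted = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$trusted.DomainName = "fabrikam.com"
$trusted.IsForest   = $false
$trusted.LoginName  = "fabrikam\pp-reader"                        # assumed read-only account
$trusted.SetPassword((Read-Host -Prompt "Password for fabrikam\pp-reader" -AsSecureString))
$domains.Add($trusted)

$wa.Update()

# 3) Verify what is stored. Passwords are encrypted with the key and are never returned.
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Select-Object DomainName, IsForest, LoginName
```

If step 1 was skipped on a server, People Picker requests served by that server fail with the "Cannot retrieve the information for application credential key" error discussed under Troubleshooting.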
Troubleshooting
1. Most issues are caused by the firewall not being open from the SharePoint 2013 servers to the Active Directory servers. Trevor Seward (SharePoint MVP) has written a fantastic tool called PeoplePicker Port Tester to test connectivity between SharePoint 2013 and Active Directory.
2. Use Microsoft PortQry to test that the AD ports are open. It is useful for other ports as well, such as those for Distributed Cache.
3. Error: Cannot retrieve the information for application credential key
This error means the server handling the request does not have the application credential key set (or it differs from the key used when the credentials were stored). Run these commands:
a) STSADM.exe -o setapppassword -password <<KEY>>
b) STSADM.exe -o setproperty -url <web application url> -pn peoplepicker-searchadforests -pv "forest:<source forest>;domain:<trusted domain>,<trusted domain>\<account>,<password>"
For example:
a) STSADM.exe -o setapppassword -password "ProjectX"
b) STSADM.exe -o setproperty -propertyname peoplepicker-searchadforests -propertyvalue "domain:contoso.com,contoso\spfarm,p@ssword;domain:fabrikam.com,fabrikam\aroh,123456" -url http://sharepoint2013.contoso.com
I hope this blog post will be helpful.
References:
1. UPS ports: http://summit7systems.com/the-superguide-to-user-profile-sync-and-people-picker-in-a-heavily-firewalled-network/
2. People Picker ports: http://summit7systems.com/the-superguide-to-user-profile-sync-and-people-picker-in-a-heavily-firewalled-network/
4. User Information List – STSADM
a) http://sharepointchick.com/archive/2009/06/17/user-profiles-and-the-user-information-list-or-userinfo-table.aspx
b) TechNet
5. User Information List – PowerShell: http://blog.falchionconsulting.com/index.php/2011/12/updating-sharepoint-2010-user-information/
6. How does People Picker work? http://community.bamboosolutions.com/blogs/bambooteamblog/archive/2008/10/09/how-does-person-or-group-column-really-work.aspx
9. Configure People Picker in SharePoint 2013: https://technet.microsoft.com/en-SG/library/gg602075.aspx
1 comment:
Hi Aroh
Thanks for the post, lots of good information about People Picker.
For my environments, I have both a two-way trusted domain and a one-way trusted domain. How do I go about setting up stsadm - setproperty -pn peoplepicker-searchforest -pn "........"?
Can you give me some advice on this?
Thanks
Swanl