SharePoint 2010 – External Trust Configuration

Today I am attempting to get SharePoint 2010 to work with accounts stored in an Active Directory forest that is external to the SharePoint server.  This would be our “guest forest”.  Lots of tips are available on the net:

It is worth noting that whether you need to provide a username and password for searching a domain outside of the SharePoint web server’s domain depends on the type of trust that exists between the SharePoint server domain and the searched domain.  If the searched domain trusts the SharePoint domain (and selective authentication is not being enforced), no account credentials need to be provided.

I used “” as the external forest to search.  Now the people picker returns results from the external forest.  Good!  Unfortunately, when you go to apply permissions to the external user in a SharePoint site, I get a “No exact match was found. Click the item(s) that did not resolve for more options” error.  What gives?

The following thread seems to touch on this issue, but the resolution is a bit vague:

However, the “Full Metal Architect” page (first link in the bulleted list above) does suggest that using a “forest” search could return more limited search results, because it only queries the global catalog for user properties.  Just for grins, I converted the search scope to “”, did another IIS reset, and now I can add users.  Strange.

Ultimately, to ensure that both local domain and guest domain accounts could be searched and added using the people picker, I had to run the following commands:

stsadm -o setproperty -url [sharepointUrl] -pn peoplepicker-searchadforests -pv ";"


stsadm -o setproperty -pn peoplepicker-searchadforests -pv ";"

(note the absence of the “-url” parameter in the second command)

I expect one of these commands really was not necessary, but now that things are working the way I want them to, I am going to leave well enough alone.
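The same configuration written out as a PowerShell script, added here as an example and not taken from the original post. Every name in it is a placeholder assumption (the web application URL, the two forest DNS names, the query account), and the "domain:" scope is used because that is the scope that worked above; the stsadm operations (setapppassword, setproperty, getproperty), the peoplepicker-searchadforests value format and the nltest trust check are real SharePoint 2010 / Windows commands.

```powershell
# Added example (not from the original post): point the SharePoint 2010
# people picker at an external "guest" forest and verify the setting.
# All values below are placeholder assumptions; replace them for your farm.
$WebAppUrl   = "http://sharepoint.example.local"   # placeholder: web application URL
$LocalForest = "corp.example.local"                # placeholder: forest SharePoint lives in
$GuestForest = "guest.example.local"               # placeholder: external forest to search
$GuestUser   = "GUEST\svc-peoplepicker"            # placeholder: low-privilege read-only account

# stsadm ships with SharePoint 2010 under the "14" hive.
$Stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe"

# 1. Check the trust direction first (read-only). If the guest forest trusts the
#    SharePoint domain (an inbound trust from its side) and selective authentication
#    is off, the people picker can query it as the web application's identity and
#    no stored credential is needed.
nltest /domain_trusts /all_trusts

# 2. Build the search value. Format: "<scope>:<dns-name>[,<user>,<password>];..."
#    scope is "forest:" (global catalog only, fewer attributes) or "domain:" (full
#    domain query). The post above found "domain:" resolved users that "forest:" did not.
$NeedsCredential = $true   # set to $false when the trust check above shows a two-way trust
if ($NeedsCredential) {
    # The credential is stored in the web application config; stsadm encrypts it with
    # the farm "app password", which must be set on every web front end beforehand.
    $AppPass   = Read-Host "App password to encrypt stored credentials"
    & $Stsadm -o setapppassword -password $AppPass

    $GuestPass = Read-Host "Password for $GuestUser"
    $Value = "domain:$LocalForest;domain:$GuestForest,$GuestUser,$GuestPass"
} else {
    $Value = "domain:$LocalForest;domain:$GuestForest"
}

# 3. Apply the setting to the web application.
& $Stsadm -o setproperty -url $WebAppUrl -pn peoplepicker-searchadforests -pv $Value

# 4. Read it back to confirm what was stored (credential values are not echoed in clear).
& $Stsadm -o getproperty -url $WebAppUrl -pn peoplepicker-searchadforests

# 5. Recycle IIS so the people picker picks up the new value.
iisreset
```

Keep the query account limited to read access in the guest forest: it only needs to enumerate users and groups, and its password ends up in the web application configuration, so treat it as a service account with no other rights.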