Support for one-way domain trusts

Mar 18, 2011 at 9:11 PM

Hi, perhaps you could include the following:

In the webapplication xml element add a node like this

    <DomainTrust domainName="source.local" isForest="False" />
    <DomainTrust domainName="trusteddomain.local" isForest="False" userName="trusteddomain\username" password="password" />

Then, add the following functions (adapted to fit the autospinstaller xml input from

SetAppPassword expects AppPassword element like the Passphrase element and should be called on each server,

the AddTrustedDomains function should be called from either the foreach in CreateWebApplications in AutoSPInstallerFunctions or in the CreateWebApp function also in AutoSPInstallerFunctions

# ===================================================================================
# FUNC: Set App Password
# DESC: Sets the password use to encrypt the one-way trust lookup account's password
# ===================================================================================
function SetAppPassword([xml]$xmlinput) {
 $type = [Microsoft.SharePoint.Utilities.SPPropertyBag].Assembly.GetType("Microsoft.SharePoint.Utilities.SPSecureString")
 $method = $type.GetMethod("FromString", "Static, NonPublic", $null, @([String]), $null)
 $secureString = $method.Invoke($null, @($xmlinput.Configuration.AppPassword))

# ===================================================================================
# FUNC: Add Trusted domains
# DESC: Adds Trusted domains to the webapplication so the people picker will validate user from that domain
# ===================================================================================
function AddTrustedDomains([System.Xml.XmlElement]$webApp) {
    if($webApp.DomainTrusts.Count > 0)
        if($webApp.DomainTrusts.DomainTrust.Count > 0)
         $webApplication = Get-SPWebApplication $webApp.url

         $searchActiveDirectoryDomains = $webApplication.PeoplePickerSettings.SearchActiveDirectoryDomains

         $currentDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain

            ForEach ($domainTrust in $webApp.DomainTrusts.DomainTrust)
                $item = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
                $item.DomainName = $domainTrust.domainName;
                $item.IsForest = $domainTrust.isForest -eq $true;
                if ($item.DomainName -ne $currentDomain) {
                    $item.LoginName = $domainTrust.userName;

Mar 21, 2011 at 8:54 PM

One caveat you might add (which is specific to sharepoint and not your script) is that the people picker cannot be configured to use SSL-secured LDAP binding. This is because the DirectorySearcher they use is initialized with a privately constructed DirectoryEntry search root with the default authentication type, which is "Secure." For SSL, you need to set the flag "SecureSocketsLayer." This is a huge limitation and oversight by Microsoft IMO. I put this comment here because somebody searching for this configuration may be looking to find out about this too and the information is nowhere to be found. I had to reverse engineer it via Reflector (against the SharePoint Server 2010 December CU 2010 build.)

Nice script nonetheless.