Tuesday, May 8, 2012

SP2010 Search one-way trust domain

In a multi-domain environment with a one-way trust between domains, search does not return security-trimmed results for either of the domains.

Error in ULS: 
AuthzInitializeContextFromSid failed with ERROR_ACCESS_DENIED. This error indicates that the account under which this process is executing may not have read access to the tokenGroupsGlobalAndUniversal attribute on the querying user's Active Directory object. Query results which require non-Claims Windows authorization will not be returned to this querying user. da324c89-8a72-4b2b-a2b9-ed5cab78c16d

This is because the search service accounts do not have the required permissions to gather ACLs for the domain account that issued the search query. The resolution is to force the search service application to use Claims to store ACL information; for security trimming, the service account then does not need to talk to domain controllers to get ACLs.
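One way to apply this from the SharePoint 2010 Management Shell, as an added example rather than commands from the original post. It assumes the setting meant is the search service application's ForceClaimACLs property and that the farm has a single search service application; a full crawl follows because ACLs are written to the index at crawl time.

```powershell
# Added example: run on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: exactly one search service application in the farm.
$ssa = Get-SPEnterpriseSearchServiceApplication

# Record the current value, then store ACLs in the index as claims.
Write-Host "ForceClaimACLs before:" $ssa.GetProperty("ForceClaimACLs")
$ssa.SetProperty("ForceClaimACLs", 1)
Write-Host "ForceClaimACLs after: " $ssa.GetProperty("ForceClaimACLs")

# ACLs already in the index keep their old form until recrawled,
# so start a full crawl of every content source that is idle.
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa | ForEach-Object {
    if ($_.CrawlStatus -eq "Idle") {
        Write-Host "Starting full crawl:" $_.Name
        $_.StartFullCrawl()
    }
    else {
        Write-Warning ("{0} is {1}; start a full crawl once it is idle." -f $_.Name, $_.CrawlStatus)
    }
}
```

Once the full crawls finish, repeat the query as a user from the trusted domain and confirm the AuthzInitializeContextFromSid error no longer appears in ULS.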

