The K2 Setup Manager requires the logged on user to have domain user privileges to proceed
By peter.stilgoe
When installing K2 Blackpoint / Blackpearl in a one-way trust environment, you need to run the K2 server service account & application pool using an account from the ‘trusted’ domain. It is also recommended that you install K2 components using this account:
Note: It is recommended to install all K2 components using the K2 Service Account. Log on to the server as the K2 Service Account before installing.
However if you try you will get the following error:
“The K2 Setup Manager requires the logged on user to have domain user privileges to proceed”
As you are in a one-way trust environment you can't easily give the required permissions (if at all), so the workaround is:
“If you have a scenario where you have multiple domains, you can disable the Installer’s domain check.
1. Please browse to the directory where you are executing the installation files from.
2. Look for a configuration file called product.config. This file will reside in the installer directory.
3. Please edit the file and change the Domainusercheck from true to false as shown below.
4. Save the file and execute the setup.exe again.”
setting key="domainusercheck" value="false"
source: K2underground
Sharepoint 2010 One Way Trust users on the trusted domain do not return any search results
By peter.stilgoe
If you have your SharePoint 2010 farm set up in one domain & your users are in a separate domain using a one-way trust, their searches will not return any results. This is because the app pool for the search query service runs under a domain account on the trusting domain.
This account has no rights on the domain where the users sit, so it cannot determine how the search results should be security trimmed. My initial thought was that we need to run the search query app pool using an account on the same domain as the users, which does / will work.
However, a better way is to run the following PowerShell command:
$searchapp = Get-SPEnterpriseSearchServiceApplication
$searchapp.SetProperty("ForceClaimACLs",1)
Now run a ‘Full Crawl’ and your users should get search results as expected over the one-way trust.
You can display your Search App details with the following command:
Get-SPEnterpriseSearchServiceApplication
Note: After performing the above, search alerts will be broken. If you do need search alerts you can try running your search app pool with an account from the user domain.
Sharepoint – How to setup a one way trust & required ports
By peter.stilgoe
1. Open Command Prompt.
2. Type: netdom trust TrustingDomainName /d:TrustedDomainName /add
TrustingDomainName – Specifies the DNS name (or NetBIOS name) of the trusting domain in the trust being created.
TrustedDomainName – Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust being created.
• To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups [http://technet2.microsoft.com/WindowsServer/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx], Default groups [http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx], and Using Run as [http://technet2.microsoft.com/WindowsServer/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx].
• To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
• This command-line method requires the Netdom Windows support tool. For information about installing Windows support tools, see Related Topics.
• Other switches can be used to assign a password or determine the direction of the trust. For example, to make a two-way, transitive trust, you can use the following syntax:
netdom trust TrustingDomainName /d:TrustedDomainName /add /twoway
• To view the complete syntax for this command, at a command prompt, type:
netdom trust | more
One Way trust validation
Inbound
————–
LDAP 389 UDP and TCP
MS DS 445 TCP
DCE Endpoint resolution – portmapper 135 TCP
Netlogon fixed port
Using object / people picker
Outgoing
—————
LDAP 389 UDP and TCP
LSA fixed port
Kerberos 88 UDP
DCE endpoint 135 TCP
Netlogon to external forest with NTLM
Outgoing
————
DCE endpoint 135 TCP
netlogon fixed port
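To confirm the firewall actually passes the TCP ports listed above, the following script (an added example, not part of the original post) attempts a TCP connect from the local server to a domain controller on the other side of the trust. The -DomainController and -FixedPorts parameters are placeholders for your own DC name and whatever fixed Netlogon / LSA ports your site has configured; UDP 389 and Kerberos 88 UDP cannot be checked with a TCP connect and are not covered.

```powershell
# Added example: TCP reachability check for the one-way trust ports listed above.
# Parameter values are site-specific assumptions supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainController,   # a DC in the other domain (placeholder)
    [int[]]$FixedPorts = @(),    # fixed Netlogon / LSA ports, if you have pinned them
    [int]$TimeoutMs = 3000
)

# TCP ports taken from the list above.
$checks = @(
    @{ Name = 'LDAP';                    Port = 389 },
    @{ Name = 'MS DS';                   Port = 445 },
    @{ Name = 'DCE endpoint resolution'; Port = 135 }
)
foreach ($p in $FixedPorts) {
    $checks += @{ Name = 'Fixed port (Netlogon / LSA)'; Port = $p }
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    # TcpClient is used instead of Test-NetConnection so this also runs on older hosts.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $client.Connected
    } catch {
        return $false                # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Target  = $DomainController
        Service = $c.Name
        Port    = $c.Port
        Open    = Test-TcpPort -ComputerName $DomainController -Port $c.Port -TimeoutMs $TimeoutMs
    }
}
$results | Select-Object Target, Service, Port, Open | Format-Table -AutoSize

# Exit non-zero when any listed TCP port is blocked, so the check can gate a deployment step.
if ($results | Where-Object { -not $_.Open }) { exit 1 }
```

Run it from each SharePoint server towards a DC in the user domain, and again in the opposite direction for the ports listed as inbound.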
Sharepoint 2010: How to get the people picker to work across domains in one way trust
By peter.stilgoe
If you have your SharePoint farm hosted in a different domain to your users, you will notice that the people picker only looks at its local domain, i.e. it does not list any users from the Internal / User domain. Luckily you can get round this fairly easily:
Run this command on all Sharepoint servers in your farm:
stsadm -o setapppassword -password <AnyPasswordYouWant>
Then run this command for each web app:
stsadm.exe -o setproperty -url <YourWebApp> -pn "peoplepicker-searchadforests" -pv "domain:<YourDomain>,<Domain Account>,<password>"
You should now be good to go & pull people & resolve names from both domains.



April 21st, 2011
