How to debug the SharePoint People Picker Problems

In complex environments you often have to adapt the SharePoint people picker settings for performance or other business needs reason. In this post I'll show two common problems.

Example 1: The people picker takes too long to find a user.

The szenario is that you search for a user and you wait 1 or longer minute before the user is displayed in the people picker.

One reason for that is often that the whole AD with all subtrees and trusted ADs is searched. This can be easily fixed by setting a filter to the people picker (like shown here).

Another reason can be that there are multiple Domain Controllers which the SharePoint Server tries to contact. There will be a delay if some of them are sitting behind a firewall like in a DMZ. This can be fixed by opening the ports to the DCs or by modifiying the host file, by pointing th IP of the DCs behind the firewall to  DCs in front.

Example 2: Your company consists of multiple branches with their own AD

You can tell the peoplepicker to search multiple domains. If you have a 2-way trusted domains, this problem can be easily fixed with a stsadm command:

 stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:germany.mydomain.com;domain:turkey.mydomain.com" -url http://sharepoint

Replace the domain names and the web application url for your needs. 

How to Debug

We take the example 2. What if you set the stsadm command in the second example but you can't find any user from the other domain ?

I use first a powershell script to check if I can contact the new DC. You have to know a little bit how ldap queries are working to understand the script.

Just adapt the DirectoryEntry setting and enter the login in DisplayUser( login ) at the bottom.

 <#   
   Display user information from AD  
   @author: Ihsan Baris Bikmaz  
 #>  
 clear  
 function DisplayUser($cn) {    
   $strFilter = "(&(objectClass=User)(cn=$cn))"  
   $objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=Users,DC=turkey,DC=mydomain,DC=com")  
   $ds = New-Object System.DirectoryServices.DirectorySearcher  
   $ds.SearchRoot = $objDomain  
   $ds.PageSize = 1000  
   $ds.PropertiesToLoad.Add("displayName")  
   $ds.PropertiesToLoad.Add("co")  
   $ds.Filter = $strFilter  
   $ds.SearchScope = "Subtree"  
   $retArray = @()    
   Write-Host " >> Searching for User with cn: " $cn  
   $ds.Findall() | Sort Path | ForEach-Object {  
      $dname = $_.Properties.Item("displayName");   
      $element = New-Object System.Object  
      $element | Add-Member -type NoteProperty -name CN -value $cn  
      $element | Add-Member -type NoteProperty -name Name -value $dname  
      $retArray += $element  
   }    
   $retArray  
 }  
 $myArray = @()    
 $myArray += DisplayUser("abikes")  
 $myArray


When this script works without any problems. I go further by digging in to the ldap traffic between the SharePoint Server and the DC.

The tool I use for monitoring the traffic is WireShark . Install WireShark on your frontend server. Start it. Select the adapter to connect and start monitoring the network traffic.

Start WireShark

You'll see lots of traffic. Now enter "ldap" in the filterbox and click on apply to only see ldap traffic.

Apply LDAP Filter

The next step is to create ldap traffic. Therefore open any SharePoint Site. Just go to the site actions menu and select Site Permissions. Try to search a user in the new AD. As an example I search a user with the loginname "anncle".

You will see now some traffic in the WireShark. Click on stop monitoring.

Stop monitoring

Click on Edit Menu and then on "Find Packet". Give the loginname you searched for into the search box.

Find Packet

Now you can see the ldap query, the time which the DC's need to respond and which DCs are contacted. With all that information it is easier to debug and find out the real problem.

In my case I check the query which the WFE send to the DC.

Ldap Query

With right click you can copy the query and you can try and modify it with Tools like LdapAdmin.

In my case, by inspecting  the ldap query  I found out that I had a filter which I set prior to improve the performance. By removing the filter from the sitecollection everything worked fine.



Comments

Adam said…
Hey Baris,I am having an issue with the people picker on an SP 2010 site, it uses Active Directory and seems to work correctly if I log into the SharePoint server and access the site, however when I access the site when im not logged into the server the Add button on the people picker seems to be disabled so I cant add the users that I select, do you know why this could be?
February 5, 2013 at 6:04 PM
Baris Bikmaz said…
Hi Adam,
sorry never had that before. There is also no add button on the people picker. Which button do you mean exactly? There are two one with the head and the other with the address book.
February 6, 2013 at 9:58 AM
Adam said…
Hey Baris, when you click the browse button on the people picker a popup opens up allowing you to search for and select the users to be added. The problem is that the Add button on that popup appears to be disabled so I cannot select any users. The Add button only works if im logged into the SharePoint server.
February 7, 2013 at 6:30 PM
Baris Bikmaz said…
Hello Adam,
I checked the code for the picker. There is no permission check or something else. It is a javascript function that enables the button:

"function PickerDialogUpdateAddSelectionButton()
{
var objAddSelButton = document.getElementById('ctl00_PlaceHolderDialogBodySection_AddSel');
if (objAddSelButton != null)
{
objAddSelButton.disabled = (selected.length == 0);
}
}"

For me the error can be:

1.) Reading the js function you have to select in the upper box an account to enable the button. I know it's a stupid answer but sometimes it is the easiest answer.

2.) Because it is a javascript function and you say that on the server everything is fine it can be that you use different browsers, perhaps an unsupported one.

3.) You have a custom Http Handler on your SP Server which perhaps blocks the loading of some scripts like the /_layouts/entityeditor.js file.

Other question: Can you search after users ? And are they resolved when you press enter in the search box ?

February 8, 2013 at 9:54 AM
Unknown said…
Great blog,thanks for sharing this article .Keep posting articles like this .

Sharepoint Developers
April 4, 2013 at 8:12 AM
Sudhir Chekuri said…
I got some useful stuff from this sharepoint blog. Thanks...

April 7, 2013 at 6:59 PM
Post a Comment

Popular posts from this blog

Open SharePoint 2010/2013 Display, Edit, New Forms in Modal Dialogs

Image
If you want to open a SP 2010 or in SP 2013 list item in a modal dialog you have two choices. Using the standard JavaScript functions or creating own functions. How to find which item URL is called If the dialog box appears you don't have an address bar to pick up the called URL. To see which URL is called when you edit or open a list item use the Internet Explorer Developer Tools. Open your source list in the Internet Explorer. Press F12 to open the developer tools. Click on the "Network" tab and then on "Start Capturing" Now click the link you want to track. You'll see the requests listed and you can also copy the urls for your need. SharePoint usually calls the /_layout/listform.aspx with the list parameter. The form then redirects to the appropriate list form. Method 1: Using core functions When using SharePoint 2010 core javascript functions to open elements in dialogs mostly you'll need to know : the ID of the l
Read more

Ways to redirect http requests in SharePoint

Image
The are multiple szenarios when you need a redirect in SharePoint: You've migrated SharePoint into a new URL (e.g http://sp2010 to http://sp2013) You moved a site collection You moved a sub site into a new site collection If you want to redirect in SharePoint without custom solutions you have the following options: Redirect with XML Viewer or Content Editor WebPart You can redirect with JavaScript by inserting a WebPart into the site and adding simple JavaScript. This is easy to configure but redirects only the site in which the WebPart sits (Probably the Mainsite). If users have saved links the their document libraries this method fails, unless you put the same WebPart into the document library. So go to the site you want to redirect and the XML Viewer WebPart. Open the WebPart settings and add the following line of code: <script type="text/javascript"> location.href = "<<the url you want to redirect>>"; </s
Read more

Using WebDav on IIS 7 to access UNC Paths

Image
In this post I want to show you step by step how to connect to a file share using webdav on IIS 7. For this post I assume: that you have already an IIS installed on the server  that you have installed WebDav or enabled the WebDav Feature on IIS. the server on which is IIS installed can reach the file share. 1: CREATE APPLICATION POOL The first step is to create a seperate application pool on the IIS. Open the program "Internet Information Services Manager". Click on "Application Pools" Click on "Add Application Pool" on the right menu Name it "WebDav". Let the rest as it. Right click on the new created Application Pool "WebDav" and select "Advanced Settings". Pay attention to the following attributes: .Net Framework Version : No Managed Code Identity : The identity of the Application Pool should be an account which has permissions to read the file share. Load User Profile : Should be set to "False"
Read more