Enabling Search for Claims Authentication: FBA, Trusted Claims without extending the WebApplication ! Robust


This is a very common requirement at every client using FBA or a Trusted Claims provider for their extranet sites. The common issues with enabling search are:

  1. The login page redirects to the STS of the authenticating provider, such as Windows Live ID or Facebook, for authentication.
  2. If Active Directory is enabled, its node will show up in the People Picker, which may be an issue under security guidelines.

So let's start with the first part and create a custom login page in a Visual Studio 2010 Empty project. The page checks which process is calling the login page and redirects it to the right authentication mechanism:

  • Windows for the search process, i.e. mssearch.exe, redirecting the authentication to /_windows/default.aspx
  • Forms/Trusted Claims for a web request from the user, redirecting the authentication to _trust/default.aspx or _forms/default.aspx

Enjoy the code below:

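using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;
using System.Web;
using System.Diagnostics;

namespace CustomLoginPage.MultipleAuth.Layouts
{
    // Custom sign-in page: it renders nothing and only redirects to one of
    // the built-in SharePoint login pages.
    public partial class login : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Compare the name of the process executing this page with "mssearch".
            if (Process.GetCurrentProcess().ProcessName.ToLower().Equals("mssearch"))
            {
                // Search crawler: use Windows authentication.
                Response.Redirect("/_windows/default.aspx");
            }
            else
            {
                // Everything else: use the trusted claims provider
                // (use /_forms/default.aspx instead for FBA).
                Response.Redirect("/_trust/default.aspx");
            }
        }
    }
}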

Deploy this package and set the Custom Sign In page in your web application; this page will take care of redirecting the requests.
Make sure that you have selected Windows authentication in the Authentication Providers for the web application.

For the second part, let's run this PowerShell script, which will turn off the “Active Directory” from the search node.

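# Load the SharePoint cmdlets when not running in the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
# Get the farm's claim provider manager and the built-in Active Directory claim provider
$cpm = Get-SPClaimProviderManager
$ad = Get-SPClaimProvider -Identity "AD"
Write-Host "Is AD Enabled" $ad.IsEnabled
Write-Host "Do operation to Disable AD"
# Disable the AD claim provider and persist the change
$ad.IsEnabled = $false
$cpm.Update()
Write-Host "Is AD Enabled" $ad.IsEnabled
Write-Host "End"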

Run a full crawl once to make sure the content is accessed. If you are getting access denied or search errors, make sure the content access account of the search has Read permissions on the web application.
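
A read-only check of the settings this post relies on, added here as an example and not part of the original post. The web application URL, sign-in page path and crawl account are constructed placeholders, and the function name is hypothetical.

```powershell
# Added example: read-only checks, nothing in the farm is changed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-ExtranetSearchAuth {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$WebAppUrl,    # web application to inspect
        [Parameter(Mandatory=$true)][string]$LoginPage,    # path of the deployed custom sign-in page
        [Parameter(Mandatory=$true)][string]$CrawlAccount  # search content access account, DOMAIN\user
    )
    $zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $webApp = Get-SPWebApplication -Identity $WebAppUrl
    $iis    = $webApp.IisSettings[$zone]
    $issues = @()

    # The crawler is sent to /_windows/default.aspx, so Windows claims auth must be on.
    if (-not $iis.UseClaimsAuthentication) { $issues += "Zone is not using claims authentication" }
    if (-not $iis.UseWindowsClaimsAuthenticationProvider) {
        $issues += "Windows authentication is not enabled on the zone"
    }
    # Users are sent to /_trust/ or /_forms/, so one of those providers must be on.
    if (-not ($iis.UseTrustedClaimsAuthenticationProvider -or $iis.UseFormsClaimsAuthenticationProvider)) {
        $issues += "Neither a trusted claims provider nor FBA is enabled on the zone"
    }
    # The custom sign-in page must be the zone's redirection URL.
    $redirect = [string]$iis.ClaimsAuthenticationRedirectionUrl
    if ($redirect -notlike "*$LoginPage") {
        $issues += "Custom sign-in page is '$redirect', expected '$LoginPage'"
    }
    # The AD claim provider should still be disabled.
    if ((Get-SPClaimProvider -Identity "AD").IsEnabled) { $issues += "AD claim provider is enabled" }

    # The content access account needs a web application policy; print its roles for review.
    $policy = $webApp.Policies | Where-Object { $_.UserName -like "*$CrawlAccount" }
    if (-not $policy) {
        $issues += "No web application policy found for $CrawlAccount"
    } else {
        $roles = $policy | ForEach-Object { $_.PolicyRoleBindings } | ForEach-Object { $_.Name }
        Write-Host "Policy roles for ${CrawlAccount}:" ($roles -join ", ")
    }
    if ($issues.Count -eq 0) { Write-Host "All checks passed" }
    else { $issues | ForEach-Object { Write-Warning $_ } }
    return $issues
}

# Constructed sample values; none of these come from the post.
Test-ExtranetSearchAuth -WebAppUrl "https://extranet.example.com" `
    -LoginPage "/_layouts/CustomLoginPage/login.aspx" -CrawlAccount "CONTOSO\svc-crawl"
```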

Hit the URL of your extranet site, log in, and be proud to announce search to your clients.
