• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 525
  • Last Modified:

Is it possible to pass through authentication to federated search source in SharePoint Server 2010/2013?

We have a SharePoint Server 2010 installed internally and another ASP.NET web application using Windows Authentication (same domain and same set of users as SharePoint). We want to configure ASP.NET web application as an external federated search source on SharePoint, it is running fine with Anonymous authentication for configured Federated Locations (using OpenSearch 1.0/1.1 protocol).

However, we would like to configure SharePoint to pass through or authenticate the ASP.NET web application using the same user account logged on SharePoint Sites. But we haven't found any way to do it yet.

Is that possible? And how to achieve that?
0
Duy Pham
Asked:
Duy Pham
  • 4
  • 3
  • 2
1 Solution
 
Kyle AbrahamsSenior .Net DeveloperCommented:
You're looking at single sign-on.  You can use ADFS to achieve that:

https://technet.microsoft.com/en-us/library/hh305235(v=office.14).aspx
0
 
Duy PhamFreelance IT ConsultantAuthor Commented:
@Kyle:  Sorry for not to make the question clear that we are looking for a solution without AD FS. It is not because we can't use AD FS. We actually have used AD FS since 2013 for several applications, but this request came from a customer whose IT Department would prefer a solution where they don't have to setup and re-configure their SharePoint Servers using AD FS.

Is there any other option to pass through logged-in user identity from SharePoint Server to external Federated Search Source? We have tried different Credentials option with Federated Locations but none of them works even when testing internally.
0
 
Kyle AbrahamsSenior .Net DeveloperCommented:
Are they both hosted on the same server?  And just to confirm the Sharepoint site is using windows authentication as well?

I found a little bit more info here:
https://social.msdn.microsoft.com/Forums/en-US/f38b4ea1-ab7e-4d55-b64f-01d6db8b02ab/pass-user-credentials-between-sharepoint-web-application-and-aspnet-web-application?forum=sharepointdevelopmentlegacy

But haven't tried anything without adfs.

Just another thought.  It's possible to grab the current user in sharepoint.  You could have a public landing page that accepts the user as an input parameter.  For security I would create a token (guid) that was stored in the DB.

The flow would be:

Sharepoint -> Create Token (stored in DB), Get User -> Redirect anonymous page in application, passing username & token.

Landing page -> Check token against DB, make sure it's still active compared to the user.  If both succeed -> Login () else -> Fail();

I've mimicked SSO for non adfs applications like that in the past.
1
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Duy PhamFreelance IT ConsultantAuthor Commented:
@Kyle: No they are not on the same server. And SharePoint does use Windows Authentication. Maybe we need to configure Kerberos Delegation?

We are actually working on the solution to pass SharePoint User as input parameter to ASP.NET Web Application :). But to be honest, I don't prefer this solution because kinda the same as using AD FS, SharePoint Servers needs to be manually modified with an extra extension page to grab and pass user to ASP.NET Web Application.
0
 
Kyle AbrahamsSenior .Net DeveloperCommented:
Kerberos Delegation should work in that case.   Something to look into and understood about re-inventing the wheel.

Here's a guide for Kerberos Setup in Sharepoint:
https://blog.blksthl.com/2012/09/26/the-final-kerberos-guide-for-sharepoint-technicians/

and for the website:
https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

I would think they need to have the same service account for the SPN . . . but I run all my apps under a service account anyway.  Not sure if your client has restrictions regarding that.
0
 
Walter CurtisSharePoint AEDCommented:
You description of your problem seems to be somewhat confusing, but this may be what you are looking for;

It is possible to use an alternative authentication account when content is searched in SharePoint. That is achieved via the Search Service Administration of Central Administration. Create a search content source as usual, (also applies for federated searches.) Once the content source is created, create a crawl rule, specifying the account to use for the URL that needs to use a different account. (See screen shot).

Keep in mind that this account will only be able to crawl what the account has access to. If you have a security layer on your asp.net application that is using the same domain and users as SharePoint, the search results page will trim those results to show only what the user has access to. This needs to be completely tested however because the application may not be configured correctly to work with SharePoint security trimming.

Hope that helps...
SpecifyAuthentication.png
0
 
Duy PhamFreelance IT ConsultantAuthor Commented:
@Kyle: We have succeeded to configure to pass-through SharePoint authentication to my web application. It turns out to be that we only need to configure for Kerberos Delegation particularly for Application Pool Identity running the web application.

@SneekCo: Thanks for your help, but neither security trimming nor fixed search account could cover our needs.
0
 
Duy PhamFreelance IT ConsultantAuthor Commented:
Kyle's recommendation is exactly what we are going for since we need to transform (SharePoint) Windows Credentials to SAML based security token for consuming claims-based search service.
0
 
Walter CurtisSharePoint AEDCommented:
Glad you got it working...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now