Solved

Is it possible to pass through authentication to federated search source in SharePoint Server 2010/2013?

Posted on 2016-10-07
9
96 Views
Last Modified: 2016-10-15
We have a SharePoint Server 2010 installed internally and another ASP.NET web application using Windows Authentication (same domain and same set of users as SharePoint). We want to configure ASP.NET web application as an external federated search source on SharePoint, it is running fine with Anonymous authentication for configured Federated Locations (using OpenSearch 1.0/1.1 protocol).

However, we would like to configure SharePoint to pass through or authenticate the ASP.NET web application using the same user account logged on SharePoint Sites. But we haven't found any way to do it yet.

Is that possible? And how to achieve that?
0
Comment
Question by:Duy Pham
  • 4
  • 3
  • 2
9 Comments
 
LVL 39

Expert Comment

by:Kyle Abrahams
Comment Utility
You're looking at single sign-on.  You can use ADFS to achieve that:

https://technet.microsoft.com/en-us/library/hh305235(v=office.14).aspx
0
 
LVL 10

Author Comment

by:Duy Pham
Comment Utility
@Kyle:  Sorry for not to make the question clear that we are looking for a solution without AD FS. It is not because we can't use AD FS. We actually have used AD FS since 2013 for several applications, but this request came from a customer whose IT Department would prefer a solution where they don't have to setup and re-configure their SharePoint Servers using AD FS.

Is there any other option to pass through logged-in user identity from SharePoint Server to external Federated Search Source? We have tried different Credentials option with Federated Locations but none of them works even when testing internally.
0
 
LVL 39

Accepted Solution

by:
Kyle Abrahams earned 500 total points
Comment Utility
Are they both hosted on the same server?  And just to confirm the Sharepoint site is using windows authentication as well?

I found a little bit more info here:
https://social.msdn.microsoft.com/Forums/en-US/f38b4ea1-ab7e-4d55-b64f-01d6db8b02ab/pass-user-credentials-between-sharepoint-web-application-and-aspnet-web-application?forum=sharepointdevelopmentlegacy

But haven't tried anything without adfs.

Just another thought.  It's possible to grab the current user in sharepoint.  You could have a public landing page that accepts the user as an input parameter.  For security I would create a token (guid) that was stored in the DB.

The flow would be:

Sharepoint -> Create Token (stored in DB), Get User -> Redirect anonymous page in application, passing username & token.

Landing page -> Check token against DB, make sure it's still active compared to the user.  If both succeed -> Login () else -> Fail();

I've mimicked SSO for non adfs applications like that in the past.
1
 
LVL 10

Author Comment

by:Duy Pham
Comment Utility
@Kyle: No they are not on the same server. And SharePoint does use Windows Authentication. Maybe we need to configure Kerberos Delegation?

We are actually working on the solution to pass SharePoint User as input parameter to ASP.NET Web Application :). But to be honest, I don't prefer this solution because kinda the same as using AD FS, SharePoint Servers needs to be manually modified with an extra extension page to grab and pass user to ASP.NET Web Application.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 39

Expert Comment

by:Kyle Abrahams
Comment Utility
Kerberos Delegation should work in that case.   Something to look into and understood about re-inventing the wheel.

Here's a guide for Kerberos Setup in Sharepoint:
https://blog.blksthl.com/2012/09/26/the-final-kerberos-guide-for-sharepoint-technicians/

and for the website:
https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

I would think they need to have the same service account for the SPN . . . but I run all my apps under a service account anyway.  Not sure if your client has restrictions regarding that.
0
 
LVL 14

Expert Comment

by:SneekCo
Comment Utility
You description of your problem seems to be somewhat confusing, but this may be what you are looking for;

It is possible to use an alternative authentication account when content is searched in SharePoint. That is achieved via the Search Service Administration of Central Administration. Create a search content source as usual, (also applies for federated searches.) Once the content source is created, create a crawl rule, specifying the account to use for the URL that needs to use a different account. (See screen shot).

Keep in mind that this account will only be able to crawl what the account has access to. If you have a security layer on your asp.net application that is using the same domain and users as SharePoint, the search results page will trim those results to show only what the user has access to. This needs to be completely tested however because the application may not be configured correctly to work with SharePoint security trimming.

Hope that helps...
SpecifyAuthentication.png
0
 
LVL 10

Author Comment

by:Duy Pham
Comment Utility
@Kyle: We have succeeded to configure to pass-through SharePoint authentication to my web application. It turns out to be that we only need to configure for Kerberos Delegation particularly for Application Pool Identity running the web application.

@SneekCo: Thanks for your help, but neither security trimming nor fixed search account could cover our needs.
0
 
LVL 10

Author Closing Comment

by:Duy Pham
Comment Utility
Kyle's recommendation is exactly what we are going for since we need to transform (SharePoint) Windows Credentials to SAML based security token for consuming claims-based search service.
0
 
LVL 14

Expert Comment

by:SneekCo
Comment Utility
Glad you got it working...
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

We had a requirement to extract data from a SharePoint 2010 Customer List into a CSV file and then place the CSV file into a directory on the network so that the file could be consumed by an AS400 system. I will share in Part 1 how to Extract the Da…
The System Center Operations Manager 2012, known as SCOM, is a part of the Microsoft system center product that provides the user with infrastructure monitoring and application performance monitoring. SCOM monitors:   Windows or UNIX/LinuxNetwo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now