Solved

Is it possible to pass through authentication to federated search source in SharePoint Server 2010/2013?

Posted on 2016-10-07
9
128 Views
Last Modified: 2016-10-15
We have a SharePoint Server 2010 installed internally and another ASP.NET web application using Windows Authentication (same domain and same set of users as SharePoint). We want to configure ASP.NET web application as an external federated search source on SharePoint, it is running fine with Anonymous authentication for configured Federated Locations (using OpenSearch 1.0/1.1 protocol).

However, we would like to configure SharePoint to pass through or authenticate the ASP.NET web application using the same user account logged on SharePoint Sites. But we haven't found any way to do it yet.

Is that possible? And how to achieve that?
0
Comment
Question by:Duy Pham
  • 4
  • 3
  • 2
9 Comments
 
LVL 40

Expert Comment

by:Kyle Abrahams
ID: 41834209
You're looking at single sign-on.  You can use ADFS to achieve that:

https://technet.microsoft.com/en-us/library/hh305235(v=office.14).aspx
0
 
LVL 10

Author Comment

by:Duy Pham
ID: 41834335
@Kyle:  Sorry for not to make the question clear that we are looking for a solution without AD FS. It is not because we can't use AD FS. We actually have used AD FS since 2013 for several applications, but this request came from a customer whose IT Department would prefer a solution where they don't have to setup and re-configure their SharePoint Servers using AD FS.

Is there any other option to pass through logged-in user identity from SharePoint Server to external Federated Search Source? We have tried different Credentials option with Federated Locations but none of them works even when testing internally.
0
 
LVL 40

Accepted Solution

by:
Kyle Abrahams earned 500 total points
ID: 41834351
Are they both hosted on the same server?  And just to confirm the Sharepoint site is using windows authentication as well?

I found a little bit more info here:
https://social.msdn.microsoft.com/Forums/en-US/f38b4ea1-ab7e-4d55-b64f-01d6db8b02ab/pass-user-credentials-between-sharepoint-web-application-and-aspnet-web-application?forum=sharepointdevelopmentlegacy

But haven't tried anything without adfs.

Just another thought.  It's possible to grab the current user in sharepoint.  You could have a public landing page that accepts the user as an input parameter.  For security I would create a token (guid) that was stored in the DB.

The flow would be:

Sharepoint -> Create Token (stored in DB), Get User -> Redirect anonymous page in application, passing username & token.

Landing page -> Check token against DB, make sure it's still active compared to the user.  If both succeed -> Login () else -> Fail();

I've mimicked SSO for non adfs applications like that in the past.
1
 
LVL 10

Author Comment

by:Duy Pham
ID: 41834388
@Kyle: No they are not on the same server. And SharePoint does use Windows Authentication. Maybe we need to configure Kerberos Delegation?

We are actually working on the solution to pass SharePoint User as input parameter to ASP.NET Web Application :). But to be honest, I don't prefer this solution because kinda the same as using AD FS, SharePoint Servers needs to be manually modified with an extra extension page to grab and pass user to ASP.NET Web Application.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 40

Expert Comment

by:Kyle Abrahams
ID: 41834426
Kerberos Delegation should work in that case.   Something to look into and understood about re-inventing the wheel.

Here's a guide for Kerberos Setup in Sharepoint:
https://blog.blksthl.com/2012/09/26/the-final-kerberos-guide-for-sharepoint-technicians/

and for the website:
https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

I would think they need to have the same service account for the SPN . . . but I run all my apps under a service account anyway.  Not sure if your client has restrictions regarding that.
0
 
LVL 15

Expert Comment

by:Walter Curtis
ID: 41834634
You description of your problem seems to be somewhat confusing, but this may be what you are looking for;

It is possible to use an alternative authentication account when content is searched in SharePoint. That is achieved via the Search Service Administration of Central Administration. Create a search content source as usual, (also applies for federated searches.) Once the content source is created, create a crawl rule, specifying the account to use for the URL that needs to use a different account. (See screen shot).

Keep in mind that this account will only be able to crawl what the account has access to. If you have a security layer on your asp.net application that is using the same domain and users as SharePoint, the search results page will trim those results to show only what the user has access to. This needs to be completely tested however because the application may not be configured correctly to work with SharePoint security trimming.

Hope that helps...
SpecifyAuthentication.png
0
 
LVL 10

Author Comment

by:Duy Pham
ID: 41844653
@Kyle: We have succeeded to configure to pass-through SharePoint authentication to my web application. It turns out to be that we only need to configure for Kerberos Delegation particularly for Application Pool Identity running the web application.

@SneekCo: Thanks for your help, but neither security trimming nor fixed search account could cover our needs.
0
 
LVL 10

Author Closing Comment

by:Duy Pham
ID: 41844655
Kyle's recommendation is exactly what we are going for since we need to transform (SharePoint) Windows Credentials to SAML based security token for consuming claims-based search service.
0
 
LVL 15

Expert Comment

by:Walter Curtis
ID: 41844988
Glad you got it working...
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The System Center Operations Manager 2012, known as SCOM, is a part of the Microsoft system center product that provides the user with infrastructure monitoring and application performance monitoring. SCOM monitors:   Windows or UNIX/LinuxNetwo…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now