Impersonated Searching against SharePoint

by Vishal 5. November 2013 08:59
Like many typical deployments of SharePoint 2010 and FAST Search Server for SharePoint 2010, the one I've been dealing with recently has a search center that uses Kerberos authentication.
 
Consider the following scenario where you have a client web application that uses the SharePoint (with FAST) search service to perform searches and publish the results to users.
 
User -----------> Client Web App ------------> SharePoint
 
In a typical intranet scenario, the user authenticates to the Client Web App using windows authentication. The client then needs to pass the user identity through to the backend SharePoint search service in order to provide the security trimmed results back to the user.
 
The out-of-the-box way to do this with SharePoint is to set up Kerberos authentication for the Client Web App and for the SharePoint search center: register SPNs for the domain identity that runs the client web app's app pool and grant that identity delegation rights. That way, the user authenticates to the client web app and the app pool identity delegates that Kerberos ticket on to SharePoint when calling the search service. This works, but setting up Kerberos is tricky. The other disadvantage I've seen is that this works great when the user's browser is IE, since IE supports NTLM authentication for the intranet by default. For users on Linux systems or Macs, or using browsers like Firefox and Chrome, NTLM authentication is tricky and requires browser-specific configuration to make it work.
 
Fortunately there’s another way we can make this scenario work but it does require custom development. We can make SharePoint impersonate a user when performing a search using a trusted identity. Here your client web application will be running as the trusted domain identity that will be allowed to impersonate a user.
 
On the SharePoint side, we can create a solution that deploys a web service that performs an impersonated search on behalf of a user using the object model. The client application can then call this new service instead of the out-of-the-box search.asmx.
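The following is an added example (not code from the original post) of what the calling side in the client web app looks like. It assumes the service is deployed at /_vti_bin/ImpersonatedSearch.asmx on the search center and that SearchServiceProxy, SortProperty and SortDirection are the proxy types generated from the asmx with "Add Web Reference"; all of those names are assumptions. The point it makes is that the user name handed to the service comes from the principal the client web app itself authenticated, never from a request parameter, and that the proxy authenticates to the service as the app pool identity, which is the trusted account the service checks.

```csharp
using System;
using System.Data;
using System.Net;
using System.Web;

namespace ClientWebApp
{
    // Added example. SearchServiceProxy, SortProperty and SortDirection are assumed to be the
    // proxy types generated from the impersonated-search asmx; the URL is an assumed deployment path.
    public static class SearchClient
    {
        private const string ServiceUrl = "https://searchcenter.domain.com/_vti_bin/ImpersonatedSearch.asmx";

        // sAMAccountName of the user the client web app authenticated, taken from the
        // authenticated principal rather than from anything the browser sent as a parameter.
        public static string CurrentUserName(HttpContext ctx)
        {
            if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
                throw new UnauthorizedAccessException("Search requires an authenticated user.");

            string name = ctx.User.Identity.Name;          // Windows auth gives "DOMAIN\user"
            int slash = name.LastIndexOf('\\');
            return slash >= 0 ? name.Substring(slash + 1) : name;
        }

        public static DataTable Search(HttpContext ctx, string queryText, int startIndex, int pageSize)
        {
            SearchServiceProxy proxy = new SearchServiceProxy();
            proxy.Url = ServiceUrl;
            // The app pool runs as the trusted domain account; DefaultNetworkCredentials makes the
            // proxy authenticate to the asmx as that account, which is what the service checks
            // before it agrees to impersonate the named user.
            proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
            proxy.PreAuthenticate = true;

            string[] fields = new string[] { "Title", "Path", "HitHighlightedSummary" };
            SortProperty[] sort = new SortProperty[]
            {
                new SortProperty { Name = "Rank", Direction = SortDirection.Descending }
            };

            return proxy.TrustedImpersonatedQuery(CurrentUserName(ctx), queryText, fields, sort, startIndex, pageSize);
        }
    }
}
```

If the client web app's app pool is not running as the trusted account, the service falls through to an unimpersonated search and the results will not be trimmed for the end user, so checking the app pool identity is the first thing to verify when results look wrong.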
 
Here is the code for the web service that will do impersonated searches:
    using System;
    using System.Data;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Services;
    using Microsoft.Office.Server.Search.Query;
    using Microsoft.SharePoint;

    namespace ImpersonatedSearch
    {
        [WebService(Namespace = "http://tempuri.org/")]
        public class SearchService : WebService
        {
            // Only requests authenticated as this account may search on behalf of another user.
            private const string TRUSTED_ACCOUNT = @"domain.com\trustedserviceaccount";
            private const string SEARCH_SITECOLLECTION = "https://searchcenter.domain.com/";

            [WebMethod]
            public DataTable TrustedImpersonatedQuery(string UserName, string QueryText, string[] ReturnFields, SortProperty[] SortFields, int StartIndex, int PageSize)
            {
                DataTable dt = null;
                // Identity the caller authenticated to this web service with (Windows authentication on the asmx).
                string NTAccount = HttpContext.Current.User.Identity.Name.ToLower();
                if (NTAccount.Equals(TRUSTED_ACCOUNT)) // only do impersonation if the search is requested by the trusted account
                {
                    SPSecurity.RunWithElevatedPrivileges(delegate()
                    {
                        // Builds a token for the named user from its UPN via Kerberos S4U (protocol transition);
                        // no password is involved, which is why this path is restricted to the trusted caller.
                        using (WindowsIdentity impersonatedIdentity = new WindowsIdentity(UserName + "@domain.com"))
                        {
                            using (WindowsImpersonationContext wic = impersonatedIdentity.Impersonate())
                            {
                                // The object model now sees the impersonated user, so results are trimmed for that user.
                                dt = Query(QueryText, ReturnFields, SortFields, StartIndex, PageSize);
                            }
                        }
                    });
                }
                else // any other caller gets an unimpersonated search as themselves
                {
                    dt = Query(QueryText, ReturnFields, SortFields, StartIndex, PageSize);
                }
                return dt;
            }

            private DataTable Query(string QueryText, string[] ReturnFields, SortProperty[] SortFields, int StartIndex, int PageSize)
            {
                DataTable dt = null;
                using (SPSite SearchSiteCollection = new SPSite(SEARCH_SITECOLLECTION))
                {
                    using (KeywordQuery kq = new KeywordQuery(SearchSiteCollection))
                    {
                        kq.ResultsProvider = SearchProvider.FASTSearch;
                        kq.SelectProperties.AddRange(ReturnFields);
                        kq.EnableFQL = false;

                        // Map the service's own SortDirection onto the search object model's enum by name.
                        foreach (SortProperty s in SortFields)
                        {
                            kq.SortList.Add(s.Name, (Microsoft.Office.Server.Search.Query.SortDirection)Enum.Parse(typeof(Microsoft.Office.Server.Search.Query.SortDirection), s.Direction.ToString()));
                        }

                        kq.RowLimit = PageSize;
                        kq.StartRow = StartIndex;
                        kq.QueryText = QueryText;
                        kq.ResultTypes |= ResultType.RelevantResults;
                        dt = kq.Execute()[ResultType.RelevantResults].Table;
                        // Carry the total hit count back to the client alongside the page of rows.
                        dt.ExtendedProperties.Add("TotalResults", kq.QueryInfo.TotalResults);
                    }
                }
                return dt;
            }
        }

        // Sort direction as exposed by this service (kept separate from the search object model's enum).
        public enum SortDirection
        {
            Ascending,
            Descending
        }

        public class SortProperty
        {
            public string Name;
            public SortDirection Direction;
        }
    }
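The service above trusts its caller on the strength of a lower-cased account-name comparison, accepts any string as the name to impersonate, and silently falls back to an unimpersonated query when the caller is not trusted. The following is an added example (not code from the original post) of a stricter caller check that the TrustedImpersonatedQuery method could call before impersonating. It is hypothetical: the CallerPolicy class, the TrustedCallerSid web.config key and the trace source name are all assumptions.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web.Services.Protocols;

namespace ImpersonatedSearch
{
    // Added, hypothetical helper: decides whether a request may trigger impersonation
    // and validates the account name it is asked to impersonate.
    public static class CallerPolicy
    {
        // Assumption: the trusted caller's SID is stored in web.config under this key, e.g.
        //   <add key="TrustedCallerSid" value="S-1-5-21-...-1234"/>
        // A SID survives account renames and avoids case and "DOMAIN\user" vs "user@domain" issues.
        // If the key is missing the constructor throws, so a misconfigured service fails closed.
        private static readonly SecurityIdentifier TrustedSid =
            new SecurityIdentifier(ConfigurationManager.AppSettings["TrustedCallerSid"]);

        // sAMAccountName only: letters, digits, '.', '_' and '-', at most 20 characters. This rejects
        // '@', '\' and whitespace, so the UPN the service builds (UserName + "@domain.com") cannot be
        // steered to a different realm or account form by the caller.
        private static readonly Regex SamAccountName =
            new Regex(@"^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$", RegexOptions.Compiled);

        private static readonly TraceSource Audit = new TraceSource("ImpersonatedSearch");

        public static bool IsTrustedCaller(IPrincipal caller)
        {
            WindowsIdentity identity = caller == null ? null : caller.Identity as WindowsIdentity;
            if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
                return false;
            // Compare the SID of the authenticated token, not the display name.
            return identity.User != null && identity.User.Equals(TrustedSid);
        }

        public static bool IsValidUserName(string userName)
        {
            return !string.IsNullOrEmpty(userName) && SamAccountName.IsMatch(userName);
        }

        // Raises a SOAP fault instead of quietly running an unimpersonated query, and writes an
        // audit record for every impersonation decision so misuse of the trusted account is visible.
        public static void Authorize(IPrincipal caller, string userName)
        {
            string callerName = (caller != null && caller.Identity != null) ? caller.Identity.Name : "<none>";

            if (!IsTrustedCaller(caller))
            {
                Audit.TraceEvent(TraceEventType.Warning, 1, "Impersonation refused for caller {0}", callerName);
                throw new SoapException("Caller is not permitted to impersonate.", SoapException.ClientFaultCode);
            }
            if (!IsValidUserName(userName))
            {
                Audit.TraceEvent(TraceEventType.Warning, 2, "Rejected user name '{0}' from caller {1}", userName, callerName);
                throw new SoapException("Invalid user name.", SoapException.ClientFaultCode);
            }

            Audit.TraceEvent(TraceEventType.Information, 3, "Caller {0} impersonating {1}", callerName, userName);
        }
    }
}
```

With this in place the first line of TrustedImpersonatedQuery becomes CallerPolicy.Authorize(HttpContext.Current.User, UserName), and the else branch goes away: a caller that is not the trusted account gets a fault rather than a result set, which is easier to notice than results that are merely trimmed for the wrong identity.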


.NET | ASP.Net | C# | MOSS | Sharepoint
