Question

We have a SharePoint 2013 web application configured to use Windows/NTLM and a Trusted Identity Provider (ADFS) on the same default zone. If I perform a search as a windows user, I see results. If I perform a search when logged in as an ADFS user, I see no results.

The 2 user accounts I am using to test are in the Owners group. Both can actually browse to the files that I expect to see in the results. The libraries do not have content approval enabled so no need to publish.

I've tried full crawls, and even reset the index and recrawled. I turned logging up to verbose and ran a few queries. I couldn't find anything relevant in the logs, especially about permissions or access. The crawl logs look good too, but obviously things are getting crawled because the windows user gets lots of results.

The ADFS claim was added to the Owners group using LDAPCP from CodePlex. User Profiles are importing fine as far as I can tell. User profiles exist for both my users.

Another thing I tried was setting "ForceClaimACLs" on the search service application as recommended in Search indexing but not returning results in Claims authenticated web apps.

Update:

Based on the suggestion by @kesava, I have reconfigured my web application to have 2 zones. The default zone just uses windows auth and search crawls this. The intranet zone uses ADFS only. This hasn't made a difference as far as I can tell.

I have noticed a new message in ULS but I am not sure if it is relevant. During the query processing it says "IdentityClaim from STS differs from known type". I haven't found any solutions based on this yet. Based on what I have read, this might be because the claim my STS is providing (windowsaccountname) is "undocumented".

I will continue to examine the ULS logs to see if I can tell what is causing no results.

Any suggestions on how I can troubleshoot this further?

Solution 2

This has been resolved by deleting the web application and search service application and recreating them from scratch. Search results now appear as expected for both ADFS and windows users.

I'm not really sure why it wasn't working because I wasn't able to recreate the issue in a different farm.

Also, it turns out the error "IdentityClaim from STS differs from known type" was irrelevant. I still get that even though I am getting results. I think the reason for that warning is that we are using "windowsaccountname" as the identity claim but it is not one of SharePoint's built in claim types. Try running Get-SPClaimTypeEncoding in PowerShell and you won't see it there.

Other tips

My suggestion for this kind of environment is to have an extended web application in a separate zone and then configure the LDAP-based user authentication.

This is the more realistic way of handling LDAP or forms-based user authentication. So the default zone with Windows authentication will be used for search crawling as well as regular Windows-based AD login.

If that claim isn't listed you need to add it, or security trimming will occur for your ADFS users.
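The check described in Solution 2 and in the tip above, written out as an added example (not code from the original post or from SharePoint's own documentation): it reads the identity claim type configured on the trusted identity provider, looks it up in the farm's claim type encodings, and registers an encoding only if it is missing. The provider name "ADFS" and the candidate encoding characters are assumptions; adjust them for your farm.

```powershell
# Added example, not from the original post. Run in the SharePoint 2013 Management Shell
# (or load the snap-in as below) on a farm server, as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the Trusted Identity Provider is registered in SharePoint under the name "ADFS".
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS"

# The claim SharePoint uses to identify the user, e.g.
# http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
$identityClaim = $issuer.IdentityClaimTypeInformation.InputClaimType
Write-Output "Identity claim type for '$($issuer.Name)': $identityClaim"

# Every encoded claim type the farm knows about, keyed by claim type URI.
$encodings = Get-SPClaimTypeEncoding
$known = $encodings | Where-Object { $_.ClaimType -eq $identityClaim }

if ($known) {
    Write-Output "Claim type is already encoded as '$($known.EncodingCharacter)'; no change needed."
} else {
    Write-Warning "Claim type '$identityClaim' has no registered encoding."

    # Assumption: a short list of candidate characters; pick the first one that is not already
    # in use by another claim type, so an existing mapping is never overwritten.
    $candidates = @('-', '+', '=', '~')
    $inUse = $encodings | ForEach-Object { [string]$_.EncodingCharacter }
    $free = $candidates | Where-Object { $inUse -notcontains $_ } | Select-Object -First 1

    if (-not $free) {
        throw "All candidate encoding characters are in use; extend the candidate list."
    }

    Write-Output "Registering encoding character '$free' for '$identityClaim'."
    New-SPClaimTypeEncoding -EncodingCharacter $free -ClaimType $identityClaim

    # Re-read to confirm the mapping is now visible farm-wide.
    Get-SPClaimTypeEncoding | Where-Object { $_.ClaimType -eq $identityClaim }
}
```

Compare the encoded form of the ADFS user's claim (for example the value shown by Get-SPUser on the site) before and after: once the claim type is encoded, search security trimming can match the crawled ACLs against the querying user's identity.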

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange