Searchresults from high trust add-in are missing

Question

I am writing a console app for the purpose of a remote timer job that is using the high trust app only add-in model to access SharePoint by using a certificate. This is test code I created for this example. The add-in works fine using certificates to log in. I only see unexpected behavior when running a search query. So for this example I am not providing all code.

I have 3 test sitecollections in my farm (test1, test2 and test3) When I execute this regular CSOM I get all the sites in my console:

        using (ClientContext clientContext = new ClientContext("http://test.local/test/site1"))
        {
            KeywordQuery query = new KeywordQuery(clientContext);
            query.QueryText = "Path:\"http://test.local/test/*\" AND ContentClass:STS_Site";
            query.RowLimit = 500;//max row limit is 500 for KeywordQuery
            query.SelectProperties.Add("Url");
            query.TrimDuplicates = false;
            SearchExecutor searchExecutor = new SearchExecutor(clientContext);
            ClientResult<ResultTableCollection> results = searchExecutor.ExecuteQuery(query);
            clientContext.ExecuteQuery();


            foreach (var item in results.Value[0].ResultRows)
            {
                Console.WriteLine(item["Url"].ToString());
            }
        }

Output:

• http://test.local/test/site1
• http://test.local/test/site2
• http://test.local/test/site3

Now I have this code snippet (I am using a certificate to connect)

        using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity("http://test.local/test/site1", currentUserWindowsIdentity))
        {
            KeywordQuery query = new KeywordQuery(clientContext);
            query.QueryText = "Path:\"http://test.local/test/*\" AND ContentClass:STS_Site";
            query.RowLimit = 500;//max row limit is 500 for KeywordQuery
            query.SelectProperties.Add("Url");
            query.TrimDuplicates = false;
            SearchExecutor searchExecutor = new SearchExecutor(clientContext);
            ClientResult<ResultTableCollection> results = searchExecutor.ExecuteQuery(query);
            clientContext.ExecuteQuery();
        }

The output in this case is only sitecollection 1

• http://test.local/test/site1

Any ideas why I get only 1 result? The add in has full control persmissions on all three sitecollections. When I change the url:

        using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity("http://test.local/test/site2", currentUserWindowsIdentity))

I only see:

• http://test.local/test/site2

as the result

Update

When I use the root sitecollection url like:

        using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity("http://test.local", currentUserWindowsIdentity))

I do get all the three sites. Is this expected behaviour?

Update

When searching in the sitecollections through the searchbox I get all sitecollections in my result.

Answer 1

I ended up giving the App principal full control on my tenant with this powershell script.

$absoluteWebApplicationUrl = https://localhost

    if(-not $absoluteWebApplicationUrl.EndsWith('/')) {
        $absoluteWebApplicationUrl = "$absoluteWebApplicationUrl/"
}

$AppName = "Provider Placeholder App"
$clientID = "bfeae944-65cb-4335-9ce4-7c024183c465"  
$authRealm = Get-SPAuthenticationRealm -ServiceContext $absoluteWebApplicationUrl;
$AppIdentifier = $clientID  + '@' + $authRealm;

Register-SPAppPrincipal -NameIdentifier $AppIdentifier -Site $absoluteWebApplicationUrl -DisplayName $AppName | Out-Null
Write-Verbose "     *App Registered" -Verbose

$appPrincipal = Get-SPAppPrincipal -NameIdentifier $AppIdentifier -Site $absoluteWebApplicationUrl
if($null -ne $appPrincipal) {
    #Remove-SPAppPrincipalPermission -appPrincipal $appPrincipal -site $absoluteWebApplicationUrl -Scope Site
    Remove-SPAppPrincipalPermission -Site $absoluteWebApplicationUrl -AppPrincipal $appPrincipal -Scope SiteSubscription   | Out-Null
    Write-Verbose "     *App Trust Removed" -Verbose
}

#Set-SPAppPrincipalPermission -Site $absoluteWebApplicationUrl -AppPrincipal $appPrincipal -Scope Site -Right FullControl -EnableAppOnlyPolicy | Out-Null
Set-SPAppPrincipalPermission -Site $absoluteWebApplicationUrl -AppPrincipal $appPrincipal -Scope SiteSubscription -Right FullControl -EnableAppOnlyPolicy | Out-Null    
Write-Verbose "     *App Trust Added" -Verbose

The -Scope parm is key. Setting this to SiteSubscription gives the principal full control on the webapplication. In my case all the site collections on my webapp. In my case I can do this. For setting the permissions per site collection use -scope SiteCollection or -scope site

Answer 2

This could have something to do with the Search Result Source or "Search Scope" for each site collection being specific to itself, whereas the "root" site collection has a scope that defines all site collections.

If you go to the site collections themselves and perform a query via the interface, do you see the same behaviour?

If so, you could probably update the search result source/scope to include all site collections like the root has.