Claims Authenticated Web Application Site Contents Not Crawling and Indexing on Search Results in SharePoint 2013

Sathish Nadarajan
 
Solution Architect
March 24, 2014
 

In this article, let us discuss a strange behavior of SharePoint 2013 Search.

i.e., the Search Results were not fetching the contents available in a Claims Authenticated Web Application. A warning to this effect is shown at the time of modifying the Authentication Provider itself.

But even then, for some security reasons, we are going with Claims Authentication. At that time, we need our site contents to be crawled and displayed in the Search Results. Let us see a quick workaround for this and then feel how easy it is.

Basically, what we are going to do is,

1. Extend the Claims Authenticated Web Application into a Windows Authenticated Web Application.

2. On the Content Source, give the Extended WebApplication as the Source.

3. Create a new mapping on the Server Name Mappings.

Let us see how to do these things step by step.

1. Log in to another web application and do a trial search. This is to make sure that search is configured properly.

2. The results are displayed as expected.

3. Now go to the claims based site.

4. Add a test document.

5. Do a full crawl. Even after a full crawl, the document will not get listed in the Search Results.

6. Go to Central Administration.

7. Click Manage Web Applications.

8. Select the ClaimsBasedSite web application and Extend it.

9. Now, we need to map this web application also to a certificate, since this is an SSL enabled web application.

10. Now we have completed the Extension step. Let us go to the Server Name Mappings.

11. Go to Central Administration -> Manage Service Applications -> Search Service Application.

12. Click Server Name Mappings in the left-hand navigation.

13. Select New Mapping.

14. Address for indexing: your friendly URL, which the users access.

15. Address for display in search results: the URL with the machine name.

16. Reset the index data from the Search Service Application.

17. Restart the Search Services.

18. Run a full crawl.

19. Search for the content.

20. Now the content will be displayed properly.
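The same procedure scripted with the SharePoint 2013 Management Shell, as an added example that is not part of the article: it extends the claims web application into a Windows-authenticated crawl zone (steps 8 to 10), points the content source at that zone (step 2 of the outline) and runs the full crawl (steps 17 and 18). The URLs, host name, zone and content source name are placeholders; the Server Name Mapping itself (steps 11 to 15) is still added in Central Administration as the article shows.

```powershell
# Added example, not from the article. Placeholders: claims URL, crawl host, zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$claimsUrl = "https://claimssite.contoso.local"   # zone the users log in to (claims)
$crawlHost = "spcrawl.contoso.local"              # host header reserved for the crawler
$crawlUrl  = "http://$crawlHost"
$zone      = [Microsoft.SharePoint.Administration.SPUrlZone]::Intranet

$wa = Get-SPWebApplication -Identity $claimsUrl

# Step 8: extend the claims web application into a second zone that uses Windows
# (NTLM) authentication, which the crawler's content access account can use.
if (-not $wa.IisSettings.ContainsKey($zone)) {
    $winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
    New-SPWebApplicationExtension -Identity $wa -Name "ClaimsBasedSite - Crawl Zone" -Zone $zone `
        -Port 80 -HostHeader $crawlHost -URL $crawlUrl -AuthenticationProvider $winAuth | Out-Null
}
# The extended zone is plain HTTP with NTLM: keep it off the user-facing DNS and load
# balancer so only the crawler and administrators reach it, and map it back to
# $claimsUrl in Server Name Mappings (steps 11-15) so results point users to the
# claims zone, where security trimming applies to their ADFS identity.

# Step 2 / 10: crawl the extended zone instead of the claims zone.
$ssa = Get-SPEnterpriseSearchServiceApplication
$cs  = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity "Local SharePoint sites"
$claimsAddr = ([System.Uri]$claimsUrl).AbsoluteUri
$crawlAddr  = ([System.Uri]$crawlUrl).AbsoluteUri
$addresses  = @(@($cs.StartAddresses | ForEach-Object { $_.AbsoluteUri }) |
    Where-Object { $_ -ne $claimsAddr })
if ($addresses -notcontains $crawlAddr) { $addresses += $crawlAddr }
Set-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity $cs `
    -StartAddresses ($addresses -join ",")

# Steps 17-18: full crawl of the updated content source, polling until it is idle again.
$cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity "Local SharePoint sites"
$cs.StartFullCrawl()
while ($cs.CrawlStatus -ne [Microsoft.Office.Server.Search.Administration.CrawlStatus]::Idle) {
    Start-Sleep -Seconds 30
    $cs = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity "Local SharePoint sites"
}
"Crawl finished: {0} items from {1}" -f $cs.SuccessCount, (($cs.StartAddresses | ForEach-Object { $_.AbsoluteUri }) -join ", ")
```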

Happy Coding.

Sathish Nadarajan.

Category : Search, SharePoint

Author Info

Sathish Nadarajan
 
Solution Architect
 
Sathish is a Microsoft MVP for SharePoint (Office Servers and Services) having 15+ years of experience in Microsoft Technologies. He holds a Masters Degree in Computer Aided Design and Business ...read more
 

How to Provide Custom Attribute as a Claim from ADFS in SharePoint 2013 using PowerShell

Sathish Nadarajan
 
Solution Architect
March 9, 2014
 

In the previous article, we saw how to add custom attributes to Active Directory. In this article, let us see how to use those attributes as Claims through ADFS. We already saw how to add claims to ADFS as part of Configuring ADFS as an authentication provider here. Please refer to that if you have not read it already.

To refresh, we added maritalStatus as an attribute in the previous article. On our SharePoint site, we want this maritalStatus as a Claim after logging into the site.

Now, the steps are

1. Configure the new claims on the ADFS Server.

2. Delete the TrustedIdentityTokenIssuer.

3. Create the SPClaimTypeEncoding for the new claim value.

4. Create a new TrustedIdentityTokenIssuer with the new encoded claim value.

5. Map the SharePoint site to the newly created TrustedIdentityTokenIssuer.

Let us see them one by one.

1. Configure the new claims on the ADFS Server.

We need to add the claim description. For that, log in to the ADFS Server and open the ADFS Management console. By default, only the built-in claim descriptions are listed.

Now, we are going to add our claim description.

Right click on Claim Descriptions and click Add Claim Description.

Enter the values for the new claim (the name MaritalStatus and the claim type http://ss.loc/maritalstatus, which we will also use on the SharePoint side) and click OK. The claim description will get added and now appears in the list.

Now, we need to add the newly added claim to the claim rules of the web application, i.e., the Relying Party Trust.

Select Relying Party Trusts, select the web application, and click Edit Claim Rules. Add a rule that sends LDAP attributes as claims.

In the LDAP Attribute column, type MaritalStatus (the attribute we added to Active Directory), and in the Outgoing Claim Type drop-down select the MaritalStatus claim, which is listed because we added its claim description.

Click OK, and close this screen.

That’s it. We are done with the ADFS Server. Now, move back to our SharePoint Server.
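The ADFS-side steps above (claim description plus the LDAP issuance rule) scripted with the ADFS 2.0 PowerShell snap-in, as an added example that is not part of the article. It assumes ADFS 2.0 on the Windows Server 2008 R2 host the article uses, and the relying party trust name is a placeholder; the claim type is the one the article registers on the SharePoint side.

```powershell
# Added example, not from the article. Run on the ADFS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$claimType = "http://ss.loc/maritalstatus"   # same value passed to New-SPClaimTypeEncoding
$rpName    = "ADFSAuthenticatedSite"         # placeholder: name of the relying party trust

# 1. Claim description, so the type shows up in the Outgoing Claim Type drop-down
#    and is published as offered/accepted in the federation metadata.
if (-not (Get-ADFSClaimDescription | Where-Object { $_.ClaimType -eq $claimType })) {
    Add-ADFSClaimDescription -Name "MaritalStatus" -ClaimType $claimType `
        -IsOffered $true -IsAccepted $true -Notes "Custom AD attribute maritalStatus"
}

# 2. Issuance rule: emit the user's maritalStatus LDAP attribute as the custom claim.
#    This is the rule the "Send LDAP Attributes as Claims" template generates.
$ruleName = "Send maritalStatus as MaritalStatus claim"
$rule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "$ruleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$claimType"), query = ";maritalStatus;{0}", param = c.Value);
"@

$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($ruleName)) {
    # Append rather than replace, so the existing e-mail, UPN and role rules keep working.
    Set-ADFSRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $rule)
}

# Check: the rule set of the relying party now references the custom claim type.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules -match [regex]::Escape($claimType)
```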

2. Remove the existing TrustedIdentityTokenIssuer.

 Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq "win2008r2 claims provider"} | Remove-SPTrustedIdentityTokenIssuer

3. Remove the existing TrustedRootAuthority.

 Get-SPTrustedRootAuthority | where {$_.Name -eq "Token Signing Cert ADFSAuthenticatedSite"} | Remove-SPTrustedRootAuthority

4. Now, let us re-create everything with the encoding.

 Add-PSSnapin "Microsoft.SharePoint.PowerShell"

 # Remove the existing issuer and root authority so they can be re-created with the new claim
 Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq "win2008r2 claims provider"} | Remove-SPTrustedIdentityTokenIssuer
 Get-SPTrustedRootAuthority -Identity "Token Signing Cert ADFSAuthenticatedSite" | Remove-SPTrustedRootAuthority

 # Reserve an encoding character for the new claim type; SharePoint uses it in encoded login names
 $a = [char]0x02bc #700 - for Marital Status
 #$b = [char]0x02bd #701 - in case two more claims need to be added
 #$c = [char]0x02be #702 - in case two more claims need to be added

 New-SPClaimTypeEncoding -EncodingCharacter $a -ClaimType "http://ss.loc/maritalstatus" -Force
 #New-SPClaimTypeEncoding -EncodingCharacter $b -ClaimType "http://dc07.loc/v2/jobtitle" -Force      # in case two more claims need to be added
 #New-SPClaimTypeEncoding -EncodingCharacter $c -ClaimType "http://dc07.loc/v2/application" -Force   # in case two more claims need to be added

 # Token signing certificate exported from the ADFS server
 $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\WORK\Certificates\ADFSCert.cer")

 New-SPTrustedRootAuthority -Name "Token Signing Cert ADFSAuthenticatedSite" -Certificate $cert

 # Claim mappings: the existing three plus the new custom claim
 $map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

 $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

 $RoleClaimmap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

 $maritalStatusClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://ss.loc/maritalstatus" -IncomingClaimTypeDisplayName "MaritalStatus" -SameAsIncoming

 $realm = "urn:sharepoint:sathishserver.ss.loc:20003"

 $signInURL = "https://Win2008R2/adfs/ls"

 $sts = New-SPTrustedIdentityTokenIssuer -Name "win2008r2 claims provider" -Description "My Claims Provider" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$upnClaimMap,$RoleClaimmap,$maritalStatusClaimMap -SignInUrl $signInURL -IdentifierClaim $map.InputClaimType

 $sts
 

5. Now, map the created TrustedIdentityTokenIssuer to the web application.

In Central Administration, go to Manage Web Applications and select the web application.

Open Authentication Providers and select the Default zone.

On the Edit Authentication screen, we can see the newly created Identity Provider.

Select that and click Save. Nothing visible happens on the screen. Close this popup and try logging in to the site collection. It will ask for the ADFS authentication.

That’s it. Now, let us go back to our claims viewer web part. The newly added attribute will be listed as a claim on the screen.

 

Happy Coding.

Sathish Nadarajan.

 

How to Read claims of a User in SharePoint 2013

Sathish Nadarajan
 
Solution Architect
January 12, 2014
 

In this article, let us see how to retrieve the claims of a logged-in user in SharePoint 2013. To achieve that, let us create a web part, which will always be helpful while we develop applications based on claims.

Claims are nothing but specific pieces of information about a user. Let me give a brief background about claims and their usage. In one of our requirements, we were using ADFS for authentication. We have seen enough information about that in the previous posts. In addition to that, some properties needed to be configured in Active Directory itself, for example, which activities a user can perform on our portal. We kept that information as an attribute in Active Directory itself. The attribute name can be something like “Activity”; it is a multi-valued text attribute.

This Activity is passed to SharePoint 2013 by means of a claim, known as a custom claim. How to create a custom attribute and a custom claim we will see in the subsequent articles. Now, let us concentrate on how to read the claims from a SharePoint 2013 web part.

For ease, let us create a web part. In the CreateChildControls method, we are going to read the claims and bind them to a grid.

The first thing we need to do is get the IClaimsPrincipal object for the logged-in user.

 IClaimsPrincipal cp = Page.User as IClaimsPrincipal;

Now, based on the IClaimsPrincipal, we can get the IClaimsIdentity.

 IClaimsIdentity ci = (IClaimsIdentity)cp.Identity;

Now, based on the IClaimsIdentity, we can iterate over the Claims collection.

 foreach (Claim c in ci.Claims)
 {
     // each Claim exposes ClaimType and Value
 }

Very simple, right? The entire code for reading the claims and binding them to the grid is as follows.

 // Needs: Microsoft.SharePoint.WebControls (SPGridView, SPBoundField),
 // Microsoft.IdentityModel.Claims (IClaimsPrincipal, IClaimsIdentity, Claim),
 // System.Data, System.Web and System.Web.UI.WebControls.
 protected override void CreateChildControls()
 {
     try
     {
         // Get the claims principal of the logged-in user
         IClaimsPrincipal cp = Page.User as IClaimsPrincipal;
         if (cp != null)
         {
             DataRow dr;
             DataTable claimsTable = new DataTable();
             claimsTable.Columns.Add("Type", typeof(string));
             claimsTable.Columns.Add("Value", typeof(string));

             // Every claim issued for this user (identity, role and custom claims)
             IClaimsIdentity ci = (IClaimsIdentity)cp.Identity;
             foreach (Claim c in ci.Claims)
             {
                 dr = claimsTable.NewRow();
                 dr["Type"] = c.ClaimType;
                 dr["Value"] = c.Value ?? string.Empty;
                 claimsTable.Rows.Add(dr);
             }

             // Standard SPGridView to display our claims table
             SPGridView claimsGrid = new SPGridView();

             // This event handler is used to add the word-break style
             claimsGrid.RowDataBound += new GridViewRowEventHandler(claimsGrid_RowDataBound);

             // AutoGenerateColumns must be false for SPGridView
             claimsGrid.AutoGenerateColumns = false;
             claimsGrid.DataSource = claimsTable;

             SPBoundField boundField;

             boundField = new SPBoundField();
             boundField.HeaderText = "Type";
             boundField.HeaderStyle.HorizontalAlign = HorizontalAlign.Left;
             boundField.DataField = "Type";
             claimsGrid.Columns.Add(boundField);

             boundField = new SPBoundField();
             boundField.HeaderText = "Value";
             boundField.HeaderStyle.HorizontalAlign = HorizontalAlign.Left;
             boundField.DataField = "Value";
             claimsGrid.Columns.Add(boundField);

             for (int i = 0; i < claimsGrid.Columns.Count; i++)
             {
                 claimsGrid.Columns[i].ItemStyle.Wrap = true;
                 // Distribute the columns evenly
                 claimsGrid.Columns[i].ItemStyle.Width = Unit.Percentage(100 / claimsGrid.Columns.Count);
             }

             claimsGrid.DataBind();

             this.Controls.Add(claimsGrid);
         }
     }
     catch (Exception ex)
     {
         // HTML-encode before rendering so an exception message cannot inject markup into the page
         this.Controls.Add(new LiteralControl(HttpUtility.HtmlEncode(ex.Message)));
     }
 }

 // Applies a word-break style so long claim values (for example, group SIDs) wrap inside the cell
 void claimsGrid_RowDataBound(object sender, GridViewRowEventArgs e)
 {
     foreach (TableCell cell in e.Row.Cells)
     {
         cell.Style["word-break"] = "break-all";
     }
 }
 

Once the web part is created and deployed, we will be able to see it in the web part gallery. Add the web part to our page, and it will list the claim types and values of the logged-in user.

Download the source code HERE

Happy Coding.

Sathish Nadarajan.

 

How to Add more than One SharePoint 2013 WebApplication to a SPTrustedIdentityTokenIssuer on ADFS using PowerShell

Sathish Nadarajan
 
Solution Architect
December 12, 2013
 

In the previous posts, we saw how to make ADFS an Authentication Provider for our SharePoint 2013 WebApplication. But later, I faced an issue: the certificate which we export from the ADFS Server to create an IssuerID and TrustedIdentityTokenIssuer cannot be reused for other WebApplications. I.e., we cannot create more than one TrustedIdentityTokenIssuer in the SharePoint environment using the same certificate from the ADFS Server. At this point, I could find no other option for exporting a second certificate from the ADFS Server.

Hence, in the meanwhile, I came to the conclusion to use the existing TrustedIdentityTokenIssuer for the new WebApplication also. At that time, if you look, the script to create the TrustedIdentityTokenIssuer is as follows.

 

 Add-PSSnapin "Microsoft.SharePoint.PowerShell"

 #Import a token signing certificate by using Windows PowerShell
 $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\Sathish\ADFSCert.cer")

 New-SPTrustedRootAuthority -Name "Sathish Seven Token Signing Cert Parent" -Certificate $root

 $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Certs\Sathish\ADFSCert.cer")

 New-SPTrustedRootAuthority -Name "Sathish Seven Token Signing Cert" -Certificate $cert

 #the realm is tied to one web application: urn:sharepoint:<web application URL>
 $realm = "urn:sharepoint:MyWebApplicationURL"

 $signInURL = "https://MyADFSServerURL/adfs/ls"

 #create an identity claim(email) mapping
 $map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

 #create an identity claim(UPN) mapping
 $upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

 #create an identity claim(Role) mapping
 $RoleClaimmap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

 #creating a TrustedIdentityTokenIssuer
 #$ap = New-SPTrustedIdentityTokenIssuer -Name "Sathish Five Claims Provider" -Description "Sathish Identity Token Issuer" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$upnClaimMap,$RoleClaimmap -SignInUrl $signInURL -IdentifierClaim $map.InputClaimType
 

Here the parameter realm is attached to a particular WebApplication. What we need to do is add our new WebApplication URL too as a ProviderRealm. Basically, ProviderRealms is a collection of URLs; there we can add more than one WebApplication URL. The pattern should be “urn:sharepoint:WebApplicationURL”. The PowerShell script to achieve this is

 Add-PSSnapin "Microsoft.SharePoint.PowerShell"

 $sts = Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq "Sathish Five Claims Provider"}

 $uri = New-Object System.Uri("https://MyNewWebApplicationURL")

 $uri

 # Register the new web application URL and its realm on the existing issuer
 $sts.ProviderRealms.Add($uri, "urn:sharepoint:MyNewWebApplicationURL")

 $sts.Update()

 $sts
 

To consolidate the above steps,

1. To make a WebApplication ADFS authenticated, we need an HTTPS enabled WebApplication. We discussed that in this article.

2. Add the WebApplication to the Relying Party Trust on the ADFS Server. We discussed that in this article and here.

3. Add the WebApplication URL to the ProviderRealms collection of the TrustedIdentityTokenIssuer object.

4. Update and do an IISReset on the SharePoint Server (all the front ends).

5. Change the Authentication Providers of the WebApplication in Central Administration to Claims aware and select the corresponding TrustedIdentityTokenIssuer.

6. Try logging in to the new WebApplication.

That’s it. We are done. Thus, we can add any number of web applications to a single TrustedIdentityTokenIssuer.
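An idempotent version of step 3 with the checks one would want before changing a production issuer, as an added example that is not the article's script: it refuses non-HTTPS URLs (step 1), confirms the web application exists in the farm, builds the realm in the article's urn:sharepoint:host[:port] pattern, skips URLs already registered, and lists every realm so it can be compared with the identifiers on the ADFS relying party trust (step 2). Provider name and URL are placeholders.

```powershell
# Added example, not from the article. Placeholders: provider name, web application URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-SPTrustedProviderRealm {
    param(
        [Parameter(Mandatory=$true)] [string] $ProviderName,
        [Parameter(Mandatory=$true)] [string] $WebApplicationUrl
    )
    $uri = [System.Uri] $WebApplicationUrl
    # Article step 1: an ADFS-authenticated zone must be HTTPS.
    if ($uri.Scheme -ne "https") { throw "Web application URL must be https: $WebApplicationUrl" }
    # The web application has to exist in this farm for the realm to be of any use.
    if (-not (Get-SPWebApplication -Identity $uri.AbsoluteUri -ErrorAction SilentlyContinue)) {
        throw "No web application found at $WebApplicationUrl"
    }
    $sts = Get-SPTrustedIdentityTokenIssuer -Identity $ProviderName
    # Realm in the article's pattern; the same string must be an identifier on the
    # ADFS relying party trust, otherwise ADFS rejects the sign-in request.
    $realm = "urn:sharepoint:" + $uri.Host + $(if (-not $uri.IsDefaultPort) { ":" + $uri.Port })
    if ($sts.ProviderRealms.ContainsKey($uri)) {
        Write-Host "Already registered: $($uri.AbsoluteUri) -> $($sts.ProviderRealms[$uri])"
        return $sts.ProviderRealms[$uri]
    }
    $sts.ProviderRealms.Add($uri, $realm)
    $sts.Update()
    return $realm
}

# Usage (placeholders), followed by the article's step 4: iisreset on every front end.
Add-SPTrustedProviderRealm -ProviderName "Sathish Five Claims Provider" `
    -WebApplicationUrl "https://MyNewWebApplicationURL"

# Check: every URL/realm pair on the issuer, to compare with the ADFS relying party identifiers.
(Get-SPTrustedIdentityTokenIssuer -Identity "Sathish Five Claims Provider").ProviderRealms.GetEnumerator() |
    ForEach-Object { "{0} -> {1}" -f $_.Key.AbsoluteUri, $_.Value }
```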

Happy Coding.

Sathish Nadarajan.
