Search not working in federated SAML authentication SharePoint site

 Situation:

Created a web application and chosen “Default zone” for Trusted Identify Provider authentication “iTrust” – (SAML Authentication)

Note: Trusted Identity Provider Authentication enables federated users in this Web application. This authentication is Claims token based and the user is redirected to a login form for authentication.

 

Issue:

Site is working fine but “Search” didn’t work. When checked for the reason, found that the default zone should be windows authentication which makes ‘Search” work.

Resolution:

-         -  Need to create standard default zone windows authentication (Though this is not required – as the site created is for federated authenticated external users with SAML authentication).

-          - Then extend the windows default zone application into Trusted Identity provider “Extranet/Any available zone” site.

 

Step1: Default zone windows authentication web application

-         -- Create a new webapplication and provide the port number and host header you would like

(Ex: Port Number:301, Host Header: auth.extranet.niddk.nih.gov)

-       --   Select SSL and unselect “Anonymous” access (This is based on my requirement)

-         -- Now the url would read like (https://auth.extranet.niddk.nih.gov:301)

-          -- Select windows authentication

-          -- Default zone will be already selected, and it will be in “read” mode. You cannot change the zone, since this is the new webapplication. Very first time all webapplications will be created in “Default” zone

-          -- Click “Create”

-          -- Now webapplication with default zone on windows authentication is created.

-          Then create empty root site collection and that’s is for the 1st step

 

Step2: Extend the web application in different zone with federated authentication

-          -- Select the web application from the CA and click “Extend” from the top ribbon

-         -- Now provide the default port number (80/443) and provide the host header

(Example: Port Number: 443, Host Header: auth.extranet.niddk.nih.gov)

-          -- If you see – Host Header for both default zone and other zone is same. Only differentiating factor is the port number

-          -- Select “Trusted Identity Provider”, my case “iTrust” and unselect “Windows Authentication”.

-        --   After you unselect “Windows Authentication”, you will see an alert “If Windows authentication is not selected on any Zone of this Web application, crawling for this Web application will be disabled”.

-          Above alert message is fully correct – Windows authentication should be enabled for default zone and not for any other zone. In my case I have created windows authentication for “Intranet zone” and created Federated iTrust with default zone. But “Search” is not working.

-          This is not an issue here, as we have already created a web application(step1) with default zone and windows authentication. It will take care of crawling for – its own webapplication, extended web application, site collections created on default web application and site collections created on extended web application (Whether the site collection is path based/host named – doesn’t matter)

-        --   Once the web application is extended, go to front end server, open IIS

-          -- Select the default windows authentication website(with port number in our case- to differentiate from iTrust site, you can even give different host header name) from IIS and select Bindings to add the extended site.

-          -- Select https, port number: <<>>, host header which you gave while creating web application, check “Require Server Name Indication” and select SSL certificate

-          -- Reset IIS

-          -- Now select extended web application and add Bindings

-          -- https, Port number:443, host header and check “Require Server Name Indication” and select SSL certificate

--    --   IIS reset

Comments

Post a Comment

Popular posts from this blog

Power BI Refresh Issue: unable to convert the value '' from the source data type 'VT_BSTR' to the expected data type 'VT_I8.

Image
While scheduling refresh in Power BI, you might get below error . Issue: Unable to convert the value '<pii></pii>' from the source data type 'VT_BSTR' to the expected data type 'VT_I8 .     Cause/Reason Behind: Column datatype mismatch between power bi desktop and power bi cloud report. Solution: Edit query in power bi desktop and change the data type so it’s in sync with Power BI service/cloud. Example: In my case, I have modified a column’s datatype from decimal to whole number (to display no. of days). Now power bi desktop and power bi service synced up and I could perform automatic data refresh.
Read more

Run Powershell script on Remote Computer/Server

Image
PowerShell Remoting allows you to run individual PowerShell commands or access full PowerShell sessions on remote Windows systems.   PowerShell is locked-down by default, so you’ll have to enable PowerShell Remoting before using it. This setup process is a bit more complex if you’re using a workgroup – for example, on a home network — instead of a domain.   Enabling PowerShell Remoting On the computer you want to access remotely, open a PowerShell window as Administrator – right click the PowerShell shortcut and select Run as Administrator.   To enable PowerShell Remoting, run the following command (known as a cmdlet in PowerShell):  Enable-PSRemoting -Force This command starts the WinRM service, sets it to start automatically with your system, and creates a firewall rule that allows incoming connections. The -Force part of the command tells PowerShell to perform these actions without prompting you for each step     Workgroup Setup If your computers aren
Read more

SPDActivities - DP.SharePoint.Workflow - Workflow failed to run

Image
One of my SP 2016 application is using SPDActivities of Email extended feature of DP.SharePoint.Workflow to provide custom "From" address. But customers started to complain that they are not getting reminder emails anymore. Find below my STAR analysis, Situation : Recently I was facing an issue - Approval workflow failed to run. Customers not getting reminder emails anymore. Task : - Planned to look into SharePoint services, IIS site, web.config files (WFE and App Server), Latest patch/MS update/CU, Users permission. Analysis : Started looking into each below items,  - SharePoint Timer Service and Administration services were running and good - Account which is running the workflow got required permission - DP.SharePoint.Workflow got activated for the web application - Checked into web.config file in WFE server and App Server for below sections Under <SafeControls> below 3 lines need to added both in WFE and App server web.config files,
Read more