How to set up the GSA Resource Kit for SharePoint

Introduction

This document describes a number of possible scenarios to configure and use the Google Search Appliance (GSA) Resource Kit for SharePoint (GSARKS). It is intended to document the most common scenarios, but is not exhaustive. GSARKS is intended to be a set of additional services to help integrate the GSA with a SharePoint farm, specifically to traverse content, authenticate users, and authorize documents for users.

Google Connector for SharePoint

See the introduction here.

Google Search Box for SharePoint

The Search Box for SharePoint is deprecated. The last supported version is 3.2.

The Google Search Box for SharePoint replaces the native SharePoint site search with search provided by the GSA, while retaining the look and feel of the native SharePoint search facility. The Google Search Box for SharePoint works with the Google Cloud Connector for SharePoint, which must also be deployed. This provides your users with the speed and relevancy of the GSA along with the convenience of not having to leave SharePoint to perform a search.

The installer for the Search Box is shipped with a default stylesheet that is deployed on the SharePoint host. The stylesheet renders search results with the look and feel of SharePoint.

You can use the Search Box to search all documents indexed by the search appliance, including non-SharePoint content. To restrict search to a limited number of URL patterns, typically a site or a list, you can configure collections in GSA. You can configure the Search Box to search over multiple collections.

Authentication on the Search Box is performed silently. The Search Box uses the currently logged-in user for authorization and does not ask users to enter their credentials again. The Search Box supports the HTTP Basic, Kerberos, and NTLM authentication protocols, with some constraints.

You can customize the result format that search users see, by using the stylesheet locally deployed during the Search Box installation process or by using a stylesheet configured as a front end on the search appliance.

The Search Box takes advantage of the full GSA search protocol, including SharePoint document and item properties that are fed to the appliance by the Google Cloud Connector for SharePoint.

The Google Search Box for SharePoint is enabled on all SharePoint web applications on a machine, which share the same search control. You cannot enable the Google Search Box only on some SharePoint applications on a particular host.

The Google Search Box for SharePoint does not replace the native SharePoint Search Service. The Search Box replaces the search control of the master template. The set of search web parts that come with SharePoint continue to function and still use the SharePoint Search Service.

Requirements

The scenarios in this document have been tested with the following components:

  • Windows Server 2008 R2
  • Microsoft IIS 7.5
  • Microsoft SharePoint 2010
  • GSA 6.14.0.G.28
  • GSA Onboard Connector Manager 2.8.2
  • GSARKS 2.8.2

For other software versions, these or similar steps may work, but they have not been tested during the writing of this scenario.

When changes to existing software are required (such as changes to IIS or SharePoint), make sure that you understand the impact of the changes on your system. Make sure to involve other system administrators as necessary to ensure that these changes do not break existing functionality.

Prerequisites

Authorization

When a user performs a secure search on the GSA, the GSA verifies that the user has access to each result it presents. Before installing the software, decide whether to use early or late binding for authorizing search results for a user. Early binding requires all documents to be populated with Access Control Lists (ACLs), and the GSA must perform group resolution during authentication. The GSA can then perform authorization without contacting the content server during serve time. Late binding involves the GSA contacting the content server (through the connector) to determine whether a user has access to specific documents. The pros and cons of each are:

Early Binding
  • Pros: Faster authorization.
  • Cons: If permissions have changed since the last time a document was traversed, a user could see it in search results even though they do not have access to the document. Documents are generally retraversed soon after their permissions have changed, but this is not instantaneous.
Late Binding
  • Pros: Up-to-the-minute document permissions are queried.
  • Cons:
    • Slower authorization.
    • If authorization requests time out, then searches could return no results.

Google recommends early binding, as it provides for much quicker searches.
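
The trade-off above, as an added toy model that is not part of the original guide and is not GSA code: early binding filters hits against ACLs captured at traversal time, while late binding asks the content server about each hit within a time budget. All names, URLs, principals and latency figures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class IndexedDoc:
    url: str
    acl_snapshot: frozenset  # principals allowed when the doc was last traversed


class ContentServer:
    """Stands in for SharePoint: holds live ACLs and answers per-document checks."""

    def __init__(self, live_acls, latency_ms):
        self.live_acls = live_acls    # url -> set of principals allowed right now
        self.latency_ms = latency_ms  # simulated cost of one authorization round trip

    def can_read(self, principals, url):
        return bool(principals & self.live_acls.get(url, set()))


def early_binding(hits, principals):
    """Authorize from ACLs stored with the index; the content server is not contacted."""
    return [d.url for d in hits if principals & d.acl_snapshot]


def late_binding(hits, principals, server, timeout_ms):
    """Ask the content server about every hit. Checks that do not finish inside
    the time budget count as denied, so a slow server can empty the result list."""
    allowed, spent_ms = [], 0
    for doc in hits:
        spent_ms += server.latency_ms
        if spent_ms > timeout_ms:
            break  # fail closed: this hit and all remaining ones are dropped
        if server.can_read(principals, doc.url):
            allowed.append(doc.url)
    return allowed


def retraverse(hits, server):
    """Refresh every ACL snapshot from the content server, as a new traversal would."""
    return [IndexedDoc(d.url, frozenset(server.live_acls.get(d.url, set()))) for d in hits]


def run_scenario():
    # Constructed data: user identity plus groups resolved at authentication time.
    alice = {"CORP\\alice", "CORP\\finance", "CORP\\staff"}
    budget = "http://sharepoint.example.test/finance/budget.xlsx"
    handbook = "http://sharepoint.example.test/hr/handbook.docx"
    index = [IndexedDoc(budget, frozenset({"CORP\\finance"})),
             IndexedDoc(handbook, frozenset({"CORP\\staff"}))]
    # After traversal, budget.xlsx was restricted to a group alice is not in.
    live = {budget: {"CORP\\cfo-office"}, handbook: {"CORP\\staff"}}
    fast = ContentServer(live, latency_ms=50)
    slow = ContentServer(live, latency_ms=800)
    return {
        "early_stale": early_binding(index, alice),
        "late_fast": late_binding(index, alice, fast, timeout_ms=500),
        "late_slow": late_binding(index, alice, slow, timeout_ms=500),
        "early_after_retraverse": early_binding(retraverse(index, fast), alice),
    }


if __name__ == "__main__":
    for name, urls in run_scenario().items():
        print(f"{name:24} {urls}")
```

With early binding the restricted spreadsheet stays visible until the next traversal refreshes its ACL; with late binding the slow server returns nothing at all, including the document the user may read.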

List of Scenarios

The following scenarios are covered:

  • Using Google Services for SharePoint to index and search SharePoint content, and authenticate users
  • Using Google Services for SharePoint to index and search SharePoint content, and SAML Bridge to authenticate users
  • Using Google Search Box for SharePoint with NTLM

In addition, a guide to installing the GSA Resource Kit for SharePoint is provided, which is referenced in each of the scenarios.

GSA Resource Kit for SharePoint Install Guide

This section describes how to install GSARKS on your SharePoint server. It is referenced from each of the scenarios below, and is placed here because the steps are common to all scenarios.

Parameters for the Google Search Box for SharePoint configuration (step 10 below):

  • Appliance URL: The URL of the search appliance front end. This is typically http://appliance_ip_or_hostname or https://appliance_ip_or_hostname. The value of appliance_ip_or_hostname can be the search appliance host name or IP address. The validity of this URL is checked when it is set, so there must be connectivity between the SharePoint Frontend and the GSA at this time.
  • Collection: The search appliance collection which is queried by search requests; for example, default_collection. You can use one or multiple collections. For complete information, see Searching Over Multiple Collections.
  • Front End: The search appliance front end, which is required when making a search request. You can designate only one front end.
  • Stylesheet: Stylesheets are used to render the search results. When you configure the Search Box, you can deploy the default stylesheet provided with the installer or you can use the search appliance front end stylesheet.
    • Choose the option “Use local stylesheet” to deploy the pre-bundled stylesheet and use it for rendering search results.
    • Choose the option “Use Search Appliance’s Front End” to use the stylesheet associated with the specified Front End for rendering the search results. This requires you to configure and set up a front end on the GSA using the desired stylesheet to have a SharePoint-like look and feel.
  • Serve Method: If Public and Secure, then a checkbox is displayed to allow the user to choose which type of search will be performed.
  • Default Search Type: The type of search that is performed by default by the GSA. If the GSA requires a user to authenticate in order to see results from SharePoint, then you should select Public and Secure Search.
  • Event Log: The Search Box for SharePoint logs all messages to the event log. By default, only error messages are logged under the Google Search Box for SharePoint category. For detailed logging, select the Verbose option.

Parameters for the Google Services for SharePoint installation check (step 11 below):

  • Local SharePoint Web Site URL: The SharePoint web site URL for sites hosted on the machine where the custom web services are installed. Enter a valid SharePoint web site URL, starting with http://.
  • Domain: The domain of the user.
  • Username: The name of the SharePoint user who has access to the web site, for example, Administrator.
  • Password: The password for the SharePoint user.

  1. Log in to all SharePoint Frontend Servers as a user with sufficient privileges to install software.
  2. If a previous version of GSARKS is installed, uninstall it.
  3. Start a browser and navigate to the connector download site and download the GSARKS installer to the SharePoint host. Unzip the downloaded file, if necessary, and navigate to the installer.
  4. Double-click the GSARKS installer. The installer starts and displays a welcome panel.
  5. Click Next. The License Agreement screen is displayed.
  6. Accept the License Agreement and click Next. The Setup Type screen is displayed.
  7. If you want to install Google Services for SharePoint, Google Search Box for SharePoint, and Google SAML Bridge for Windows, select Complete and click Next. If you only want to install one or two of these components, select Custom, click Next, choose the components you would like to install, and click Next.
  8. Click Install.
  9. If you selected to install the GSA Resource Kit for SharePoint, a GSA Resource Kit for SharePoint Port Number configuration dialog is displayed. Follow these steps:
    1. Enter the port number that you would like to use for the Resource Kit. The port must be unused and between 1024 and 65535. The installer creates a web site in IIS with the port number you enter.
    2. Click OK. After the installation process is complete, a web site named gsa-resource-kit is created with two virtual directories, gsa-simulator and saml-bridge.
  10. If you selected to install the Google Search Box for SharePoint, a confirmation dialog is displayed. Click Continue. The Google Search Box for SharePoint - Configuration Wizard is displayed.
    1. Enter the options, as described in the parameters above. Click Save.
  11. If you selected to install the Google Services for SharePoint, a Verify Installation dialog is displayed. Enter the appropriate values, as described in the parameters above, and click Verify. When you are finished, click Close.
  12. If you selected to install the Google SAML Bridge for Windows, a Configuration Wizard dialog is displayed. Enter the GSA Artifact Consumer URL for the SAML Bridge. Most likely, this just involves modifying the hostname in the text box (the default is https://yourgsa/security-manager/samlassertionconsumer).
    1. To raise the logging level, check Enable debug logs.
    2. Click Save.
  13. Click Finish.

Scenarios

Using Google Services for SharePoint to Index and Search SharePoint Content

In this scenario, you will set up the GSA to index SharePoint content, and also let users search for that content from the GSA. Early binding is used here, as it has greater performance.

Background

You will use the connector for SharePoint to traverse the content. Google Services for SharePoint is used to gather ACLs from SharePoint. The connector for SharePoint is used to authenticate a user when a search is performed. Once authentication has been performed, authorization can be performed using either early or late binding. We recommend early binding, due to the benefits described here.

Installation and Configuration

Google Services for SharePoint must be installed, which you will do now.

NOTE: Some of the linked instructions are to previous software versions. Some options might have changed between that version and the versions tested for this scenario.

  1. Allow the GSA to index the content the connector sends.
    1. In the Admin Console, go to Crawl and Index > Crawl URLs and make sure the following string exists in the Follow and Crawl Only URLs with the Following Patterns.
      • ^googleconnector://
    2. Note: If you want to limit the follow pattern to just a specific connector, you can do so by using the following format, replacing <connector-name> with the name that you want to use for the connector. In this case, make sure to remember this name, as you will need to specify it later on in the setup process.
      • ^googleconnector://<connector-name>.localhost
  2. For document caching to work with the GSA, SharePoint needs to be configured to use fully qualified domain names. Instructions for doing this are here.
  3. Now you need to install some software on the Windows system. Follow the GSARKS Install Guide to install GSARKS. Make sure to install the following component:
    • Google Services for SharePoint
  4. Configure the connector for SharePoint. If you would like to use an external Connector Manager, you will need to install the external Connector Manager on a server and register it with the GSA. For help with this, consult the documentation here.
    1. In the Admin Console, go to Connector Administration > Connectors, select ConnectorManager0 from the Connector Manager drop-down, and click Add New Connector. If you are using an external Connector Manager, select that Connector Manager instead.
    2. Type in a Connector Name (remember it for later), choose the sharepoint-connector, and click Get Configuration Form.
    3. Fill out the Connector Configuration form and click Save Configuration. Make sure to use Authorization by connector for Authorization Handling. For other options, consult the documentation here.
      1. If you would like to use early binding, select Authorization by ACL and configure the LDAP settings below the checkbox as required for your AD server.
    4. The connector will need to start traversing the SharePoint farm and submitting feeds to the GSA before you can search for SharePoint content from the GSA. This should start shortly, and the appropriate feeds will show up in the Crawl and Index > Feeds page.
  5. [Optional] If you would like to limit searches to just SharePoint content, you can create a collection for the SharePoint content.
    1. Log in to the Admin Console at http://<gsa-host>:8000/
    2. Go to Crawl and Index > Collections. Enter a Collection Name, choose an Empty Initial Configuration, and click Create Collection.
    3. Click Edit for the collection that was just created.
    4. Enter the following as the only line in Include Content Matching the Following Patterns, replacing <connector-name> with the name of your connector:
      • ^googleconnector://<connector-name>.localhost
    5. Click Save Collection Definition.
  6. Next, you need to configure connector authentication so that the GSA can authenticate users.
    1. Log in to the Admin Console at http://<gsa-host>:8000/
    2. Go to Serving > Universal Login Auth Mechanisms and click on the Connectors tab.
    3. Enter the following and click Save:
      1. Credential Group: Default
      2. Mechanism Name: <whatever you want>
      3. Connector Name: <the connector that you have set up>
      4. Perform group lookup only: unchecked
      5. Trust Duration: 1200
  7. Performing a Test Search
    1. Go to the GSA’s search page, usually available at http://<gsa>/search?site=<collection>&client=<frontend>&output=xml_no_dtd&proxystylesheet=<frontend>. Make sure to replace <gsa>, <collection>, and <frontend> with the appropriate values for your setup.
    2. Perform a search for a term in a SharePoint document that has been indexed.
    3. Enter your SharePoint login credentials on the Universal Login Form.
    4. You should see secure results appear.

Using Google Services for SharePoint and SAML Bridge to Index and Search SharePoint Content

In this scenario, you will set up the GSA to index SharePoint content, and let users search for that content from the GSA.

Background

The connector for SharePoint is used to traverse the content. Google Services for SharePoint is used to gather ACLs from SharePoint. SAML Bridge is used to authenticate a user when a search is performed. Once authentication has been performed, authorization can be performed using either early or late binding. We recommend early binding, due to the benefits described here.

Installation and Configuration

Google Services for SharePoint and SAML Bridge must be installed. You will do this now.

NOTE: Some of the linked instructions are to previous software versions. Some options might have changed between that version and the versions tested for this scenario.

  1. Allow the GSA to index the content the connector sends.
    1. In the Admin Console, go to Crawl and Index > Crawl URLs and make sure the following string exists in the Follow and Crawl Only URLs with the Following Patterns.
      • ^googleconnector://
    2. Note: If you want to limit the follow pattern to just a specific connector, you can do so by using the following format, replacing <connector-name> with the name that you want to use for the connector. In this case, make sure to remember this name, as you will need to specify it later on in the setup process.
      • ^googleconnector://<connector-name>.localhost
  2. In order for document caching to work with the GSA, SharePoint needs to be configured to use fully qualified domain names. Instructions for doing this are here.
  3. Now you need to install some software on the Windows system. Follow the GSARKS Install Guide to install GSARKS. Make sure to install the following components:
    • Google Services for SharePoint
    • SAML Bridge
  4. Configure the connector for SharePoint. If you would like to use an external Connector Manager, you will need to install the external Connector Manager on a server and register it with the GSA. For help with this, consult the documentation here.
    1. In the Admin Console, go to Connector Administration > Connectors, select ConnectorManager0 from the Connector Manager drop-down, and click Add New Connector. If you are using an external Connector Manager, select that Connector Manager instead.
    2. Type in a Connector Name (remember it for later), choose the sharepoint-connector, and click Get Configuration Form.
    3. Fill out the Connector Configuration form and click Save Configuration. Make sure to use Authorization by connector for Authorization Handling. For other options, consult the documentation here.
      1. If you would like to use early binding, select Authorization by ACL and configure the LDAP settings below the checkbox as required for your AD server.
    4. The connector will need to start traversing the SharePoint farm and submitting feeds to the GSA before you can search for SharePoint content from the GSA. This should start shortly, and the appropriate feeds will show up in the Crawl and Index > Feeds page.
  5. [Optional] If you would like to limit searches to just SharePoint content, you can create a collection for the SharePoint content.
    1. Log in to the Admin Console at http://<gsa-host>:8000/
    2. Go to Crawl and Index > Collections. Enter a Collection Name, choose an Empty Initial Configuration, and click Create Collection.
    3. Click Edit for the collection that was just created.
    4. Enter the following as the only line in Include Content Matching the Following Patterns, replacing <connector-name> with the name of your connector:
      • ^googleconnector://<connector-name>.localhost
    5. Click Save Collection Definition.
  6. Next, you need to configure the SAML Bridge so that the GSA can authenticate users.
    1. Perform some initial configuration steps:
      1. Verifying the .NET Framework Version
      2. Verifying the Configuration of the SAML Bridge Application Pool
      3. Configuring Authentication Requirements for the Login.aspx File
      4. Granting Permissions for the SAML Bridge Log File
    2. Configure the GSA to use the SAML Bridge
      1. Configuring the Search Appliance to Use the SAML Bridge
      2. Configuring the SAML Bridge to Communicate with the Google Search Appliance
      3. Checking Time Synchronization
      4. Ensuring Connectivity Between the Google Search Appliance and SAML Bridge
  7. Performing a Test Search
    1. Go to the GSA’s search page, usually available at http://<gsa>/search?site=<collection>&client=<frontend>&output=xml_no_dtd&proxystylesheet=<frontend>. Make sure to replace <gsa>, <collection>, and <frontend> with the appropriate values for your setup.
    2. Perform a search for a term in a SharePoint document that has been indexed.
    3. Enter your SharePoint login credentials on the Universal Login Form.
    4. You should see secure results appear.

Using Google Search Box for SharePoint with NTLM

In this scenario, the GSA is set up to index SharePoint content, and users can search for that content from SharePoint.

Background

When a user performs a search using GSBS, that query is sent to the GSA, where the search is performed. The GSA can search against any collection and frontend, and so it is beneficial to have a collection, and possibly a frontend, configured in the GSA specifically for SharePoint content. By configuring a collection that only contains SharePoint content, you can ensure that only SharePoint content exists in the results when performing a search using the GSBS.

The SharePoint content needs to be authorized for the user before it is returned by the GSA. In this scenario, NTLM credentials are used to authenticate the user via the SAML Bridge. Once authentication has been performed, authorization can be performed using either early or late binding. We recommend early binding, due to the benefits described here.

Installation and Configuration

For GSBS to work properly, Google Services for SharePoint, SAML Bridge, and GSBS must be installed. You will do this now.

NOTE: Some of the linked instructions are to previous software versions. Some options might have changed between that version and the versions tested for this scenario.

  1. Create a collection for the SharePoint content. This collection is used later, but needs to be created at this point.
    1. Log in to the Admin Console at http://<gsa-host>:8000/
    2. Go to Crawl and Index > Collections. Enter a Collection Name, choose an Empty Initial Configuration, and click Create Collection. Make a note of the collection name, as it is required later.
  2. Allow the GSA to index the content the connector sends.
    1. In the Admin Console, go to Crawl and Index > Crawl URLs and make sure the following string exists in the Follow and Crawl Only URLs with the Following Patterns.
      • ^googleconnector://
    2. Note: If you want to limit the follow pattern to just a specific connector, you can do so by using the following format, replacing <connector-name> with the name that you want to use for the connector. In this case, make sure to remember this name, as you will need to specify it later on in the setup process.
      • ^googleconnector://<connector-name>.localhost
  3. In order for document caching to work with the GSA, SharePoint needs to be configured to use fully qualified domain names. Instructions for doing this are here.
  4. Now you need to install some software on the Windows system. Follow the GSARKS Install Guide to install GSARKS. Make sure to install the following components:
    • Google Services for SharePoint
    • SAML Bridge
    • Google Search Box for SharePoint
  5. Configure the connector for SharePoint. If you would like to use an external Connector Manager, you will need to install the external Connector Manager on a server and register it with the GSA. For help with this, consult the documentation here.
    1. In the Admin Console, go to Connector Administration > Connectors, select ConnectorManager0 from the Connector Manager drop-down, and click Add New Connector. If you are using an external Connector Manager, select that Connector Manager instead.
    2. Type in a Connector Name (remember it for later), choose the sharepoint-connector, and click Get Configuration Form.
    3. Fill out the Connector Configuration form and click Save Configuration. Make sure to use Authorization by connector for Authorization Handling. For other options, consult the documentation here.
      1. If you would like to use early binding, select Authorization by ACL and configure the LDAP settings below the checkbox as required for your AD server.
    4. The connector will need to start traversing the SharePoint farm and submitting feeds to the GSA before you can search for SharePoint content from the GSA. This should start shortly, and the appropriate feeds will show up in the Crawl and Index > Feeds page.
  6. Now that you know the connector name, configure the collection that was created in step 1.
    1. Go to Crawl and Index > Collections and click Edit for the collection that was created in step 1.
    2. Enter the following as the only line in Include Content Matching the Following Patterns, replacing <connector-name> with the name of your connector:
      • ^googleconnector://<connector-name>.localhost
    3. Click Save Collection Definition.
  7. Next, you need to configure the SAML Bridge so that the GSA can authenticate users.
    1. Perform some initial configuration steps:
      1. Verifying the .NET Framework Version
      2. Verifying the Configuration of the SAML Bridge Application Pool
      3. Configuring Authentication Requirements for the Login.aspx File
      4. Granting Permissions for the SAML Bridge Log File
    2. Configure the GSA to use the SAML Bridge
      1. Configuring the Search Appliance to Use the SAML Bridge
      2. Configuring the SAML Bridge to Communicate with the Google Search Appliance
      3. Checking Time Synchronization
      4. Ensuring Connectivity Between the Google Search Appliance and SAML Bridge
  8. If you would like to use early binding, you now need to set up group lookup with the Connector. Skip these steps if you are using late binding.
    1. Go to Serving > Universal Login Auth Mechanisms and click on the Connector tab.
    2. Enter a Mechanism Name and select the Connector Name that was previously set up.
    3. Check the box labeled Perform group lookup only and click Save.
  9. Performing a Test Search
    1. Go to the GSA’s search page, usually available at http://<gsa>/search?site=<collection>&client=<frontend>&output=xml_no_dtd&proxystylesheet=<frontend>. Make sure to replace <gsa>, <collection>, and <frontend> with the appropriate values for your setup.
    2. Perform a search for a term in a SharePoint document that has been indexed.
    3. Enter your SharePoint login credentials on the Universal Login Form.
    4. You should see secure results appear.
  10. Perform a search from SharePoint
    1. All GSBS configuration should have been done at installation time. Now you will try a test search from the Search Box.
    2. Log into your SharePoint website.
    3. Confirm that the search box has a “Google search” background. This verifies that the GSBS is being used.
    4. Perform a search for a document that is on the SharePoint site. A common query to use is ‘welcome’.
    5. Verify that results are returned. If an error message is returned, look for it in the Troubleshooting section, and if it is not there, open a ticket with Google Cloud Support.

Confirming the Setup by Checking Log Files

When performing a secure search, the basic flow is:

  1. User searches for something
  2. GSA authenticates the user
  3. GSA performs the search
  4. GSA authorizes the search results for the user
  5. User gets search results

Using logs available through the Admin Console, you can verify whether the user is authenticating correctly (2) and which documents are authorized for that user (4). User authentication and group lookup are done in the authentication step, and document verification is done in the authorization step. Note that the verified user ID and group information are present in multiple log files.

Information specific to your setup, like usernames, groups, and domains (but notably not session IDs), is shown in the example logs below in < > brackets.

Obtaining Log Files

  • If you are using the internal connector manager, then obtain the connector logs by going to Connector Administration > Connector Managers and click on the Logs link.
  • If you are using the external connector manager, then obtain the connector logs from your external connector manager host in %INSTALL_DIR/Tomcat/logs/.
  • To obtain the authentication logs, click on the SecMgr Logs button on the Serving > Universal Login page.
  • To obtain the authorization logs, click on the Authorization Log button on the Serving > Access Control page.

Authentication

Connector


Jun 20, 2012 1:12:10 PM [] com.google.enterprise.connector.servlet.ConnectorManagerServlet doPost
INFO: HEADER user-agent: SecMgr
Jun 20, 2012 1:12:10 PM [] com.google.enterprise.connector.servlet.ConnectorManagerServlet doPost
INFO: HEADER content-type: text/xml; charset=UTF-8
Jun 20, 2012 1:12:10 PM [] com.google.enterprise.connector.servlet.ConnectorManagerServlet doPost
INFO: HEADER host: ent1:7886
Jun 20, 2012 1:12:10 PM [] com.google.enterprise.connector.servlet.ConnectorManagerServlet doPost
INFO: HEADER content-length: 176
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthenticationManager authenticate
INFO: Received authN request for Username [ <username> ], domain [ null ]. 
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthenticationManager authenticate
INFO: Received authN request for Username [ <username> ], domain [ null ]. 
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthenticationManager authenticate
INFO: Authenticating User: <domain>\<username>
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.wsclient.GSBulkAuthorizationWS checkConnectivity
INFO: GS Connectivity status: success
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthenticationManager authenticate
INFO: Authentication succeeded for the user : <username> with identity : <domain>\<username>
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthenticationManager getAllGroupsForTheUser
INFO: Attempting group resolution for user : <username>
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService getAllGroupsForSearchUser
INFO: The LDAP cache is not yet initialized and hence querying LDAP and User Data Store directly.
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService getAllLdapGroups
INFO: Quering LDAP directory server to fetch all direct groups for the search user: <username>
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService$LdapConnection <init>
INFO: LdapConnectionSettings [authType=Simple, baseDN=<basedn>, connectMethod=Standard, hostname=<hostname>, password=####, port=389, serverType=ACTIVE_DIRECTORY, userName=<username>, domainName =<domain> ]
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService$LdapConnection configureLdapEnvironment
INFO: Using simple authentication.
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService$LdapConnection makeLdapUrl
INFO: Complete LDAP URL : ldap://<hostname>:389
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService$LdapConnection createContext
INFO: Sucessfully created an Initial LDAP context
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService$LdapConnection configureLdapEnvironment
INFO: Using simple authentication.
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService$LdapConnection makeLdapUrl
INFO: Complete LDAP URL : ldap://<hostname>:389
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService$LdapConnection createContext
INFO: Sucessfully created an Initial LDAP context
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService getDirectGroupsForTheSearchUser
INFO: [ <username> ] is a direct member of 1 groups : [<ldapgroup>]
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService getAllParentGroups
INFO: Parent groups for the group [<ldapgroup>] : []
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService getAllLdapGroups
INFO: [ <username> ] is a direct or indirect member of 1 groups
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.ldap.UserGroupsService getAllADGroupsAndSPGroupsForSearchUser
INFO: Quering User data store with the AD groups :[<domain>\<group>] and search user [<username>]
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.dao.UserDataStoreDAO getAllMembershipsForSearchUserAndLdapGroups
INFO: 0 Memberships identified for LDAP directory groups in User Data Store.
Jun 20, 2012 1:12:10 PM [AuthN <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthenticationManager getAllGroupsForTheUser
INFO: Group resolution service returned following groups for the search user: <username> 
[<domain>\<group>]

120620 13:12:03.998:I 32 [.authncontroller.AuthnSession.<init>] sid fe56deea396f98d36f146872cafc0c3b: created new session.
120620 13:12:03.998:I 32 [.authncontroller.AuthnSession.logIncomingRequest] sid fe56deea396f98d36f146872cafc0c3b: Incoming GET URL: https://<gsa>/security-manager/samlauthn
120620 13:12:04.000:I 32 [.authncontroller.AuthnSession.setStateInternal] sid fe56deea396f98d36f146872cafc0c3b: State transition from IDLE to AUTHENTICATING
120620 13:12:04.000:I 32 [.authncontroller.AuthnController.authenticate] sid fe56deea396f98d36f146872cafc0c3b: Entering authentication controller in state AUTHENTICATING
120620 13:12:04.001:I 32 [.authncontroller.AuthnSession.updateIncomingCookies] sid fe56deea396f98d36f146872cafc0c3b: Incoming cookies from user agent: GSA_SESSION_ID=fe56deea396f98d36f146872cafc0c3b
120620 13:12:04.001:I 32 [.authncontroller.AuthnController.getRunnableMechanisms] sid fe56deea396f98d36f146872cafc0c3b: Mechanism has runnability status NOT_READY: something
120620 13:12:04.001:I 32 [.authncontroller.AuthnSession.setStateInternal] sid fe56deea396f98d36f146872cafc0c3b: State transition from AUTHENTICATING to IN_CREDENTIALS_GATHERER
120620 13:12:04.001:I 32 [.authncontroller.AuthnSession.setStateInternal] sid fe56deea396f98d36f146872cafc0c3b: State transition from IN_CREDENTIALS_GATHERER to AUTHENTICATING
120620 13:12:04.002:I 32 [.authncontroller.AuthnSession.setStateInternal] sid fe56deea396f98d36f146872cafc0c3b: State transition from AUTHENTICATING to IN_UL_FORM
120620 13:12:04.002:I 32 [.authncontroller.AuthnController.renderUniversalLoginForm] sid fe56deea396f98d36f146872cafc0c3b: Rendering Universal Login Form.
120620 13:12:04.002:I 32 [.authncontroller.AuthnController.updateOutgoingCookies] sid fe56deea396f98d36f146872cafc0c3b: Outgoing cookies to user agent: (none)
120620 13:12:04.003:I 32 [.authncontroller.AuthnController.authenticate] sid fe56deea396f98d36f146872cafc0c3b: Leaving authentication controller in state IN_UL_FORM with result UNFINISHED
120620 13:12:10.709:I 31 [.authncontroller.AuthnSession.logIncomingRequest] sid fe56deea396f98d36f146872cafc0c3b: Incoming POST URL: https://<gsa>/security-manager/samlauthn
120620 13:12:10.710:I 31 [.authncontroller.AuthnController.authenticate] sid fe56deea396f98d36f146872cafc0c3b: Entering authentication controller in state IN_UL_FORM
120620 13:12:10.710:I 31 [.authncontroller.AuthnSession.updateIncomingCookies] sid fe56deea396f98d36f146872cafc0c3b: Incoming cookies from user agent: GSA_SESSION_ID=fe56deea396f98d36f146872cafc0c3b
120620 13:12:10.711:I 31 [.authncontroller.AuthnController.authenticateHandleInUlfState] sid fe56deea396f98d36f146872cafc0c3b: Processing Universal Login Form submission.
120620 13:12:10.711:I 31 [.ulf.UniversalLoginFormHtml.parsePostedForm] sid fe56deea396f98d36f146872cafc0c3b: Retrieved user/pass: "<username>" <non-plaintext password>
120620 13:12:10.712:I 31 [.authncontroller.AuthnSession.updateSessionState] sid fe56deea396f98d36f146872cafc0c3b: Modify session state:
  add to http://google.com/enterprise/gsa/security-manager/Default: {principal: "<username>"}
  add to http://google.com/enterprise/gsa/security-manager/Default: {password}

120620 13:12:10.712:I 31 [.authncontroller.AuthnSession.setStateInternal] sid fe56deea396f98d36f146872cafc0c3b: State transition from IN_UL_FORM to AUTHENTICATING
120620 13:12:10.712:I 31 [.authncontroller.AuthnController.getRunnableMechanisms] sid fe56deea396f98d36f146872cafc0c3b: Mechanism has runnability status READY: something
120620 13:12:10.766:I 31 [.authncontroller.AuthnController.invokeModule] sid fe56deea396f98d36f146872cafc0c3b: Credentials verified: something
120620 13:12:10.766:I 31 [.authncontroller.AuthnSession.updateSessionState] sid fe56deea396f98d36f146872cafc0c3b: Modify session state:
  add to http://google.com/enterprise/gsa/security-manager/something: {Verification: status=VERIFIED; expires at 2012-06-20T13:32:10.712-07:00; credentials {groups: "<domain>\\<group>"}, {password}, {principal: "<username>"}}

120620 13:12:10.766:I 31 [.authncontroller.AuthnController.maybeRetryGatheringCredentials] sid fe56deea396f98d36f146872cafc0c3b: Credentials verified.
120620 13:12:10.766:I 31 [.authncontroller.AuthnController.updateOutgoingCookies] sid fe56deea396f98d36f146872cafc0c3b: Outgoing cookies to user agent: (none)
120620 13:12:10.767:I 31 [.authncontroller.AuthnController.authenticate] sid fe56deea396f98d36f146872cafc0c3b: Leaving authentication controller in state AUTHENTICATING with result SUCCESSFUL
120620 13:12:10.773:X 31 [org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder.checkRelayState] Relay state exceeds 80 bytes, some application may not support this.
120620 13:12:10.773:I 31 [.authncontroller.AuthnSession.setStateInternal] sid fe56deea396f98d36f146872cafc0c3b: State transition from AUTHENTICATING to IDLE
120620 13:12:10.954:I 27 [.servlets.SamlArtifactResolve.doPost] Enter artifact resolver (22962053)
120620 13:12:10.956:I 27 [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule.evaluate] SAML protocol message was not signed, skipping XML signature processing
120620 13:12:10.958:I 27 [.servlets.SamlArtifactResolve.doPost] Artifact resolved (22962053): AAQAAKpjEcTTN1neW6WvudhsEx9kBcBco54gKWcgZx+wYx3ISh5CeFToUfU=
120620 13:12:10.968:I 27 [.servlets.SamlArtifactResolve.doPost] Exit artifact resolver (22962053)

Authorization

Note that the first line shows the username and the groups that the user belongs to. In the example search, only one document was found, so there is only one authorization check. The authorization result for each document is PERMIT, DENY, or INDETERMINATE. INDETERMINATE means that the GSA could not determine whether the document was authorized for the user, so it is treated as a DENY.

ACL


120620 13:12:11.220:I 1548 [com.google.enterprise.sessionmanager.SessionManager.adminRecord] [GSA_ADMIN_LOG]  session id: fe56deea396f98d36f146872cafc0c3b verifiedUserId: <username> groups: [<DOMAIN>\<group>]
120620 13:12:11.223:I 1548 [com.google.enterprise.sessionmanager.SessionManager.adminRecord] [GSA_ADMIN_LOG] This batch of requests completed.  Elapsed time(after cache/ACL check): 0 ms session id: fe56deea396f98d36f146872cafc0c3b
120620 13:12:11.223:I 1548 [com.google.enterprise.authzchecker.AuthzRequestProcessor.logResults] [[GSA_ADMIN_LOG] Authorization results for session: fe56deea396f98d36f146872cafc0c3b decision [1/1] PERMIT by POLICY for URL <url>

Connector


Jun 20, 2012 2:19:27 PM [AuthZ <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthorizationManager authorizeDocids
INFO: Received authZ request for 1 docs. Username [ <username> ], domain [  ].
Jun 20, 2012 2:19:27 PM [AuthZ <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthorizationManager authorizeDocids
INFO: Authorizing User silo1\esomin2
Jun 20, 2012 2:19:27 PM [AuthZ <username> <connectorname>] com.google.enterprise.connector.sharepoint.spiimpl.SharepointAuthorizationManager authorizeDocids
INFO: This batch of request completed in 0.181 seconds. Total docs received was #1. Total authorized #1

120620 14:19:27.246:I 1548 [com.google.enterprise.sessionmanager.SessionManager.adminRecord] [GSA_ADMIN_LOG]  session id: 373c07dd0127db0ec5e0e598e93436b4 verifiedUserId: <username> groups: [<DOMAIN>\<group>]
120620 14:19:27.741:I 1548 [com.google.enterprise.sessionmanager.SessionManager.adminRecord] [GSA_ADMIN_LOG] This batch of requests completed.  Elapsed time(after cache/ACL check): 491 ms session id: 373c07dd0127db0ec5e0e598e93436b4
120620 14:19:27.743:I 1548 [com.google.enterprise.authzchecker.AuthzRequestProcessor.logResults] [[GSA_ADMIN_LOG] Authorization results for session: 373c07dd0127db0ec5e0e598e93436b4 decision [1/1] PERMIT by CONNECTOR for URL <url> (added to cache)
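
The following Python script is an added example, not part of the original document or of any Google tooling. It joins each GSA_ADMIN_LOG session line (user and groups) to the authorization results for the same session id and lists the documents the user will not see. The sample log is constructed; the INDETERMINATE line, the comma-separated group list, and a separate log line for each decision are assumptions, since the excerpts above show only single-group, single-decision PERMIT lines.

```python
import re

# Constructed sample in the GSA_ADMIN_LOG format shown above; users, groups and
# URLs are placeholders. The INDETERMINATE line and the comma-separated group
# list are assumptions: the page itself only shows single-group PERMIT lines.
SAMPLE_LOG = r"""
120620 13:12:11.220:I 1548 [com.google.enterprise.sessionmanager.SessionManager.adminRecord] [GSA_ADMIN_LOG]  session id: aaaa0001 verifiedUserId: alice groups: [EXAMPLE\staff]
120620 13:12:11.223:I 1548 [com.google.enterprise.sessionmanager.SessionManager.adminRecord] [GSA_ADMIN_LOG] This batch of requests completed.  Elapsed time(after cache/ACL check): 0 ms session id: aaaa0001
120620 13:12:11.223:I 1548 [com.google.enterprise.authzchecker.AuthzRequestProcessor.logResults] [[GSA_ADMIN_LOG] Authorization results for session: aaaa0001 decision [1/1] PERMIT by POLICY for URL http://sp.example.test/doc1
120620 14:19:27.246:I 1548 [com.google.enterprise.sessionmanager.SessionManager.adminRecord] [GSA_ADMIN_LOG]  session id: bbbb0002 verifiedUserId: bob groups: [EXAMPLE\staff, EXAMPLE\hr]
120620 14:19:27.743:I 1548 [com.google.enterprise.authzchecker.AuthzRequestProcessor.logResults] [[GSA_ADMIN_LOG] Authorization results for session: bbbb0002 decision [1/2] PERMIT by CONNECTOR for URL http://sp.example.test/doc2 (added to cache)
120620 14:19:27.743:I 1548 [com.google.enterprise.authzchecker.AuthzRequestProcessor.logResults] [[GSA_ADMIN_LOG] Authorization results for session: bbbb0002 decision [2/2] INDETERMINATE by CONNECTOR for URL http://sp.example.test/doc3
"""

SESSION_RE = re.compile(
    r"session id: (?P<sid>\w+) verifiedUserId: (?P<user>\S+) groups: \[(?P<groups>[^\]]*)\]")
RESULT_RE = re.compile(r"Authorization results for session: (?P<sid>\w+)")
DECISION_RE = re.compile(
    r"decision \[\d+/\d+\] (?P<verdict>PERMIT|DENY|INDETERMINATE)"
    r" by (?P<source>\w+) for URL (?P<url>\S+)")

def parse_authz(log_text):
    """Return one record per authorization decision, joined to the session's user."""
    sessions, records = {}, []
    for line in log_text.splitlines():
        if "[GSA_ADMIN_LOG]" not in line:
            continue
        m = SESSION_RE.search(line)
        if m:  # remember who the session belongs to
            groups = [g.strip() for g in m["groups"].split(",") if g.strip()]
            sessions[m["sid"]] = (m["user"], groups)
            continue
        r = RESULT_RE.search(line)
        if not r:
            continue
        user, groups = sessions.get(r["sid"], (None, []))
        for d in DECISION_RE.finditer(line):
            records.append({
                "session": r["sid"], "user": user, "groups": groups,
                "url": d["url"], "verdict": d["verdict"], "source": d["source"],
                # INDETERMINATE is treated as DENY, as the text above states.
                "effective": "PERMIT" if d["verdict"] == "PERMIT" else "DENY",
            })
    return records

def hidden_results(records):
    """Decisions whose document is withheld from the user (DENY or INDETERMINATE)."""
    return [r for r in records if r["effective"] == "DENY"]
```

The "source" field distinguishes decisions made by POLICY (the ACL case above) from those made by CONNECTOR, which helps when a missing result has to be traced to either the GSA or the connector.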

Troubleshooting

The remote server returned an error: 401 Unauthorized

You may see this message if:

  • Your SharePoint site is using HTTP Basic and not Kerberos/NTLM authentication.
  • SAML Bridge and Search Box are on the same host. In this case, you may need to disable loopback check functionality. See Microsoft's support site for details.
  • You haven't configured your browser to use NTLM/Kerberos. Refer to this document for setting up your browser for NTLM/Kerberos.

The remote server returned an error: (417) Expectation Failed

This error message is generally returned because an SSL message was expected but not received (likely an HTTP packet is being sent instead of an HTTPS packet). There are two solutions to this:

  • If you do not require HTTPS, then you can turn off HTTPS everywhere.
    1. In the Admin Console, go to Administration > SSL Settings.
    2. Select No under Force secure connections when serving?
    3. Click Save Setup.
  • If you do require HTTPS, then you should make sure to always use HTTPS. You may need to install an SSL certificate as well.
    1. In the Admin Console, go to Administration > SSL Settings.
    2. Select Use HTTPS when serving both public and secure results under Force secure connections when serving?
    3. Click Save Setup.
    4. Ensure that your SAML Bridge URLs are for https, not http. See the SAML Bridge documentation.

The remote server returned an error: (500) Internal Server Error

You may see this message in relation to the Search Box if:

  • Your GSA is not set up properly. Make sure that you are able to get secure search results from the GSA directly.
  • The configuration parameters for the Search Box are incorrect. Check them on the SharePoint site using the Search Box Configuration Wizard.
  • If you are using the GSA's frontend, make sure that the frontend name mentioned in the Search Box configuration is correct.
  • Windows Integrated Authentication may not be set up. Follow the steps required to configure the SAML Bridge, and try to perform another search.

The remote server returned an error: (502) Bad Gateway

Also check that the Search Box log shows the following message: The cookie contains only key 'secure' without any value.

To avoid getting this error for a secure search, configure the Search Box to omit the secure cookie. To do this, follow these instructions:


  1. Open the web.config file for the SharePoint web application (the web.config file is in the path C:\inetpub\wwwroot\wss\VirtualDirectories\<PORT>, where <PORT> is the port number for the SharePoint web application).
  2. Modify the value for the "omitSecureCookie" key in the following line from false to true:

     <add key="omitSecureCookie" value="false" />

  3. Restart IIS.

I am getting the error 'No local SharePoint web applications found in this machine' while installing the Search Box

In a SharePoint farm deployment, it is possible that the WFE (Web Front-end) is configured NOT to host any web-application. In this case, no web application is installed on the host. The GSARKS installer looks for whether the web-application is deployed locally. If not, it presents this error. You can check whether this is the case by browsing the SharePoint URLs and looking at the host name shown in the URL. The installer should definitely work if the web applications are hosted locally. Note that Search Box must be deployed on all the WFEs in the farm that host the web-applications.
