Enable queries from Microsoft SharePoint Server (FAST Search Server 2010 for SharePoint)

 

Applies to: FAST Search Server 2010

This article describes how to enable queries from Microsoft SharePoint Server 2010 on the FAST Search Server 2010 for SharePoint. You must configure claims authentication, which means that you export a certificate from SharePoint Server 2010 and import it on all query servers in FAST Search Server 2010 for SharePoint. If you want to help secure query traffic by enabling HTTPS (optional), you must perform some additional steps.

Before you enable queries as described in this article, follow the steps in Create and set up the Query Search Service Application (FAST Search Server 2010 for SharePoint).

In this article:

  • Configure claims authentication

  • Enable HTTPS (optional)

Configure claims authentication

This section describes how to transfer a Microsoft SharePoint Server 2010 STS certificate (MOSS_STS) from SharePoint Server 2010 to all FAST Search Server 2010 for SharePoint query servers to provide security-trimmed queries.

Security trimming, or item-level security, limits the items in search results to those that the user who submitted the query is authorized to see.

On SharePoint Server 2010, export the SharePoint STS certificate:

  1. On the Start menu, click All Programs.

  2. Click Microsoft SharePoint 2010 Products.

  3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.

  4. At the Windows PowerShell command prompt, type the following command(s):

    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $stsCert.Export("cert") | Set-Content  -encoding byte MOSS_STS.cer
    

    The file MOSS_STS.cer is created in the directory from which you run the commands.

  5. Copy MOSS_STS.cer to a location that is available to the FAST Search Server 2010 for SharePoint query servers.

On each FAST Search Server 2010 for SharePoint query server, import the SharePoint STS certificate:

  1. On the Start menu, click All Programs.

  2. Click Microsoft FAST Search Server 2010 for SharePoint.

  3. Right-click Microsoft FAST Search Server 2010 for SharePoint shell and select Run as administrator.

  4. At the Windows PowerShell command prompt, browse to <FASTSearchFolder>\installer\scripts\, where <FASTSearchFolder> is the path of the folder where you have installed FAST Search Server 2010 for SharePoint, for example C:\FASTSearch. Type the following command:

    .\InstallSTSCertificateForClaims.ps1 -certPath <"full path of MOSS STS certificate">
    

    Where:

    • <"full path of MOSS STS certificate"> is the path of the location where you copied the MOSS_STS.cer file.

After finishing these steps, you have completed the configuration of the FAST Search Server 2010 for SharePoint query server. Repeat for all query servers if you have more than one.
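
The copied MOSS_STS.cer becomes the trust anchor for claims on every query server, so it is worth confirming that the file is the certificate you exported before importing it. The following is an added example, not part of the original article or of the product scripts; `Test-StsCertFile` is a hypothetical helper name.

```powershell
# Added example; Test-StsCertFile is a hypothetical helper, not a FAST Search or SharePoint cmdlet.
function Test-StsCertFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )
    $fullPath = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath
    # Thumbprints pasted from a dialog often carry spaces or invisible characters; keep hex only.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        ThumbprintMatch  = ($cert.Thumbprint -eq $expected)
        # A .cer produced by Export("cert") carries the public certificate only.
        PublicOnly       = (-not $cert.HasPrivateKey)
        InValidityPeriod = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    }
}

# On the SharePoint server, immediately after the export:
#   $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
#   Test-StsCertFile -Path .\MOSS_STS.cer -ExpectedThumbprint $stsCert.Thumbprint
# On each query server, before running InstallSTSCertificateForClaims.ps1
# (the path and thumbprint below are placeholders):
#   Test-StsCertFile -Path '<full path of MOSS STS certificate>' -ExpectedThumbprint '<thumbprint noted on the SharePoint server>'
```

Import the file only when ThumbprintMatch, PublicOnly and InValidityPeriod are all True.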

Enable HTTPS (optional)

If you want to help secure query traffic by using HTTPS, you must perform some additional optional steps. With FAST Search Server 2010 for SharePoint, you can choose between HTTP and HTTPS for query traffic. HTTP is used as a default.

  • HTTP: All query traffic from the SharePoint Server 2010 search application to FAST Search Server 2010 for SharePoint will be sent via HTTP requests. The information is not encrypted. However, this communication channel is faster than HTTPS. Use HTTP if your documents do not contain sensitive information, or if you want maximum query performance. This is the default method.

  • HTTPS: All query traffic from the SharePoint Server 2010 search application to FAST Search Server 2010 for SharePoint will be sent via secured requests. The information is encrypted in transit, so sensitive information that is contained in the query traffic cannot be read by anyone who intercepts it. Use HTTPS if your documents contain sensitive information.

Note

This configuration step is optional. Follow this procedure only if you decide to use HTTPS for queries between FAST Search Server 2010 for SharePoint and SharePoint Server 2010.

HTTPS for query traffic requires server-specific SSL certificates. Each query server in FAST Search Server 2010 for SharePoint must have a certificate for which one of the following is true:

  • The certificate subject property is set to the FQDN of the query server.

  • The subject alternative name (SAN) property contains the FQDN of the query server.

We recommend that you use your company's existing public key infrastructure (PKI) to generate these SSL certificates.

On each query server in FAST Search Server 2010 for SharePoint, follow these steps:

  1. Import the server-specific SSL certificate into the certificate store. The certificate must be saved under Certificates (Local Computer)\Personal.

    Grant the FASTSearchAdministrators group full access to the certificate by using winhttpcertcfg or the Microsoft Management Console (MMC) Certificates snap-in.

    To grant access by using the MMC snap-in:

    1. Click Start, type mmc in the Search programs and files box, and then press ENTER.

    2. Right-click the certificate, click All tasks, and then click Manage Private Keys.

    3. Click Add, add the FASTSearchAdministrators group, and select Full control.

  2. Configure the query server to use the certificate on base port + 286.

    1. On the Start menu, click All Programs.

    2. Click Microsoft FAST Search Server 2010 for SharePoint.

    3. Right-click Microsoft FAST Search Server 2010 for SharePoint shell and select Run as administrator.

    4. At the Windows PowerShell command prompt, type the following command(s):

      netsh http add sslcert ipport=0.0.0.0:<baseport+286> appid='{a5455c78-6489-4e13-b395-47fbdee0e7e6}' certhash=<Cert_Thumbprint>
      

      Where:

      • <baseport+286> is the actual port number. Example: If the base port is 13000, the actual port number will be 13286 (ipport=0.0.0.0:13286).

      • <Cert_Thumbprint> is the thumbprint of the certificate.
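
A binding to the wrong certificate, or to one whose name does not match the server, shows up later as failed HTTPS queries from SharePoint. The following added example (not part of the original article) lists the certificates under Certificates (Local Computer)\Personal that satisfy the subject or SAN requirement above, and then checks which thumbprint is bound to the query port. The function names are hypothetical, and the parsing assumes an English-language Windows installation.

```powershell
# Added example; function names are hypothetical, not part of FAST Search Server.
function Get-QueryServerSslCandidate {
    param(
        # Assumption: the local host entry resolves to the server's FQDN; pass -Fqdn otherwise.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $now = Get-Date
    # Cert:\LocalMachine\My is the store shown as Certificates (Local Computer)\Personal.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $cn = $cert.GetNameInfo('SimpleName', $false)
        $san = @()
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($ext) {
            # English-language Windows formats DNS entries as "DNS Name=<host>".
            $san = [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value }
        }
        $matchedOn = $null
        if ($san -contains $Fqdn) { $matchedOn = 'SAN' }
        elseif ($cn -eq $Fqdn)    { $matchedOn = 'Subject' }
        if (-not $matchedOn) { continue }
        New-Object PSObject -Property @{
            Thumbprint       = $cert.Thumbprint
            MatchedOn        = $matchedOn
            HasPrivateKey    = $cert.HasPrivateKey
            InValidityPeriod = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        }
    }
}

function Test-QuerySslBinding {
    param([int]$Port, [string]$Thumbprint)
    # Read back the binding that "netsh http add sslcert" created on this port.
    $out = netsh http show sslcert "ipport=0.0.0.0:$Port"
    foreach ($line in $out) {
        if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            return ($Matches[1] -eq $Thumbprint)
        }
    }
    return $false   # no binding found on this port
}

# Usage with the article's example base port 13000 (query port 13286):
#   $c = Get-QueryServerSslCandidate | Where-Object { $_.HasPrivateKey -and $_.InValidityPeriod }
#   Test-QuerySslBinding -Port 13286 -Thumbprint $c.Thumbprint
```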

On the SharePoint Server 2010 server, follow these steps:

  1. Enable a trust relationship in SharePoint Server 2010 for the SSL certificate(s) that you created for each query server. Do this by importing the public certificate of the signing authority of the SSL Certificate(s) into SharePoint Server 2010:

    1. On the Start menu, click All Programs.

    2. Click Microsoft SharePoint 2010 Products.

    3. Right-click SharePoint 2010 Management Shell, and select Run as administrator.

    4. At the Windows PowerShell command prompt, type the following command(s):

      $trustCert = Get-PfxCertificate '<SSL_CA_Public_Cert>.cer'
      New-SPTrustedRootAuthority "FASTSearchHostQuerySSLCert" -Certificate $trustCert
      

      Where:

      • <SSL_CA_Public_Cert> is the name of the certificate from the signing authority of the SSL certificate(s).

      You will typically export this certificate from the Trusted Root Store on the query server.

  2. Change the Query Service Location configuration setting for the Query Search Service Application (SSA) to use the HTTPS endpoint. See Create and set up the Query Search Service Application (FAST Search Server 2010 for SharePoint) for detailed information.

Next step

When you have configured the claims authentication, and, optionally, enabled HTTPS, follow the steps in Create a FAST Search Center site (FAST Search Server 2010 for SharePoint).

See Also

Concepts

Deployment for FAST Search Server 2010 for SharePoint
FAST Search Authorization (FSA) overview
Manage certificates (FAST Search Server 2010 for SharePoint)

Other Resources

Add the Certificates Snap-in to an MMC