Prepare FAST Search Authorization for use with the FAST Search Lotus Notes connector


Applies to: FAST Search Server 2010

The user directory connector pushes Lotus Notes security information (users, groups and group memberships) into a FAST Search Authorization (FSA) Lotus Notes user store, essentially creating a copy, or cache, of the Lotus Domino user directory for FAST Search Server 2010 for SharePoint to use. Because the user store is a copy, changes to Domino users and group memberships are reflected in search results only after the user directory connector has been run again.

The purpose of this is that, when an Active Directory user performs a search in FAST Search Server 2010 for SharePoint, the system can expand the user to all of that user's Domino groups (and certifiers). This additional search filter ensures that the search results contain only Lotus Notes documents that the user has permission to read.

Create a Lotus Notes user store, enable the CCTK server and create an XMLAliaser

Before you run the user directory connector, you have to prepare FAST Search Authorization by creating a Lotus Notes user store, enabling the CCTK server and creating an XMLAliaser. This is done through Windows PowerShell cmdlets.

  1. Verify that you meet the following minimum requirements: You are a member of the FASTSearchAdministrators local group on the computer where FAST Search Server 2010 for SharePoint is installed.

  2. On the Start menu, click All Programs.

  3. Click Microsoft FAST Search Server 2010 for SharePoint.

  4. Click the Microsoft FAST Search Server 2010 for SharePoint shell.

  5. At the Microsoft FAST Search Server 2010 for SharePoint shell command prompt, type the following commands to create the new Lotus Notes user store:

    New-FASTSearchSecurityLotusNotesUserStore -id lnx

    Verify that the command returns without errors. If there are any errors, the command returns red text. If the command is successful, a number of parameters appear.

    Set-FASTSearchSecurityCCTKServer -Enable 1

    Verify that the command returns without errors. If there are any errors, the command returns red text. If the command is successful, you see the port number and an acknowledgement that the CCTK server is enabled. Note this port number, because you will need it during the configuration.

  6. Type the following command to create the XMLAliaser:

    New-FASTSearchSecurityXMLAliaser -id win2lnx -InputUserStoreId win -OutputUserStoreIds lnx -InputPropertyName '$PRINCIPAL_REFERENCE_ALIAS'

    Verify that the command returns without errors. If there are any errors, the command returns red text. If the command is successful, several parameters appear.

Configure aliasing

To be able to search Lotus Notes content through the SharePoint front-end, you have to map the Active Directory users to the Domino users. This process is known as aliasing. You do this by using the SSOMapping feature of the user directory connector together with the XMLAliasing feature of FAST Search Authorization (FSA).

You turn on the feature in the user directory connector by setting the parameter SSOMapping/UseSSOMapping to true. You may also have to configure the parameter SSOMapping/ADUserNameField to refer to the correct field in the user document in Domino that holds the Active Directory user name.

The parameters (parameter group / parameter) and their descriptions are:

  SSOMapping / UseSSOMapping
    Turn the generation of the SSO Mapping XML file on (true) or off (false). This parameter should be set to true if you have populated the Domino user documents with the corresponding Active Directory users in the format DOMAIN\user_name.

  SSOMapping / ADUserNameField
    If you have populated the Domino user documents with the Active Directory user names as the bottom value in the User name field, this parameter should have the value FullName(-1). This tells the connector that the last value in the multi-value field FullName (the internal API name for the User name field) contains the Active Directory user name.

After turning this feature on, you can run the FAST Search Lotus Notes user directory connector. Verify that the file specified in the parameter SSOMapping/XMLOutputFileName is created in the folder that is specified in the parameter FSAOutput/OutputDirectory and that it contains the correct mappings. It should contain mappings from the Active Directory user to the Domino distinguished name.

Upload the SSO mapping file to the XMLAliaser

After you have run the user directory connector (and generated a new ssomapping.xml file), upload this file to the XMLAliaser.

  1. Verify that you meet the following minimum requirements: You are a member of the FASTSearchAdministrators local group on the computer where FAST Search Server 2010 for SharePoint is installed.

  2. On the Start menu, click All Programs.

  3. Click Microsoft FAST Search Server 2010 for SharePoint.

  4. Click the Microsoft FAST Search Server 2010 for SharePoint shell.

  5. At the Microsoft FAST Search Server 2010 for SharePoint shell command prompt, type the following command to upload the ssomapping.xml file to the XMLAliaser:

    Set-FASTSearchSecurityXMLAliaser -id win2lnx -PathToXMLFile 'C:\FASTSearch\var\lotusnotesconnector\security\ssomapping.xml'

    Warning

    The path in this command is different if you have not installed FAST Search Server 2010 for SharePoint in the default directory C:\FASTSearch.

    Verify that the command returns without errors. If there are any errors, the command returns red text. If the command is successful, several parameters appear.

To verify that the import went well, check the XMLAliaser configuration:

  1. Verify that you meet the following minimum requirements: You are a member of the FASTSearchAdministrators local group on the computer where FAST Search Server 2010 for SharePoint is installed.

  2. On the Start menu, click All Programs.

  3. Click Microsoft FAST Search Server 2010 for SharePoint.

  4. Click the Microsoft FAST Search Server 2010 for SharePoint shell.

  5. At the Microsoft FAST Search Server 2010 for SharePoint shell command prompt, type the following command:

    Get-FASTSearchSecurityXMLAliaser -id win2lnx

Verify that the parameter XmlFileName was assigned a randomly generated XML file name:

    PathToXMLFile      :
    XmlFileName        : win2lnx_c3289e98-d0d1-4e84-8f83-97767eaf74df.xml
    InputPropertyName  : $PRINCIPAL_REFERENCE_ALIAS
    Identity           : win2lnx
    InputUserStoreId   : win
    OutputUserStoreIds : {lnx}

You should now be ready to search through the front-end and get results from Domino. These results should reflect the expected output according to the permissions of the Domino user mapped to the Active Directory user who searches.

Troubleshooting

Unable to upload the SSO mapping file to the XMLAliaser

Issue: The command Set-FASTSearchSecurityXMLAliaser returns a stack trace that contains the message Caused By: An item with the same key has already been added.

Cause: You have mapped more than one Domino user to the same Active Directory user, or the other way around.

Resolution:

  1. Inspect the file that you referred to in the FAST Search Lotus Notes user directory connector configuration file parameter SSOMapping/XMLOutputFileName and find the duplicate entry/entries.

    For example:

    <user name="AD\user1">
      <domain prefix="lnx" username="cn=<Domino User 1>/ou=department/o=company"/>
    </user>
    <user name="AD\user1">
      <domain prefix="lnx" username="cn=<Domino User 2>/ou=department/o=company"/>
    </user>
    
  2. Open Domino Administrator, edit the user document for one of the two users in the duplicate entries (<Domino User 1> or <Domino User 2>), and remove the Active Directory mapping for that user.

  3. Save the user document and rerun the FAST Search Lotus Notes user directory connector to reproduce the ssomapping.xml file.

  4. Rerun the command Set-FASTSearchSecurityXMLAliaser (see Upload the SSO mapping file to the XMLAliaser) and verify that the stack trace error message no longer appears.

  5. Run a query and check whether it returns the expected results.
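Both the duplicate mappings described in this issue and the DOMAIN\user_name format that SSOMapping/UseSSOMapping expects can be checked in the generated file before it is uploaded, which avoids the failed Set-FASTSearchSecurityXMLAliaser call altogether. The following PowerShell is an added example written for this page; it is not part of the FAST Search Server 2010 for SharePoint documentation or of the Lotus Notes connector. It assumes that ssomapping.xml consists of <user name="..."><domain prefix="..." username="..."/></user> entries as shown in the example above; the enclosing root element (<mappings> here) and the sample user names are constructed, and the function does not depend on the root element's name.

```powershell
# Added example (not from the FAST Search documentation or the connector): pre-upload
# consistency check of the ssomapping.xml produced by the user directory connector.
# Assumption: entries have the <user name="..."><domain prefix="..." username="..."/></user>
# shape shown on this page; the root element name is unknown here and is not relied on.
# Written for the PowerShell 2.0 shell that ships with FAST Search Server 2010.

function Test-SsoMapping {
    param([Parameter(Mandatory = $true)][xml]$Mapping)

    $problems = @()
    $entries  = @()
    $users = $Mapping.SelectNodes('//user')
    if ($users.Count -eq 0) { $problems += 'No <user> entries found in the mapping file.' }

    foreach ($u in $users) {
        $adName = $u.GetAttribute('name')
        $domain = $u.SelectSingleNode('domain')
        $dominoName = if ($domain -ne $null) { $domain.GetAttribute('username') } else { '' }

        # Expected form is DOMAIN\user_name: exactly one backslash, no whitespace on either side.
        if ($adName -notmatch '^[^\\\s]+\\[^\\\s]+$') {
            $problems += "Active Directory name '$adName' is not in DOMAIN\user_name form."
        }
        if ($dominoName -eq '') {
            $problems += "Entry for '$adName' has no <domain username=...> value."
        }

        # Keys are lower-cased so that case variants of the same name count as duplicates,
        # which is the conservative reading of the "same key" error FSA reports on upload.
        $entries += New-Object PSObject -Property @{
            AdName     = $adName
            DominoName = $dominoName
            AdKey      = $adName.ToLowerInvariant()
            DominoKey  = $dominoName.ToLowerInvariant()
        }
    }

    # One Active Directory user mapped to several Domino users.
    foreach ($g in ($entries | Group-Object -Property AdKey | Where-Object { $_.Count -gt 1 })) {
        $targets = ($g.Group | ForEach-Object { $_.DominoName }) -join '; '
        $problems += "Active Directory user '$($g.Group[0].AdName)' is mapped to $($g.Count) Domino users: $targets"
    }
    # One Domino user mapped from several Active Directory users (the "other way around").
    foreach ($g in ($entries | Group-Object -Property DominoKey | Where-Object { $_.Count -gt 1 -and $_.Name -ne '' })) {
        $sources = ($g.Group | ForEach-Object { $_.AdName }) -join '; '
        $problems += "Domino user '$($g.Group[0].DominoName)' is mapped from $($g.Count) Active Directory users: $sources"
    }

    New-Object PSObject -Property @{
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample modelled on the duplicate-entry example in the troubleshooting section
# (placeholder angle brackets removed so the XML is well formed). AD\user1 is duplicated and
# "user3" lacks the DOMAIN\ prefix; the other entries are clean.
[xml]$sampleMapping = @"
<mappings>
  <user name="AD\user1">
    <domain prefix="lnx" username="cn=Domino User 1/ou=department/o=company"/>
  </user>
  <user name="AD\user1">
    <domain prefix="lnx" username="cn=Domino User 2/ou=department/o=company"/>
  </user>
  <user name="AD\user2">
    <domain prefix="lnx" username="cn=Domino User 3/ou=department/o=company"/>
  </user>
  <user name="user3">
    <domain prefix="lnx" username="cn=Domino User 4/ou=department/o=company"/>
  </user>
</mappings>
"@

$result = Test-SsoMapping -Mapping $sampleMapping
if ($result.IsValid) {
    Write-Host 'ssomapping.xml is consistent; it can be uploaded with Set-FASTSearchSecurityXMLAliaser.'
} else {
    Write-Host 'Correct the following in the Domino user documents, then rerun the connector:'
    $result.Problems | ForEach-Object { Write-Host "  - $_" }
}

# Against the real file (default installation path; adjust if FAST Search is installed elsewhere):
# Test-SsoMapping -Mapping ([xml](Get-Content 'C:\FASTSearch\var\lotusnotesconnector\security\ssomapping.xml'))
```

Run it in the FAST Search shell after the user directory connector has finished and before uploading; when the check passes, the upload cannot fail on the duplicate-key error, and any reported name-format problem points at the Domino user document that needs to be edited.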

A query does not return the expected security trimmed results

Issue: Running a query does not return the expected security trimmed search results from Lotus Notes. Only anonymous Lotus Notes content is being returned.

Cause: The format of the Active Directory user in the security claim may be different from the Active Directory user format in the Domino user document.

Resolution: Set the FAST Search Authorization (FSA) security log level to “info” to check whether the security claim format for the Active Directory user in the FSA authorization worker log file corresponds to the Active Directory user format in the Domino user document. If the format is different, edit the Domino user document.

  1. Set the log level to info. Open a Microsoft FAST Search Server 2010 for SharePoint command prompt as an administrator and run the following command:

    Set-FASTSearchSecurityLogLevel -DefaultLogLevel Info
    
  2. Rerun the search.

  3. Go to <FASTSearchFolder>\var\log\syslog, where <FASTSearchFolder> is the path of the folder where you have installed FAST Search Server 2010 for SharePoint, for example C:\FASTSearch.

  4. Open the log file authorization-worker_<computer>.txt, where <computer> is the computer name of the query processing node. If there are multiple query processing nodes in the system, the information can be in any log file for any of the query processing nodes, depending on which query processing node serviced the request.

  5. Search for the system message from Claims.dll:GetClaimsPrincipal.

  6. Check if the format of the Active Directory user is the same as the format in the bottom value of the User name field in the Domino user document.

  7. If the format is different, correct the format in the Domino user document to match the format in the security claim.

    1. Open Domino Administrator and edit the Domino user document. Specify the Active Directory user name in the correct format in the bottom value of the multi-value User name field. Save the changes.

    2. Rerun the FAST Search Lotus Notes user directory connector to reproduce the ssomapping.xml file.

  8. Rerun the command Set-FASTSearchSecurityXMLAliaser. See Upload the SSO mapping file to the XMLAliaser.

  9. Run a query and check whether it returns the expected results.

See Also

Concepts

Configure the FAST Search Lotus Notes connector
Crawling Lotus Notes content with the FAST Search Lotus Notes connector
Start a crawl (FAST Search Lotus Notes user directory connector)
lotusnotessecuritytemplate.xml reference