Windows authentication and trust delegation
This feature is not available in the Squiz DXP.
In order for document level security to work, it is necessary for the search server to pass the user credentials that it has obtained on to the server from which the documents are retrieved (a fileshare, a TRIM server, etc.) so that they can be checked against the relevant security information. Windows explicitly disallows this when using Integrated Windows Authentication, unless the search server has been allowed to delegate credentials.
Please note that only Kerberos and Basic authentication permit delegation. NTLM doesn’t permit credential delegation. If using Basic HTTP Authentication, it is highly recommended that the search interface also be set up to use SSL encryption, because without this, passwords will be sent across the network in the clear.
Delegation, allowing the search server to delegate user credentials to the file servers, is set up in the Active Directory management console on the domain controller.
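The console setting described above can be verified from PowerShell. The following is an added example, not part of the Funnelback documentation: it reads the delegation attributes of the search server's computer account with the RSAT ActiveDirectory module and reports whether delegation is unconstrained or constrained to the intended file-server SPNs. The server and file-server names are placeholders.

```powershell
# Added example, not from the Funnelback documentation.
# Requires the RSAT ActiveDirectory module on a domain-joined administrative workstation.
Import-Module ActiveDirectory

# Placeholders: the search server's computer account and the file servers it retrieves documents from.
$SearchServer = 'SEARCHSRV'
$FileServers  = @('fileserver01.company.com', 'fileserver02.company.com')

$acct = Get-ADComputer -Identity $SearchServer `
    -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# "Trust this computer for delegation to any service" in the console.
# This is unconstrained delegation: broader than document level security needs.
if ($acct.TrustedForDelegation) {
    Write-Warning "$SearchServer is trusted for UNCONSTRAINED delegation (any service)."
}

# "Trust this computer for delegation to specified services only" populates msDS-AllowedToDelegateTo.
$allowed = @($acct.'msDS-AllowedToDelegateTo')
if ($allowed.Count -gt 0) {
    Write-Output "Constrained delegation targets for ${SearchServer}:"
    $allowed | ForEach-Object { Write-Output "  $_" }
}

# "Use any authentication protocol" (protocol transition) in the console.
if ($acct.TrustedToAuthForDelegation) {
    Write-Output "$SearchServer has 'use any authentication protocol' enabled."
}

# Report, per file server, whether its CIFS service is among the permitted delegation targets.
$report = foreach ($fs in $FileServers) {
    $spn = "cifs/$fs"
    [pscustomobject]@{
        FileServer  = $fs
        CifsSpn     = $spn
        Delegatable = ($allowed -contains $spn) -or [bool]$acct.TrustedForDelegation
    }
}
$report | Format-Table -AutoSize
```

A file server showing Delegatable = False here is one for which document level security checks will fail under Integrated Windows Authentication, regardless of the Funnelback configuration.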
Important notes
URL used by the client
For trust delegation to work properly from the client side, the Funnelback server must be accessed:
- Using its short name, such as http://server/s/search?collection=...
- Or, if using its Fully Qualified Domain Name (http://server.company.com/s/search?collection=...), the Funnelback server must have been included in the "Local Intranet" zone in Internet Explorer.
It’s also worth noting that other web browsers will require specific settings to allow trust delegation to function.