Windows authentication and trust delegation

This feature is not available in the Squiz DXP.

In order for document level security to work, the search server must pass the user credentials it has obtained on to the server from which the documents are retrieved (a fileshare, a TRIM server, etc.), so that they can be checked against the relevant security information. Windows explicitly disallows this when using Integrated Windows Authentication, unless the search server has been allowed to delegate credentials.

Please note that only Kerberos and Basic authentication permit delegation. NTLM does not permit credential delegation. If using Basic HTTP Authentication it is highly recommended that the search interface also be set up to use SSL encryption, because without this, passwords will be sent across the network in the clear.

Delegation, which allows the search server to forward user credentials to the file servers, is set up in the Active Directory management console on the domain controller.
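The following script is an added example, not part of the Funnelback documentation, showing how the delegation settings that the console configures can be checked from PowerShell on a domain-joined machine with the ActiveDirectory module (RSAT) installed. The computer account name, the file server name and the SPN are placeholders: substitute your own. It reports whether the search server's computer account is trusted for unconstrained delegation, constrained to specific services, or not allowed to delegate at all, and also checks for an HTTP service principal name, since without an SPN clients fall back to NTLM, which the note above explains cannot delegate.

```powershell
# Added example (not from the Funnelback documentation): audit the delegation
# configuration of the search server's Active Directory computer account.
# Assumes the ActiveDirectory module is available; names below are placeholders.
Import-Module ActiveDirectory

$searchServer = 'SEARCHSRV01'                  # placeholder: search server computer account
$expectedSpn  = 'HTTP/search.example.com'      # placeholder: SPN clients use for the search interface

$acct = Get-ADComputer -Identity $searchServer -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalName

# 1. Kerberos can only be negotiated if the search interface has an SPN.
if ($acct.ServicePrincipalName -notcontains $expectedSpn) {
    Write-Warning "No SPN '$expectedSpn' on $searchServer: browsers will fall back to NTLM, which cannot delegate."
}

# 2. Report the delegation mode the computer account is in.
if ($acct.TrustedForDelegation) {
    # Unconstrained delegation: the server may forward any user's ticket to any service.
    Write-Warning "$searchServer is trusted for UNCONSTRAINED delegation; prefer constraining it to the file servers it needs."
}
elseif ($acct.'msDS-AllowedToDelegateTo') {
    Write-Output "$searchServer uses constrained delegation to the following services:"
    $acct.'msDS-AllowedToDelegateTo' | ForEach-Object { Write-Output "  $_" }
    if ($acct.TrustedToAuthForDelegation) {
        Write-Output "  (protocol transition enabled: delegation also works for non-Kerberos logons such as Basic)"
    }
}
else {
    Write-Output "$searchServer is not allowed to delegate; document level security will not see the end user's identity."
}

# 3. Optional: constrain delegation to a single file server's CIFS service.
#    Uncomment to apply. 'cifs/fileserver.example.com' is a placeholder.
# Set-ADComputer -Identity $searchServer -Add @{ 'msDS-AllowedToDelegateTo' = 'cifs/fileserver.example.com' }
```

Constrained delegation (the `msDS-AllowedToDelegateTo` list) limits the damage if the search server is ever compromised, because it can only obtain tickets for the listed services rather than for anything in the domain; the unconstrained flag is what the console's "Trust this computer for delegation to any service" option sets.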

Important notes

URL used by the client

For trust delegation to work properly from the client side, the Funnelback server must be accessed:

It is also worth noting that other web browsers will require specific settings to allow trust delegation to function.

Missing authentication

If you do not set up an authentication mechanism for the search interface, there will be no real document level security. In actual fact it will act as if the logged-in user is the Windows LOCAL SERVICE account.