Extend webapp with SAML auth - Search not working

Hello,

I use an extended SharePoint 2013 site with a custom claim provider. On the extended site (only one Trusted Identity Provider enabled) authorization is working, but the search isn't.

On the default site the search is OK (it uses NTLM auth).

Here is the detailed (VerboseEx) log for a request: https://skydrive.live.com/redir?resid=231AA6F3B3B27673!912&authkey=!AEdmWmdiZz8H9os

Thanks,

Istvan

May 21st, 2013 8:06pm

Have you given the SAML users permissions to read the documents being crawled?
May 23rd, 2013 3:51am

Are you crawling on a non-default zone?

You need to crawl a default NTLM zone; please see this thread about issues with search results when you crawl a non-default zone: http://social.technet.microsoft.com/Forums/en-us/sharepointsearch/thread/ac6fef28-ea91-4cc0-8ecc-a88500d7ece4

May 23rd, 2013 7:23am

Yes, the user has full read permission.

The first problem was solved. I don't understand it exactly, but I changed the claim name (groupsid):

Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : DecodeClaimsAcl - input ClaimsType: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid ClaimsValue: Default Issuer:SharePoint OrigIssuer: ClaimProvider:UserPortalClaimProvider
Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : HandleSid - Claim Input: Default
Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : SSDL is invalid: Default Details: Value was invalid.  Parameter name: sddlForm

Now there is no error, but the search can't find anything.

But I found another Unexpected error in the log:

Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : DecodeClaimsAcl - input ClaimsType: http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider ClaimsValue: trusted:demoSTS Issuer:SharePoint OrigIssuer: SecurityTokenService 60ad1d9c-22bc-90e5-7879-874344af7a08

Unexpected Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : IdentityClaim from STS differs from known type: wb100o20onswg4lsnf1hs4dpnnsw332foj2gsy2forzhk32umvsdu1loozuxizlmon1hg 60ad1d9c-22bc-90e5-7879-874344af7a08

Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : DecodeClaimsAcl - Adding: http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider Value: trusted:demoSTS Issuer:SecurityTokenService --> wb100o20onswg4lsnf1hs4dpnnsw332foj2gsy2forzhk32umvsdu1loozuxizlmon1hg 60ad1d9c-22bc-90e5-7879-874344af7a08

Istvan


May 23rd, 2013 7:49am
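A check for the first problem in this post, added here as an example and not part of the thread: the search content processor expects a groupsid claim value to be a SID in SDDL form (the parameter name sddlForm in the error matches the .NET SecurityIdentifier(string sddlForm) constructor), so the script below scans DecodeClaimsAcl ULS lines and flags any groupsid claim whose value is not one. The log excerpt is constructed from the lines quoted above plus one well-formed line with a placeholder domain SID.

```python
import re
from typing import Dict, List

# ULS excerpt constructed for this example: the two DecodeClaimsAcl lines
# quoted in the thread plus one groupsid line carrying a placeholder SID.
SAMPLE_ULS = """\
Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : DecodeClaimsAcl - input ClaimsType: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid ClaimsValue: Default Issuer:SharePoint OrigIssuer: ClaimProvider:UserPortalClaimProvider
Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : DecodeClaimsAcl - input ClaimsType: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid ClaimsValue: S-1-5-21-1111111111-2222222222-3333333333-513 Issuer:SharePoint OrigIssuer: ClaimProvider:UserPortalClaimProvider
Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : DecodeClaimsAcl - input ClaimsType: http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider ClaimsValue: trusted:demoSTS Issuer:SharePoint OrigIssuer: SecurityTokenService
"""

GROUPSID_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"

# Textual SID as written in SDDL: S-1-<authority>-<sub-authority>{1,15}.
# Two-letter SDDL aliases such as "BA" are deliberately not accepted here.
SID_RE = re.compile(r"^S-1-(?:\d+|0x[0-9A-Fa-f]{1,12})(?:-\d+){1,15}$")

# Picks the claim type and claim value out of a DecodeClaimsAcl ULS line.
LINE_RE = re.compile(
    r"DecodeClaimsAcl - input ClaimsType: (\S+) ClaimsValue: (.*?) Issuer:"
)


def is_sddl_sid(value: str) -> bool:
    """True if value is a SID in the S-1-... textual (SDDL) form."""
    return SID_RE.match(value) is not None


def find_bad_groupsid_claims(uls_text: str) -> List[Dict[str, str]]:
    """Return every groupsid claim in the log whose value is not an SDDL SID.

    Each such claim would make the content processor fail the way the
    'SSDL is invalid ... Parameter name: sddlForm' line in the thread shows.
    """
    findings: List[Dict[str, str]] = []
    for line in uls_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        claim_type, value = m.group(1), m.group(2).strip()
        if claim_type == GROUPSID_CLAIM and not is_sddl_sid(value):
            findings.append({"claim_type": claim_type, "value": value,
                             "reason": "groupsid value is not a SID in SDDL form"})
    return findings


if __name__ == "__main__":
    for finding in find_bad_groupsid_claims(SAMPLE_ULS):
        print(finding)
```

Running it against the excerpt reports only the claim with value "Default"; the line with a well-formed SID and the identityprovider claim pass.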

I crawl the default zone only. (It is the same site as the extended one.)

When I switch on NTLM on the Extended (Extranet) zone and log in with a domain user, everything is OK.

When I switch it off and use the Trusted Identity Provider, the logged-on user gets only some hits. It seems to be a permission problem. I added Site Owner permission to AllUser(stsname), but it's the same.

The important thing: we use/testing cross-site publishing across web applications.

Istvan


May 23rd, 2013 10:38am

Yes, the user can read documents directly.
May 30th, 2013 8:23pm

Hi,

Did you find the solution?

April 21st, 2015 8:44pm
