No search results for ADFS user

We have a SharePoint 2013 web application configured to use Windows/NTLM authentication and a Trusted Identity Provider (ADFS) on the same default zone. If I perform a search as a windows user, I see results. If I perform a search when logged in as an ADFS user, I see no results.

I've tried full crawls, and even reset the index and recrawled. I turned logging up to verbose and ran a few queries. I couldn't find anything relevant in the logs, especially about permissions or access. The crawl logs look good too, but obviously things are getting crawled because the windows user gets lots of results.

Someone suggested I extend my web app into 2 zones, the default zone for windows auth and another zone for adfs auth. I did try this but still get no search results when logged in via adfs.

I have noticed one message in ULS, but I'm not sure if it is relevant: "IdentityClaim from STS differs from known type". The claim that ADFS gives SharePoint is windowsaccountname (sAMAccountName in AD).

The windowsaccountname claim comes in the form of an ID number, e.g. 123456, and also prefixed with the domain, e.g. domain\123456. The userid claim is in the form 0.t|adfs|123456.

Does anyone have any suggestions on how to further troubleshoot this?

August 18th, 2015 6:20pm

Hi Lance,

From your description, it seems that you have created the wrong claims mapping when creating the trusted identity provider.

Per my knowledge, we need to create at least three claims mappings: EmailAddress, UPN and Role.

Please refer to the "Checklist when creating the trusted identity provider" part in the link below:

http://blogs.technet.com/b/hansbaumann/archive/2014/09/11/checklist-when-configuring-adfs-with-sharepoint.aspx

So I recommend re-configuring the trusted identity provider for ADFS and then checking whether the results can be searched.

https://technet.microsoft.com/en-us/library/Hh305235.aspx

The same Windows user, logging in to SharePoint through claims-based Windows authentication or through ADFS, will be treated as two different users in SharePoint.

So you also need to verify that both users have permission to the resource you expect to be returned in the search results.

Thanks,

Victoria

August 19th, 2015 11:16pm
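One way to check both of Victoria's points from the SharePoint 2013 Management Shell: list the trusted provider's claim mappings (the identity claim configured there is what the "IdentityClaim from STS differs from known type" message compares against), then resolve the Windows login and the ADFS login of the same account as two separate SharePoint users and test whether each can read the site that search should return. This is an added example, not code from anyone in this thread; the provider name "ADFS", the site URL and the account are placeholder assumptions.

```powershell
# Added example (not from the thread). Placeholders: provider "ADFS",
# site http://sharepoint.contoso.local, account CONTOSO\123456.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://sharepoint.contoso.local"                   # placeholder
$issuer  = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS"   # placeholder name
$account = "CONTOSO\123456"                                    # placeholder sAMAccountName

# 1. Claim mappings on the trusted identity provider, and which one SharePoint
#    treats as the identity claim. This is what to compare against the claims
#    ADFS actually issues in its relying-party claim rules.
"Identity claim type: " + $issuer.IdentityClaimTypeInformation.InputClaimType
$issuer.ClaimTypeInformation |
    Select-Object DisplayName, InputClaimType, MappedClaimType |
    Format-Table -AutoSize

# 2. Same AD account, two SharePoint identities: the Windows claims login and the
#    login minted by the trusted provider. Their encoded forms differ, so a
#    permission granted to one does not apply to the other.
$windowsPrincipal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
$adfsPrincipal    = New-SPClaimsPrincipal -ClaimValue $account `
    -ClaimType $issuer.IdentityClaimTypeInformation.InputClaimType `
    -TrustedIdentityTokenIssuer $issuer

# 3. Search security-trims results per user, so check read access for each
#    encoded login on the site whose items are expected in the results.
$web = Get-SPWeb $siteUrl
try {
    foreach ($principal in @($windowsPrincipal, $adfsPrincipal)) {
        $login   = $principal.ToEncodedString()
        $canRead = $web.DoesUserHavePermissions(
            $login, [Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
        "{0,-50} ViewListItems: {1}" -f $login, $canRead
    }
}
finally {
    $web.Dispose()
}
```

If the Windows login reports True and the ADFS login False, the missing results are a permission difference between the two identities rather than a crawl or index problem.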

Hi Victoria,

Thanks for your suggestions. Strangely enough, I tried to recreate the issue on my DEV server and was not able to. I mean that search results are working as expected on the DEV server. Results are being returned for both ADFS and windows logins. It seems the error "IdentityClaim from STS differs from known type" is irrelevant because I get the same one on DEV even though I get results. I did mock up the site using the exact same settings for realm and ID provider etc.

Now I have to try and figure out what is different. The DEV server is just a single server, so it is set up quite differently.

Any suggestions on things to look at? I will start with the Search service app and the web app permissions but if you can suggest anything else it would be appreciated.

Thanks again.


August 20th, 2015 10:41am

This is resolved now.

For other reasons, we needed to reconfigure our web application into separate zones. We decided to recreate it at this point, and also recreated the search service application while we were at it.

I've done a small test and results are coming back to users as expected.

August 20th, 2015 7:07pm

Hi Lance, 

Could you please let us know exactly what steps you followed to resolve this issue?



August 21st, 2015 2:23am
