Search & Claims / SSO

Hi,

We have an SP2013 farm with search running against some custom connectors which works fine (when searching from another site using Windows auth).  However, I set up a new site using Ping Federate as the Trusted Identity Token Issuer, which also works fine for authentication.  The problem is that Search fails with an obscure message:

Microsoft.Ceres.ContentEngine.Processing.BuiltIn.ClaimsConverterProducer : IdentityClaim from STS differs from known type: wb100o20onswg4lsnf1hs4dpnnsw332foj2gsy2forzhk32umvsdu3djnztwmzlemvgc4dfon1hgni

I had hoped Microsoft would have done something about the absolutely useless log entries and actually started to give us information we could work with.  The claims I am sending over are the upn, windowsaccountname, and primarysid.   Accessing the site works fine - it is only when searching that this error occurs.  Any ideas?


February 3rd, 2015 5:59pm

If your best answer is to tell someone to Google something, then you clearly don't know.  How about just not replying if you have no clue?  I reported your response as demeaning and useless.

And that "top result" is useless.  That's why I'm here.


  • Edited by Scott Hutter Tuesday, February 03, 2015 10:54 PM
February 4th, 2015 1:53am

Hello Scott,

Did you already find a solution? I am currently seeing the same error at a customer acceptance environment.

Out of curiosity, on which patch level are you in your farm?

March 5th, 2015 5:36am

I'm sorry, I didn't.
March 31st, 2015 3:59pm

What's your configuration?

Are you able to log into SharePoint with the account that the crawler uses?

Does the web application use Trusted Provider only or multiple auth protocols?

Search works best with Windows auth. It's recommended to keep NTLM/Negotiate in the default zone and extend the web application to a different zone for claims authentication.

Example: Set up two DNS records "internal_sp.company.com" and "sharepoint.company.com". Create your web application with the address https://internal_sp.company.com and NTLM or Negotiate for authentication. Extend it to another zone with the address https://sharepoint.company.com and Trusted Provider for authentication. internal_sp.company.com should be used only by the crawler and must be in the Default zone in AAM (Alternate Access Mappings) configuration. Your users would then enter through sharepoint.company.com, which authenticates with the STS; search would enter through internal_sp, which authenticates with Windows auth, and everyone is happy.

April 1st, 2015 6:08am
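
The zone layout described in the reply above, as an added example that is not part of the original thread: a web application created with Windows authentication in the Default zone for the crawler, then extended to a second zone that uses the trusted identity token issuer. The two hostnames come from the reply; the issuer name, application pool, managed account and the choice of the Intranet zone are assumptions to replace with your own values.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed names, not from the thread: replace with your farm's values.
$issuerName  = 'PingFederate'            # hypothetical trusted identity token issuer name
$appPoolName = 'SP-Content-AppPool'      # hypothetical application pool
$appPoolAcct = 'CONTOSO\svc-spapppool'   # hypothetical managed account

# Hostnames taken from the reply above.
$crawlUrl = 'https://internal_sp.company.com'
$userUrl  = 'https://sharepoint.company.com'

# Default zone: Windows authentication, reserved for the search crawler.
# Add -DisableKerberos to force NTLM instead of Negotiate.
$winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$webApp  = New-SPWebApplication -Name 'Content (crawl)' `
    -ApplicationPool $appPoolName `
    -ApplicationPoolAccount (Get-SPManagedAccount $appPoolAcct) `
    -URL $crawlUrl -HostHeader 'internal_sp.company.com' -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $winAuth

# Second zone: users authenticate through the trusted provider (the STS).
$issuer  = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$trusted = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplicationExtension -Identity $webApp -Name 'Content (users)' `
    -Zone Intranet `
    -URL $userUrl -HostHeader 'sharepoint.company.com' -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $trusted

# Check 1: the crawler hostname must be the Default-zone URL in AAM.
Get-SPAlternateURL -WebApplication $webApp |
    Select-Object IncomingUrl, Zone, PublicUrl | Format-Table -AutoSize
$default = Get-SPAlternateURL -WebApplication $webApp -Zone Default
if ($default.IncomingUrl -notcontains $crawlUrl) {
    Write-Warning "Default zone is not $crawlUrl; the crawler would hit a claims-only zone."
}

# Check 2: list the authentication providers bound to each zone.
foreach ($zone in 'Default', 'Intranet') {
    "Zone: $zone"
    Get-SPAuthenticationProvider -WebApplication $webApp -Zone $zone |
        Format-List DisplayName, ClaimProviderName, UseWindowsIntegratedAuthentication
}
```

The search content source's start address should be the Default-zone URL, and the HTTPS bindings and certificates for both hostnames still have to be configured in IIS.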

This topic is archived. No further replies will be accepted.
