Google Search Appliance

Skip over site navigation

• Search Appliance

  • Overview
  • Documentation Home

• Enabling Windows Integrated Authentication

• Support Resources

  • Frequently Asked Questions
  • Google Search Appliance/Google Mini Group
  • Contact Support

Enabling Windows Integrated Authentication

Google Search Appliance software version 5.0
Posted October 2007

Google SAML Bridge for Windows lets you integrate Google Search Appliance into a Windows domain environment, to provide a better search experience for your users. By default, a Google Search Appliance user who searches for and views secure content must enter credentials at an authentication stage and a results authorization stage. The Google SAML Bridge for Windows enables the search appliance to use the user's Windows domain login credentials and removes the need for redundant logins.

Table of Contents

About This Document
Overview
Meeting the Prerequisites
Downloading and Unpacking the SAML Bridge
Configuring the SAML Bridge in IIS
Granting the "Act as Part of the Operating System" Privilege
Verifying the Setup
Setting Up and Using the Google Search Appliance Simulator
Deploying to a Production Environment
Troubleshooting

About This Document

This section describes the audience for this document, some terminology that you should be aware of, and some additional sources of information.

Audience

This document assumes that you are an experienced Windows administrator. You must have privileges to configure Active Directory and to configure the Internet Information Services (IIS) server that will host the SAML Bridge, or access to someone who can do that.

Terminology

In this document, Internet Information Services (IIS) servers are used in two ways:

• An IIS server that is used to host the SAML Bridge is called a SAML Bridge host.
• IIS servers that can host content are called content servers.

When this document refers to the Windows networking protocol SMB/CIFS, it uses the term Common Internet File System (CIFS), to match the user interface of the components you'll be configuring. Other search appliance documentation refers to the same protocol by using the term Server Message Block (SMB).

For More Information

For background information on the technology described in this document, refer to these sources:

• The topic Serve for Controlled Access Content, in the document Managing Search for Controlled-Access Content: Crawl, Index, and Serve and the online help topics on the pages cited in that topic.
• The Google Enterprise Authentication/Authorization SPI Guide. The SAML Bridge is an application of the Google Search Appliance Authentication/Authorization SPI, for which it has the roles of Identity Provider and Policy Decision Point. These terms are explained in the SPI Guide.
• A Google search on SAML can provide background information on the SAML protocol.

Overview

Google SAML Bridge for Enterprise facilitates authentication and authorization for search results, mediating between your users and your Windows domain. It allows users to gain seamless access to content that resides on file systems, web servers, or Microsoft Office Sharepoint servers. The SAML Bridge is implemented as an ASP.NET website that resides in IIS.

This overview describes the role of the SAML Bridge in the lifecycle of a search query:

1. A user creates a search query that includes secure content.
2. The search appliance uses its Authentication SPI to redirect the user to the SAML Bridge. The SAML Bridge uses Kerberos to authenticate the user.
3. The search appliance determines the search results for the user. If the results include secure content, the search appliance uses the Authorization SPI to send an authorization request to the SAML Bridge. The SAML Bridge must then verify the user's permissions to view the results.
4. The SAML Bridge obtains a Kerberos ticket to use on the user's behalf. This is possible because the domain server is configured to enable the SAML Bridge to impersonate the user to the content server.
5. The SAML bridge checks the user's access to the search results content by impersonating the user to the content server.
6. The SAML bridge sends a Permit message or Deny message to the search appliance, which displays the permitted content but does not display the denied content.
   

Meeting the Prerequisites

Before installing the SAML Bridge, you'll need to check software versions and perform some configuration.

This section covers the following prerequisites:

• Content server prerequisites
• SAML Bridge host prerequisites
• Kerberos prerequisites
• Active Directory and domain controller prerequisites

Content Server Prerequisites

You can use the SAML Bridge with file shares or other content servers. The following content servers were tested:

• IIS content servers.
  • IIS 5 on Windows Server 2000
  • IIS 6 on Windows Server 2003
  • IIS 5 and IIS 6 with Network Load Balancing (NLB)

    To verify the version of IIS, do this: From the Start menu, point to Administrative Tools, then click Internet Information Services (IIS) Manager. In IIS Manager, choose Help > About.

• File share content servers.
  • Windows file share
  • Server Cluster File Share, using Microsoft Cluster Service
• SharePoint content servers.
  • SharePoint Portal Server 2003 and Windows SharePoint Services 2.0.
  • SharePoint Server 2007 and Windows Sharepoint Services 3.0

SAML Bridge Host Prerequisites

The following prerequisites apply to the IIS server that hosts the SAML Bridge:

• IIS must be at version 6.0 or above. To verify the version of IIS, do this: From the Start menu, point to Administrative Tools, then click Internet Information Services (IIS) Manager. In IIS Manager, choose Help > About.
• The server must be running the .NET Framework Version 2.0 or above. To verify the version, in the IIS Manager tree view, under the host name, click Web Service Extensions. In the Web Service Extensions panel, look for ASP.NET v2.0 or later.

Kerberos

Kerberos must be running on each content server whose content requires authorization.

To verify whether Kerberos is being used, you can use tools such as Windows Network Monitor or tcp trace or a browser extension that shows HTTP headers. You can view the headers that result from any communication with the content server. The content server should send the following header if Kerberos is in use.

WWW-Authenticate: Negotiate

For example, in the following header, look for the Negotiate header in the server responses.

GET /ac/login.aspx HTTP/1.1 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 
Accept-Language: en-us 
UA-CPU: x86 
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
Host: myhost
Connection: Keep-Alive
    
HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate 
WWW-Authenticate: NTLM
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Wed, 26 Sep 2007 21:26:01 GMT 

You can refer to an unsupported Wiki page on configuring Kerberos for more information.

Active Directory and Domain Controller Prerequisites

The domain controller that is running Active Directory must meet the following requirements:

• Windows Server 2003 Kerberos Extension must be available. Kerberos is used for authentication between the SAML Bridge and the content server.
• The domain functional level must be set to Windows Server 2003. Refer to the Microsoft Technet site for instructions about how to raise the domain functional level.
• Active Directory must be configured to permit the SAML Bridge to use delegated credentials from the user to access content on the content server. The procedure for configuring Active Directory follows.

To configure Active Directory to permit the SAML Bridge to use delegated credentials, follow this procedure:

1. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
2. In the tree view, click Computers.
3. In the right pane, select the server that hosts the SAML Bridge, right click, and select Properties.
4. In the Properties dialog, click the Delegation tab.
5. Select Trust this computer for delegation to specified services only.
6. Select Use any authentication protocol.
7. Click the Add button. The Add Services dialog appears.
8. Click the Users or Computers button. The Select Users or Computers dialog appears.
9. Under Enter the object names to select, you must now enter the Service Principal Name (SPN) for the Kerberized content server to which the host of the SAML Bridge will delegate.
• If you are using Network Service to run an HTTP service, enter the name of the content server.
• If you are using a domain account to run an HTTP service, enter the name of the domain account.
• If you are using Microsoft Cluster Server to run a CIFS server, enter the Network Name of the group that contains the file share.
10. Optionally, click Check Names to verify that you entered the name correctly.
11. Click OK. The Add Services dialog reappears, showing the available services for the object whose SPN you specified.
12. To select one or more services to which the SAML Bridge will delegate, first identify the service type, and then select the name in the User or Computer column.

    To find the service type:

• If the content server is a web server or SharePoint server, the service will be listed in the Service Type column as HTTP.
• If the content server is a filesystem, the service will be listed in the Service Type column as CIFS.

To select the name of the services in the User or Computer column:

• If users will access the content server by using the NetBIOS name, select that name.
• If users will access the content server by using a DNS alias, select the DNS alias.
• If the content server is a load balanced web server, select the associated virtual host name. You'll also need to select the NetBIOS name of each physical server represented by the virtual host.
13. Click OK. The Properties dialog now reappears. Under Services to which this account can present delegated credentials, you can see the list of services that you just specified.
14. Click OK to close the Properties dialog and then close the Active Directory Users and Computers snap-in.

Downloading and Unpacking the SAML Bridge

You can install the SAML Bridge on any IIS server that meets the prerequisites listed above.

To install the SAML Bridge software, do the following:

1. Download the SAML Bridge package from http://code.google.com/p/google-saml-bridge-for-windows/downloads/list.
2. Unpack the download to a local directory on the server.

There are two sub folders:

• The saml-bridge directory contains the SAML Bridge.
• The gsa-simulator directory contains a simulator that you use to test the SAML Bridge before connecting it to the search appliance.

Configuring the SAML Bridge in IIS

The SAML Bridge for Enterprise is implemented as a virtual directory that runs in IIS.

Creating a Virtual Directory for the SAML Bridge

You must now create the virtual directory in IIS.

1. From the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the IIS Manager tree view, expand the machine name, and then expand Web Sites.
3. Right click the web site under which you want to install the SAML Bridge and select Virtual Directory.

   The Virtual Directory Creation Wizard appears.

4. Click Next.
5. On the Virtual Directory Alias page, in the Alias field, enter saml-bridge and then click Next.
6. On the Web Site Content Directory page, click Browse and navigate to the directory where you unpacked the SAML Bridge.
7. Select the subfolder called saml-bridge, and then click OK.
8. Back on the Web Site Content Directory page, click Next.
9. On the Virtual Directory Access Permissions page, select Read and Run Scripts (such as ASP), and then click Next.
10. Click Finish to exit the wizard, but leave IIS Manager open.

Setting Web Application Properties of the SAML Bridge

When you configured the virtual directory to run scripts such as ASP, you configured it as a web application. You'll now configure the web application.

1. In the IIS Manager tree view, under Web Sites, find the virtual directory called saml-bridge, which you created in the previous procedure.
2. Right click the virtual directory saml-bridge, and select Properties. The Properties dialog appears, showing the default tab Virtual Directory.
3. In the Execute permissions drop-down, ensure that the value is Scripts only.
4. Write down the name that appears in the Application Pool drop-down menu.
5. Click the Directory Security tab.
6. In the Authentication and Access Control region, click Edit. The Authentication Methods dialog appears,
7. Select Enable anonymous access if it is not already selected, and clear any options that are selected in the Authenticated access region.
8. Click OK to close the Authentication Methods dialog and then click OK to close the Properties dialog.

Now you have created the saml-bridge virtual directory and configured it as a web application.

Configuring Authentication Requirements for the Login.aspx File

The Login.aspx file is the component of the SAML Bridge that authenticates the user. When a user makes a secure search request, the search appliance redirects the request to this Login.aspx file for authentication, as described in the Overview section.

You will now configure the Login.aspx file to require authentication, so that the user's browser sends Windows login credentials.

1. In the IIS Manager tree view, under Web Sites, locate and select saml-bridge.
2. In the list view on the right, right click the file Login.aspx, and select Properties. The Properties dialog appears.
3. Click the File Security tab.
4. In the Authentication and Access Control region, click Edit.
5. In the Authentication Methods window that appears, deselect Enable anonymous access and select Integrated Windows Authentication.
6. Click OK to close the Authentication Methods dialog and then click OK to close the Properties dialog.

This file is treated differently from other files in the saml-bridge website. This file requires authentication, but the search appliance needs anonymous access to other files under the virtual directory.

Verifying the Configuration of the SAML Bridge Application Pool

This process verifies that the Application Pool identity for the SAML Bridge is Network Service.

1. In the IIS Manager tree view, click to expand Application Pools.
2. Right click the name of the application pool that was configured for saml bridge and select Properties.
3. In the Properties dialog, click the Identity tab.
4. In Application pool identity, verify that Predefined is selected and that Network Service is selected in the drop-down menu.
5. Click OK to close the Properties dialog.

Modifying the Windows Registry

This step is required only if the same IIS server is both a SAML Bridge host and a content server.

To avoid problems that occur when the SAML Bridge attempts to access the local web files, you'll need to update the Registry, by following the instructions in Microsoft KB article 896861.

Granting the "Act as Part of the Operating System" Privilege

When the search appliance sends an authorization request with a user name, the SAML Bridge can generate a Windows token by impersonation, but it can use the token to access remote resources only if it has the privilege "Act as part of the operating system." The Network Service that represents the identity of the SAML Bridge Application Pool must now be configured to act as part of the operating system, if it is not already configured that way.

In some environments, you can't configure a host individually, because the domain controller sets security settings for all hosts in the domain. If your environment is set up that way, you'll need to get access to the domain controller or to ask its administrator to perform this configuration.

If you can configure the SAML Bridge host, do the following:

1. Open Control Panel > Administrative Tools > Local Security Settings.
2. In the left panel, select Security Settings > Local Policies > User Rights Assignment.
3. Open Act as part of operating system.
4. In the Act as part of the operating system Properties dialog, click Add User or Group.
5. In the Add User or Group dialog, enter Network Service and click OK. The Act as part of the operating system Properties dialog reappears, with Network Service in the box.
6. Click OK to close the Properties dialog.

Verifying the Setup

Before proceeding, you now need to verify the configuration as follows:

1. Verify the configuration of the SAML Bridge
2. Test impersonation

Verifying the Configuration of the SAML Bridge

This step verifies that the Application Pool of the SAML Bridge is using Network Service and that the SAML Bridge can obtain a user's identity.

In the address field of an Internet Explorer browser, enter http://your_saml_bridge_host/saml-bridge/Login.aspx.

You'll see a response like the following, which assumes that your domain is sam1 and your Windows account is davidd.

Application Pool Identity = NT AUTHORITY\NETWORK SERVICE
Your Windows account   =  sam1\davidd
Use Login.aspx?subject=user@domain to test impersonation

The NETWORK SERVICE keyword shows that the SAML Bridge is properly configured to use Network Service. If Application Pool Identity is not set to Network Service, follow the steps in Verifying the Configuration of the SAML Bridge Application Pool.

In the response, you'll see your own domain and login information, because you accessed the file. When the system is in use, the file obtains the domain and login information for each authenticated user.

Testing Impersonation

This step checks that Active Directory is configured to allow delegation by the SAML Bridge. You specify a domain and username, and the test returns a message that is written using the user's identity.

In the address field of an Internet Explorer browser, enter http://your_saml_bridge_host/saml-bridge/Login.aspx?subject=user@domain, in which user@domain is any domain user. You should not be prompted for credentials. If you are prompted for credentials, refer to the section Troubleshooting.

If your SAML Bridge host is myhost, your username is jeff, and your domain is inside-sales, you'd enter the following address:

http://myhost/saml-bridge/Login.aspx?subject=jeff@inside-sales

Text like the following appears in the browser:

Obtained Windows identity for jeff@inside-sales
This message was written using the identity of jeff@inside-sales
Impersonation successful!  

Repeat this test with a variety of user accounts, to ensure that the SAML Bridge can impersonate various users.

Setting Up and Using the Google Search Appliance Simulator

A Google Search Appliance simulator lets you test that the SAML Bridge can gain authorization for resources on the content server, without involving the complexity of the search appliance. Once you know that the SAML Bridge works, you can reconfigure it to work with the search appliance.

Like the SAML Bridge, the simulator is implemented as a .NET web application. When you configure the simulator, you'll repeat some of the steps you took to configure the SAML Bridge. The simulator is in the SAML Bridge sub folder /gsa-simulator/.

The steps are as follows:

• Creating the virtual directory for the simulator
• Configuring the simulator web application
• Configuring the simulator to communicate with the SAML Bridge
• Configuring the SAML Bridge to communicate with the simulator
• Running a test

You perform all these steps on the host on which you installed the SAML Bridge and simulator.

Creating a Virtual Directory for the Simulator

You must now create a virtual directory in IIS for the simulator.

1. If IIS Manager is not already open, open it now. From the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the IIS Manager tree view, expand the machine name, and then expand Web Sites.
3. Right click the web site under which you installed the SAML Bridge, and then select New Web Virtual Directory.

   The Virtual Directory Creation Wizard appears.

4. Click Next.
5. On the Virtual Directory Alias page, in the Alias field, enter gsa-simulator and then click Next.
6. On the Web Site Content Directory page, click Browse and navigate to the directory where you unpacked the SAML Bridge.
7. Select the subfolder called gsa-simulator, and then click OK.
8. On the Virtual Directory Access Permissions page, select Read and Run Scripts (such as ASP), and then click Next.
9. Click Finish to exit the wizard.

Configuring the Web Application for the Simulator

You'll now configure the web application.

1. If IIS Manager is not already open, open it now. From the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the IIS Manager tree view, under Web Sites, find the virtual directory, gsa-simulator, that you created in the previous procedure.
3. Right click gsa-simulator and select Properties. The Properties dialog appears, showing the default tab Virtual Directory.
4. In the Execute permissions drop-down, ensure that the value is Scripts only.
5. Click the Directory Security tab.
6. In Authentication and access control, click Edit. The Authentication Methods dialog appears,
7. Select Enable anonymous access if it is not already selected, and clear any options that are selected in Authenticated access.
8. Click OK to close the Authentication Methods dialog and then click OK to close the Properties dialog.

Now you have created the gsa-simulator virtual directory and configured it as a web application.

Configuring the Simulator to Communicate with the SAML Bridge

The search appliance simulator lets you examine the communication flow between the SAML Bridge and search appliance. These steps configure the simulator by providing it with the location of the SAML bridge:

1. In File Explorer, go to the subfolder gsa-simulator.
2. In that subfolder, open the file Web.config for edit.
3. Scroll to the bottom to find <appSettings>. You'll see the following lines:

   <add key="ac" value="http://saml-bridge-hostname/saml-bridge/" />

4. Replace saml-bridge-hostname with the name of the host. Do not use "localhost"; an actual host name is required.
5. Save the file and exit.

Configuring the SAML Bridge to Communicate with the Simulator

These steps configure the SAML Bridge by providing it with the location of the simulator.

1. In File Explorer, go to the subfolder saml-bridge.
2. In that folder, open the file Web.config for edit.
3. Scroll to the bottom to find <appSettings>. You'll see the following lines:

   <add key="provider" value="SAMLServices.Wia.AuthImpl"/>
   <add key="log_level" value="error"/>
   <!-- gsa uses Https for artifactConsumer -->
   <!--add key="artifact_consumer" value="https://gsa_host/SamlArtifactConsumer"/-->
   <!-- this is the GSA simulator -->
   <add key="artifact_consumer" value="http://host_name/gsa/SamlArtifactConsumer.aspx"/>

4. In the second line, change the value of log_level to debug. You'll reset the value to error when you're ready to deploy the SAML Bridge, for performance reasons.

   Notice the fourth and sixth lines, which are similar. These lines specify the artifact_consumer, which is a URL for the service to which the SAML Bridge sends information. The fourth line is a configuration to use with the search appliance and the sixth line is a configuration to use with the simulator.

5. In the sixth line, replace host_name with the SAML Bridge hostname.
6. Save the file and exit.

Later, when you're ready to deploy the SAML Bridge to a production environment, you'll reverse this process, to enable the SAML Bridge to communicate with the search appliance rather than the simulator.

Running a Test

To test the SAML Bridge by using the simulator, do the following:

1. Identify a URL and verify that you have access.
   • For web site content, pick a URL on the content server that you have access to. Open a browser, type in the URL and see whether you can access it.
   • For file share access, pick a file that you have access to, open a Windows File Explorer and see whether you can access the file.
2. Choose a URL to which you do not have access and verify that you do not have access.
   • For web site content, pick a URL on the content server that you have access to. Open a browser, type in the URL and see whether you can access it.
   • For file share access, pick a file that you have access to, open a Windows File Explorer and see whether you can access the file.
3. In a browser, type the address of your simulator, using the following format. Replace your_saml_bridge_host with the correct hostname.

   http://your_saml_bridge_host/gsa-simulator/Default.aspx

   The browser window displays a link with this text: "Click this link to simulate a secure document search."

4. Click the link.

   The file Search.aspx appears. This simulated search page lets you specify a file or URL resource whose authorization you want to test. In response, you receive feedback about whether you are permitted access to the specified resource.

5. Enter a URL into the field. Specify one of the URL or file resources that you picked earlier, either one that you do have access to or one that you don't have access to. Note that this page requires that if you want to test a file on a file share, you must specify the URL by including the SMB protocol name, using the following format:

   SMB://rest-of-url

6. Click Submit. The page returns an authorization response XML file. In the file, locate the Decision code. You'll see a "permit" code for content to which you have access and a "deny" code for content to which you do not have access.

   This is an example of a permit code:

   • <saml:AuthzDecisionStatement Resource="http://contentvm10/test2.html" Decision="Permit">

   This is an example of a deny code:

• <saml:AuthzDecisionStatement Resource="http://contentvm10/test2.html" Decision="Deny">

If the content server is down, or if there are configuration errors, the response contains the following:

• <saml:AuthzDecisionStatement Resource="http://contentvm10/test2.html" Decision="Indeterminate">

Once you have successfully used the SAML Bridge with the simulator, you can set up communication between the SAML Bridge and your search appliance.

Deploying to a Production Environment

If you haven't already configured the search appliance to crawl your secure content, do it now. In the Admin Console, do the following:

• Specify the crawl patterns and crawl URLs on the Crawl and Index > Crawl URLs page.
• Specify credentials for crawling controlled access content on the Crawl and Index > Crawler Access page.
• Verify that the secure content has been crawled by looking at the Status and Reports > Crawl Diagnostics page.

You are now ready to set up your environment.

Configuring the Search Appliance to Use the SAML Bridge

You must now configure the Google Search Appliance so that it uses the SAML Bridge for authentication and authorization. You do this by configuring it to use the authentication SPI and the authorization SPI.

To configure the search appliance, do the following:

1. In the search appliance Admin Console, display Serving > Access Control.
2. Under Authentication SPI, enter the following:
• For User Login URL, enter http://your_ac_host/ac/Login.aspx, where your_ac_host is the name of the host on which the SAML Bridge is installed
• For Artifact Service URL, enter http://your_ac_host/ac/Resolve.aspx.
3. Under Authorization SPI, for Authorization Service URL, enter http://your_ac_host/ac/Authz.aspx.
4. Select Disable prompt for Basic authentication or NTLM authentication.
5. Click Save Settings.

SSL is required by the SAML artifact consumer URL on the Google Search Appliance, but not by the search page or SAML Bridge. However, if you do not enable SSL on both the Google Search Appliance and SAML Bridge host, secure searches display warnings about redirection to secured sites from non-secured sites. Therefore, Google recommends that you enable SSL on both the Google Search Appliance and SAML Bridge.

For information on how to enable SSL for the Google Search Appliance, in the Admin Console, click Administration > SSL Settings. Use the online help that is available from that page for information.

For information on how to enable SSL for SAML Bridge, refer to the Microsoft IIS documentation.

Configuring the SAML Bridge to Communicate with the Google Search Appliance

In a previous step, you configured the SAML Bridge to communicate with the simulator. Now you must reconfigure the SAML Bridge so that it communicates with the search appliance instead of the simulator.

1. In File Explorer, go to the subfolder saml-bridge.
2. In that folder, open the file Web.config for edit.
3. Scroll to the bottom to find <appSettings>. You'll see the following lines:

   <add key="provider" value="SAMLServices.Wia.AuthImpl"/>
   <add key="log_level" value="debug"/>
   <!-- gsa uses Https for artifactConsumer -->
   <!--<add key="artifact_consumer" value="https://gsa_host/SamlArtifactConsumer"/>--> 
   <!-- this is the GSA simulator -->
   <add key="artifact_consumer" value="http://host_name/gsa/SamlArtifactConsumer.aspx"/>

4. In the second line, change the value of log_level from debug to error.
5. Uncomment the fourth line and add comment notation to the sixth line.
6. In the fourth line, replace gsa_host with the hostname or IP address of your search appliance.
7. Save the file and exit.

Ensuring Connectivity Between the Google Search Appliance and SAML Bridge

It's important to make sure that the two systems can communicate with each other, as follows:

1. In the Admin Console, go to Administrator > Network Settings.
2. In Network Diagnostics, enter the URL for the Login.aspx file into the URLs to Test box, as follows: http://your_ac_host/ac/Login.aspx, where your_ac_host is the name of the host on which the SAML Bridge is installed.
3. Click Update Settings and Perform Diagnostics.

If you discover problems here, check for network connectivity issues as you would for any two hosts.

Checking Time Synchronization

The system clock of the SAML Bridge host and the system clock of the search appliance must be synchronized, to prevent the search appliance from invalidating authentication responses. The search appliance treats an authentication response as invalid if the timestamp of the response is not close to the time of the search appliance system clock.

Take measures to verify that these system clocks are synchronized.

If your environment uses the Network Time Protocol (NTP), do the following:

1. Check that NTP is running on your network.
2. Test that the search appliance is configured to use NTP, as follows:
   1. In the search appliance Admin Console, go to Administration > Network Settings.
   2. Make sure that the NTP server is specified.
   3. Use the Network Diagnostics box to test connectivity between the search appliance and the NTP server.
3. Check that NTP is running on the SAML Bridge host, on the content servers, and on the domain controller.

Performing a Test Search

Perform a search that includes secure results and check that the results match your expectations. If problems occur, refer to the next section, Troubleshooting.

Troubleshooting

This section contains some troubleshooting tips. These are some general tips for narrowing your problem:

• If one account can't be impersonated, try a different account.
• If one URL doesn't work, try another.
• If one content server can't be authorized, set up a very simple web server and use it as the content server.
• Set the log level in the SAML Bridge web.config file to "debug," and then view the ac.log file for log messages.
• Monitor these additional files: the web server log, the Windows audit events in the event viewer, and the results produced by Kerberos tracing tools.

You Are Prompted When Testing Impersonation

Problem

In the step in which you test impersonation and access http://your_saml_bridge_host/saml-bridge/Login.aspx, you are prompted to enter your username and password, although you should not be prompted.

Resolution

If you enter credentials and are granted access, the cause for this problem can be one of the following:

• The security for the Login.aspx file security was incorrectly set up.
• Your Internet Explorer browser is using enhanced security settings, and the host of SAML Bridge is not recognized as an Intranet site.

If you enter credentials but are not granted access, the Kerberos configuration may be incorrect and might have duplicate SPNs configured. Contact Microsoft Support.

Only Some Accounts Can Be Impersonated

Problem

In the step in which you test impersonation, some users can be impersonated but others cannot.

Suggestion

There are many ways in which user security can be inconsistent. This is one technique for resolving this problem:

1. Select a couple of users from the group that can be impersonated and a couple of users from the group that can't be impersonated.
2. Open the Active Directory Users and Computers console.
3. Click View > Advanced.
4. Select a user account that cannot be impersonated and double click to display the Properties window.
5. Select the Security Window.

   By default, the permissions for Authenticated Users is Read.

6. If this user does not have Read access, grant Read access to the user.
7. Click Apply and then click OK.

Authorization Testing Results in Indeterminate Status

Problem

In the step in which you run an authorization test, the permit code "Indeterminate" appears, and the following messages appear in the ac.log file.

3/13/2007 5:17:59 PM, GetPermission: after WindowsIdentity
3/13/2007 5:17:59 PM, GetPermission: AuthImpl::caught exception
3/13/2007 5:17:59 PM, GetPermission: Either a required impersonation level was not 
      provided, or the provided impersonation level is invalid. 

Suggestion

This error indicates that the host on which the SAML Bridge resides might have an incompatible version of the .NET framework. Refer to the section Web Server Prerequisites for the correct version.

If you've checked the .NET version and determined that it meets the requirements, you can reconfigure the .NET framework for IIS as follows:

cd C:\WINDOWS\Microsoft.NET\Framework\your-version\ 
aspnet_regiis.exe -i

When the command is done reconfiguring your IIS server to use the specified version of .NET, it displays a message like the following:

Finished installing ASP.NET (2.0.50727). 

Authorization Error

Problem

The log file shows a 401 error (unauthorized). The following is an example.

 1/4/2007 9:14:19 AM, GetURL: GetURL =http://host.domain.domain.com:82/deny.html
 1/4/2007 9:14:19 AM, GetURL: inside GetURL internal
 1/4/2007 9:14:19 AM, GetURL: Sending a Head request to target URL
 1/4/2007 9:14:19 AM, GetPermission: AuthImpl::caught WebException
 1/4/2007 9:14:19 AM, GetPermission: e = System.Net.WebException: The remote server returned an 
             error: (401) Unauthorized.
      at System.Net.HttpWebRequest.CheckFinalStatus()
      at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
      at System.Net.HttpWebRequest.GetResponse()
      at SAMLServices.Common.GetURL(String url, ICredentials cred)
      at SAMLServices.Common.GetURL(String url)
      at SAMLServices.Wia.AuthImpl.GetPermission(String url, String subject)

Suggestion

This problem is typically a result of Kerberos configuration problems. Check that Kerberos is set up, using the procedure specified in the Prerequisites section.

More Troubleshooting Steps

For more troubleshooting steps, visit the SAML Bridge wiki.