Google Search Appliance Enabling Windows Integrated Authentication Google Search Appliance software version 7.
Google, Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 www.google.com GSA-WIA_100.03 July 2014 © Copyright 2014 Google, Inc. All rights reserved. Google and the Google logo are registered trademarks or service marks of Google, Inc. All other trademarks are the property of their respective owners. Use of any Google solution is governed by the license agreement included in your original contract.
Contents
Enabling Windows Integrated Authentication 4
About This Document
Audience
For More Information
Overview
Enabling Kerberos on the Search Appliance
Using SAML Bridge with the Search Appliance
Silently Authenticate Users with SAML Bridge
Prerequisites for Using SAML Bridge
Installing SAML Bridge
Configuring SAML Bridge in IIS
Configuring SAML Bridge in IIS 6.
Enabling Windows Integrated Authentication By default, Google Search Appliance users who search for and view secure content must enter credentials. In a Windows domain environment, you can configure the search appliance to use one of two methods that remove the need for redundant logins. The preferred method to enable Windows Integrated Authentication on the search appliance is to enable onboard Kerberos.
• The Authentication/Authorization for Enterprise SPI Guide. SAML Bridge is an application of the Google Search Appliance Authentication/Authorization SPI, for which it has the roles of Identity Provider and Policy Decision Point. These terms are explained in the SPI Guide. • A Google search on SAML (http://www.google.com/search?q=saml) can provide background information on the SAML protocol.
Using SAML Bridge with the Search Appliance It is preferable to achieve silent authentication by enabling Kerberos on the search appliance (called “Kerberizing”). However, if your implementation requires the use of SAML Bridge for authentication (see the examples listed in the “Overview” on page 5), then SAML Bridge can be used to mediate between your users and your Windows domain. SAML Bridge is implemented as an ASP.NET website that resides in IIS.
To install SAML Bridge: 1. Start a web browser and navigate to http://code.google.com/p/googlesearchapplianceconnectors/downloads/list. 2. Download the most recent version of the Google Search Appliance Resource Kit for SharePoint package for your operating system (x86 or x64). 3. Unzip the package. 4. Locate the installer, which is the file with the extension msi. 5. Double-click the installer file. The Welcome screen is displayed. 6. Click Next. 7.
3. In the Application Settings section, click Create. 4. On the Execute Permissions drop-down list, ensure that the value is Scripts only. 5. Write down the name that appears on the Application Pool drop-down menu. You’ll use this name when you verify the configuration of the Application Pool. 6. Click the Directory Security tab. 7. In the Authentication and Access Control region, click Edit. The Authentication Methods dialog box is displayed. 8.
Verifying the Configuration in IIS 7 of the SAML Bridge Application Pool This process verifies that the Application Pool Identity for SAML Bridge is Network Service. 1. In the IIS Manager tree view, click to expand the Application Pools. 2. Select the name of the application pool that was configured for SAML Bridge and select Advanced Setting from the Actions pane. 3. Under Process Model, verify that the value of Identity is set to Network Service. 4. Click OK to close the dialog box.
5. Click OK. 6. In the Permissions for Everyone list, check the box in the Full Control row and the Allow column. 7. Click OK. Additional Steps to Configure SAML Bridge for POST Binding POST Binding requires a public key and private key pair that are used to encrypt and decrypt the response message from the SAML IdP. The SAML IdP uses the private key to encrypt the message, and the search appliance uses the public key to decrypt it.
Also, note the value of the Subject attribute in the Details tab. You will need it in the next step to grant SAML Bridge access to the certificate. Grant SAML Bridge Access to the Certificate In order for SAML Bridge to load the certificate that contains the private key, the Application Pool Identity that runs SAML Bridge requires permission to access the certificate. Check permissions using the WinHttpCertCfg tool, which you might have to download.
You’ll see a response such as the following, which assumes that your domain is sam1 and your Windows account is davidd.
Application Pool Identity = NT AUTHORITY\NETWORK SERVICE
Your Windows account = sam1\davidd
Use Login.aspx?subject=user@domain to test impersonation
The NETWORK SERVICE keyword shows that SAML Bridge is properly configured to use Network Service. If Application Pool Identity is not set to Network Service, follow steps in “Verifying the Configuration in IIS 6.
Completing the Configuration Process Follow steps in this section to complete the configuration process. Checking Time Synchronization The system clock of the SAML Bridge host and the system clock of the search appliance must be synchronized to prevent the search appliance from invalidating authentication responses. The search appliance treats an authentication response as invalid if the timestamp of the response is not close to the time of the search appliance system clock.
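The clock-skew rule described above, as an added example that is not part of this guide or of SAML Bridge: a check that rejects a SAML response whose IssueInstant and assertion validity window are not close to the appliance's own clock. The sample response, the 60-second tolerance and the function names are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample of the kind of response SAML Bridge posts back
# to the search appliance; all times are UTC (xs:dateTime with a Z suffix).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2014-07-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-07-01T12:00:00Z">
    <saml:Subject><saml:NameID>davidd</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-07-01T11:59:00Z" NotOnOrAfter="2014-07-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    """Parse an xs:dateTime such as 2014-07-01T12:00:00Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response_times(xml_text, appliance_now, max_skew=timedelta(seconds=60)):
    """Return (ok, reason). appliance_now is the search appliance's own clock;
    max_skew is the assumed tolerance (the appliance's real tolerance is not stated)."""
    root = ET.fromstring(xml_text)
    issue = parse_saml_time(root.get("IssueInstant"))
    drift = abs(appliance_now - issue)
    if drift > max_skew:
        # This is the failure a skewed SAML Bridge host clock produces.
        return False, "IssueInstant is %s away from the appliance clock" % drift
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    not_before = parse_saml_time(cond.get("NotBefore")) - max_skew
    not_after = parse_saml_time(cond.get("NotOnOrAfter")) + max_skew
    if not (not_before <= appliance_now < not_after):
        return False, "appliance clock is outside the assertion validity window"
    return True, "ok"
```

A host clock ten minutes fast or slow fails the first check even though the assertion itself is well formed, which is why the two clocks must be synchronized.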
For information on how to enable SSL for SAML Bridge, refer to the Microsoft IIS documentation. Performing a Test Search Perform a search of secure content. You should not be prompted to log in. You can now proceed to configure policy ACLs or a connector for authorization. Troubleshooting SAML Bridge for Authentication This section contains some troubleshooting tips that apply to authentication.
Only Some Accounts Can Be Impersonated Problem When you test impersonation (see “Verifying the SAML Bridge Configuration”), some users can be impersonated but others cannot. Suggestion There are many reasons why user security can be inconsistent. One method to resolve this problem is as follows: 1. Select a couple of users from the group that can be impersonated and a couple of users from the group that cannot be impersonated. 2. Open the Active Directory Users and Computers console. 3.
4. SAML Bridge checks the user's access to the search results content by impersonating the user to the content server. 5. If SAML Bridge is using NTLM, it sends a HEAD request on the user's behalf to the content server. 6. If SAML Bridge is using Kerberos, it obtains a Kerberos ticket to use on the user's behalf. This is possible because the domain server is configured to enable SAML Bridge to impersonate the user to the content server. 7.
You can refer to an unsupported Wiki page on configuring Kerberos for more information (http://code.google.com/p/google-saml-bridge-for-windows/wiki/ConfigKerberos). Important: If SAML Bridge is only used for authentication, Kerberos is not required on the content servers. However, because the search appliance requires the authorization service to be specified to allow the basic authentication prompt to be muted, you must properly configure SAML Bridge for authorization.
12. To select one or more services to which SAML Bridge will delegate, first identify the service type, and then select the name in the User or Computer column. To find the service type if the content server is a web server or SharePoint server, the service will be listed in the Service Type column as HTTP. To select the name of the services in the User or Computer column: • If users will access the content server using the NetBIOS name, select that name.
Configuring the Search Appliance to Use SAML Bridge for Authorization To configure the search appliance to use SAML Bridge for authorization, add a SAML rule for a URL pattern that the search appliance can use to send a SAML authorization request to the Policy Decision Point. To configure the search appliance to use SAML for authorization: 1. In the search appliance Admin Console, click Search > Secure Search > Flexible Authorization. 2. Choose SAML from the pull-down menu, and click Add another rule.
Authorization Testing Results in Indeterminate Status Problem When you run an authorization test, the permit code ‘Indeterminate’ appears and the following messages appear in the ac.log file.
3/13/2007 5:17:59 PM, GetPermission: after WindowsIdentity
3/13/2007 5:17:59 PM, GetPermission: AuthImpl::caught exception
3/13/2007 5:17:59 PM, GetPermission: Either a required impersonation level was not provided, or the provided impersonation level is invalid.
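Detection logic for the ac.log symptom above, as an added example that is not part of this guide or of SAML Bridge: it parses lines in the quoted timestamp/method/message layout and pairs each "caught exception" entry with the detail line that follows it, so the impersonation-level failure can be flagged automatically. The log excerpt is constructed, and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed ac.log excerpt in the layout quoted above; the two middle lines
# reproduce the impersonation-level failure, the others are filler entries.
SAMPLE_AC_LOG = """3/13/2007 5:17:58 PM, GetPermission: start
3/13/2007 5:17:59 PM, GetPermission: after WindowsIdentity
3/13/2007 5:17:59 PM, GetPermission: AuthImpl::caught exception
3/13/2007 5:17:59 PM, GetPermission: Either a required impersonation level was not provided, or the provided impersonation level is invalid.
3/13/2007 5:18:02 PM, GetPermission: after WindowsIdentity
3/13/2007 5:18:02 PM, GetPermission: permit"""

# "M/D/YYYY H:MM:SS AM, Method: message"
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (\w+): (.*)$")

def parse_ac_log(text):
    """Yield (timestamp, method, message) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            yield ts, m.group(2), m.group(3)

def find_impersonation_failures(text):
    """Return one record per 'caught exception' whose following detail line
    reports a missing or invalid impersonation level."""
    entries = list(parse_ac_log(text))
    failures = []
    for i, (ts, method, msg) in enumerate(entries):
        if "caught exception" in msg and i + 1 < len(entries):
            detail = entries[i + 1][2]
            if "impersonation level" in detail:
                failures.append({"time": ts, "method": method, "detail": detail})
    return failures
```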