User claim token not updated in FAST FSA Worker RRS feed

  • Question

  • I have been trying to test search security in the last several days, and what I've found is that the user claim token is not always updated in the FSA Worker. After I added a test user to an AD group, which is part of a site group, the test user can visit the SharePoint site, but he cannot search the content in the SharePoint site. I ran an incremental crawl and a full crawl, but neither triggered the security update that would allow the test user to search.

    So I set the FSA log level to INFO and captured the user's claim token. Under the "ClaimType:http://schemas.microsoft.com/sharepoint/2009/08/claims/sidcompressed", I can NOT find the SID of the AD group that just got added to the user (details in this blog post: http://federatedfast.wordpress.com/2010/09/29/does-the-searcher-belong-to-a-group-that-has-permissions-to-the-document-2/).

    Does anyone here know what will trigger the user claim token to be updated so the user can search the content?

    Thanks

    Ben

    Wednesday, September 29, 2010 7:13 PM

All replies

  • Hi Ben,

    Have you executed the following PowerShell commands on all QRServers?

    New-FASTSearchSecurityClaimsUserStore -id win
    Set-FASTSearchSecurityDefaultUserStore -DefaultUserStoreId win

    Regards,

    Fads

    Sunday, December 12, 2010 11:25 PM
  • Thanks for your response. Do you know what would be changed with the steps you suggested?

    Out of the box, win is the only claim user store (through Get-FASTSearchSecurityClaimsUserStore) and it is also the default user store already (Get-FASTSearchSecurityDefaultUserStore). 

    Premier support has spent 2 months on this and still couldn't figure out what is going on.

    Thanks

    Ben

    Tuesday, December 14, 2010 4:44 PM
  • Hi Ben,

    Were you able to find a solution to this? I am having the same problem where I added a user to another AD group, but during search, the user security filter generated by the SAM worker does not include the encoded SID of the new AD group the user belongs to.

    Any feedback is greatly appreciated.

    Thanks,

    Ken

    Wednesday, March 14, 2012 3:52 PM