Sysadminsblog.com Anything for sysadmins!

18 Jan 12

Setting up SharePoint Claims Based Authentication with Azure

I ran into a couple of good articles on setting up Claims Based Authentication on SharePoint 2010 using Azure. In these pages Mike Hacker runs you through all the settings in the Azure ACS panel and SharePoint 2010.

Part 1:
http://blog.mikehacker.net/2011/04/21/sharepoint-authentication-using-windows-azure-access-controlpart-1/

Part 2:
http://blog.mikehacker.net/2011/04/21/sharepoint-authentication-using-windows-azure-access-controlpart-2/

The only problem I found after following these guides was that the logon token cache expiration window expired way too fast. To solve this you'll have to set the LogonTokenCacheExpirationWindow to 1 minute instead of 10.

Open the SharePoint 2010 Management Shell and run the commands below:

    $StsC = Get-SPSecurityTokenServiceConfig
    $StsC.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 1)
    $StsC.Update()
    iisreset

11 Jan 12

SharePoint Search Service: Access is denied

When I was working on getting the search working on my SharePoint 2010 Farm I ran into 2 problems. Both problems caused the same error:

Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has "Full Read" permissions on the SharePoint Web Application being crawled.

This is quite a clear error, but there might be a couple of solutions that are less obvious.

Solution 1

Disable the loopback check.

  1. Click Start, click Run, type regedit, and then click OK
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. Right-click Lsa, point to New, and then click DWORD Value
  4. Type DisableLoopbackCheck, and then press ENTER
  5. Right-click DisableLoopbackCheck, and then click Modify
  6. In the Value data box, type 1, and then click OK
  7. Quit Registry Editor, and then restart your computer
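
A narrower alternative to the steps above, added here as an example and not part of the original post: the script reports the current loopback-check state and lists specific host names under BackConnectionHostNames (a REG_MULTI_SZ value under Lsa\MSV1_0), so the check stays enabled for every other name. The host names are placeholders and the function names are hypothetical; the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example (not from the original post). Run elevated on the SharePoint server.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

# Assumption: placeholder host names. Replace them with the host headers
# the crawl account requests on this server.
$crawlHosts = @('intranet.example.local', 'mysites.example.local')

function Get-LoopbackCheckState {
    # Both values may be absent; a missing value reads as $null.
    $dlc  = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
                -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $bchn = (Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames
    New-Object PSObject -Property @{
        LoopbackCheckDisabled   = ($dlc -eq 1)
        BackConnectionHostNames = @($bchn | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    param([Parameter(Mandatory = $true)][string[]]$HostName)
    $current = (Get-LoopbackCheckState).BackConnectionHostNames
    # Sort-Object -Unique compares case-insensitively, so re-runs add no duplicates.
    $merged = [string[]]@($current + $HostName | Sort-Object -Unique)
    # -Force overwrites an existing value; the type is set to REG_MULTI_SZ.
    New-ItemProperty -Path $msv10 -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
}

$before = Get-LoopbackCheckState
Add-BackConnectionHostName -HostName $crawlHosts

if ($before.LoopbackCheckDisabled) {
    # Turn the check back on now that the crawl hosts are listed explicitly.
    Set-ItemProperty -Path $lsa -Name DisableLoopbackCheck -Value 0 -Type DWord
}

# Show the resulting state for the change record.
Get-LoopbackCheckState | Format-List
```

Restart the server, as in step 7, before running the crawl again.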

Solution 2

Specifically when you're crawling the people search (sps), make sure that the default content access account (crawl account) has access to the User Profile Service.

  1. Open the Central Administration and go to Application Management
  2. Click Manage service application in the Service Application section
  3. Select the User Profile Service Application and click on Administrators
  4. Add your content access account and give it the Retrieve People Data for Search Crawlers permission

Hope this helps you!