How to enable anonymous search in Search Server Express 2010

search sharepoint user-permissions windows-server-2008

I am crawling a local file share that has read permissions for the NT AUTHORITY\NETWORK SERVICE account.

I have enabled anonymous access and now I am able to get to my search box without authentication. But when I actually search for something I get no results back. I am able to get results when using the administrator account.

Changing ACL permissions and reindexing now gives my local user access to the search results, but my ultimate goal is to have the results viewable by an anonymous user.

[Screenshot: admin view]

[Screenshot: anonymous view]

Best Answer

What you are seeing is actually what I would expect, that is, Search Server challenges the credentials of the user performing the search regarding the ACL of the indexed files and only grants access if the user has proper read permissions regarding the files themselves (i.e. not just the search interface), see e.g. Security considerations for indexing, section About item level security:

> When source content is crawled and indexed, authorization information is added to each item’s managed properties (the item’s ACL, or access control list), identifying users and groups that are granted or denied access to the item. Item ACLs help set up item level security by tagging each item with access permissions.
>
> When a user submits a query and the indexes find search results, the query processing service rewrites the user’s query so that the user only sees items that he is authorized to see. This security trimming [...]

Your example seems to imply that the files in question can only be read by NT AUTHORITY\NETWORK SERVICE, hence surfacing those files' content via a search index would circumvent the access restrictions consciously applied to them in the first place, and not doing so seems like a sensible default at least (if not the only option in fact).

Consequently you should be able to achieve the desired result by one or (maybe) two means:

  1. Grant anonymous users (or your local test account for an easier/safer start) access to the files themselves via standard Windows ACL management. Please note that you'll likely need to reindex the content to surface the ACL changes in the query result, see quote above.

  2. Eventually Search Server allows you to override or ignore the ACL of an indexed fileset explicitly - I'm not aware of this option however (but ain't too familiar with Search Server either).

Good luck!
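
The behaviour described in this answer, as an added example that is not part of the original answer and is not Search Server code: a simplified Python model of ACL capture at crawl time and security trimming at query time, showing why an ACL change on the share has no effect until the content is crawled again. The class names, the `ANONYMOUS` principal and the sample file are constructed for illustration.

```python
# Simplified model of index-time ACL capture and query-time security trimming.
# Not Search Server code; all names and sample data are constructed.

class FileShare:
    """Stands in for the crawled share: path -> (text, principals with read access)."""
    def __init__(self):
        self.files = {}

    def put(self, path, text, readers):
        self.files[path] = (text, set(readers))

    def grant_read(self, path, principal):
        self.files[path][1].add(principal)

class SearchIndex:
    def __init__(self):
        self.items = {}  # path -> (text, ACL snapshot taken at crawl time)

    def crawl(self, share):
        # The ACL is copied into the index; later changes on the share
        # stay invisible to queries until the next crawl.
        self.items = {p: (t, frozenset(r)) for p, (t, r) in share.files.items()}

    def query(self, term, user_principals):
        # Security trimming: drop hits whose stored ACL shares no principal
        # with the querying user's identity and group memberships.
        principals = set(user_principals)
        return sorted(p for p, (t, acl) in self.items.items()
                      if term.lower() in t.lower() and acl & principals)

def demo():
    path = r"\\fs\docs\plan.txt"  # constructed sample file
    share = FileShare()
    share.put(path, "Quarterly plan", {"NETWORK SERVICE", "Administrators"})
    index = SearchIndex()
    index.crawl(share)
    admin = {"Administrator", "Administrators"}
    anonymous = {"ANONYMOUS"}  # placeholder for the identity anonymous queries run as
    results = {"admin": index.query("plan", admin),
               "anon_before": index.query("plan", anonymous)}
    share.grant_read(path, "ANONYMOUS")
    results["anon_stale_index"] = index.query("plan", anonymous)  # still trimmed
    index.crawl(share)  # reindex picks up the new ACL
    results["anon_after_recrawl"] = index.query("plan", anonymous)
    return results

if __name__ == "__main__":
    for step, hits in demo().items():
        print(step, hits)
```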