Indexing Service

Danielb_ed · September 5th, 2003, 07:54 AM

I having been trying to implement a company intranet with full searching of files throughout the companies domain.
I have been running into problems when I try to search from any machine but the one the asp page is located on.

To summarise(or explain in depth) :

I have a webserver with my search page running.
This page connects to the indexing services on other renote machines using the msidxs provider.
The IIS permissions are set to integrated windows authentication.
The page when searched from the web server returns results with the correct security permissions.
When the page is accessed from a remote machine (in the correct domain) I get a returned message of :

Invalid Catalog Name 'CATALOGNAME' SQLSTATE=42000

My ASp code briefly looks like this (only showing the connect and search bits)

Code:

    set AdoConnection = Server.CreateObject("ADODB.Connection")
    set AdoCommand = Server.CreateObject("ADODB.Command")
    AdoConnection.ConnectionString = "provider=msidxs"
    AdoConnection.Open 
    set AdoCommand.ActiveConnection = AdoConnection

    SelectColumns = ' relevant columns from indexing service
    SelectString = "Select " + SelectColumns + " from (Table remotemachine1.CatalogName..Scope() 
        UNION ALL TABLE remotemachine2.CatalogName..Scope()) " 

    Composer = ""
    TheQuery = ""

    if SearchString <> "" then
        TheQuery = "Contains('""" + SearchString + """')"
        Composer = " and "
    end if

    if Author <> "" then
        TheQuery = "Contains(DocAuthor,  '""" + Author + """') " + Composer + TheQuery
        Composer = " and "
    end if

    if Modified <> "" AND Modified <> "any" then
        if FMMod <> "since" then
            TheQuery = "(Write > " + Modified + ") " + Composer + TheQuery
        else
            TheQuery = "(Write > '" + ModifiedDate + "') " + Composer + TheQuery
        end if
    end if

    if TheQuery <> "" then
        SelectString = SelectString +  " where " + TheQuery +" "+ SortBy
    else
        SelectString = SelectString + SortBy +" "
    end if

    AdoCommand.CommandText = SelectString

    set RS = Server.CreateObject("AdoDB.Recordset")

    if MaxResults <> -1 then
       RS.MaxRecords=MaxResults
    end if
    RS.Open AdoCommand

Any help would be greatly appreciated, I have been stumped for a day or so and am begining to feel stupid,

Cheers

Dan

Danielb_ed · September 8th, 2003, 03:40 AM

The context in which the query runs has to have access to the network in order for the query to a remote machine to work.

With Windows Integrated authentication, the identity in IIS is such that it can't be used to get on the network. This is actually a security feature. Otherwise you could write an app on your IIS machine that steals the context and reads/sends mail or anything else in the context of the user issuing the query. Very dangerous.

There are a few work-arounds.

1) Use BASIC authentication. That way IIS has the password of the user and can logon the network to issue the query. With Integrated authentication there is no password, only a token. But BASIC is inherently kind of unsafe.

2) Use anonymous authentication and a domain account for anonymous. You lose security, though. The domain account can hop on the network whereas the default IIS anonymous account is local and can't.

3) Enable delegation in Active Directory and use that. Most people don't like this option because it allows some of the security holes mentioned above.

In short, there is no great solution. Allowing any kind of scenario to work will open up security problems -- you need to decide which risks are acceptable.