I received an email from an ex-student today that forced me to remember how to send an authenticated query to the QRServer in FAST Search for SharePoint.
The reason for doing this is that when you issue a query through the SharePoint UI, additional security parameters are sent to FAST along with the query. But when you go directly against the QRServer interface (accessible through http://localhost:13280 on the server running the query component in the FAST farm), the queries typed in there are sent without any security parameters by default, which means you will not get back any results that require security permissions (such as all your crawled SharePoint content, for example).
I’ve sent instructions to students on how to get authenticated results from the QRServer many times in the past, and even commented about it in this post here, but I just realized I never posted this here on the blog, so I’m doing it now to make this information easier to find.
Below are the steps to get secure results through the QRServer without having to modify qtf-config.xml (avoiding that edit is advisable):
Note: you will need to perform the steps below on a query server in your FAST farm.
- Edit %FASTSEARCH%\components\sam\worker\user_config.xml
- Change:
    <add name="AllowNonCleanUpClaimsCacheForTestingOnly" value="false" type="System.Boolean" />
  To:
    <add name="AllowNonCleanUpClaimsCacheForTestingOnly" value="true" type="System.Boolean" />
- To pick up your changes, open a command prompt window and restart the samworker:
    nctrl restart samworker
- Make sure the samworker is running. If it is not running, check your previous edits.
    nctrl status
- Execute a query through a search center in SharePoint and ensure results are returned. You will use the security credentials from this query to get secure results from the QRServer.
- Navigate to %FASTSEARCH%\var\log\querylogs and open your latest query log (if the file is locked, make a copy of the file and open the copy).
- Locate and copy this parameter: &qtf_securityfql:uid=<token>= (the trailing equal sign should be included)
- Navigate to the qrserver page: http://localhost:13280/
- In the additional parameters text box add:
    &qtf_securityfql:uid=<token>=
- Issue a query and ensure you get secure results back.
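As an added example (not part of the original post), this Python check reads a copy of user_config.xml and reports the state of the AllowNonCleanUpClaimsCacheForTestingOnly flag, including the case where the edit left the file malformed, for instance through typographic quotes pasted from a web page. The `<settings>` wrapper in the samples and the function names are assumptions; only the `<add>` element comes from the post.

```python
import xml.etree.ElementTree as ET

FLAG = "AllowNonCleanUpClaimsCacheForTestingOnly"  # setting name from the post

# Constructed samples: the <settings> wrapper is an assumption about the file layout.
SAMPLE_DEFAULT = ('<settings><add name="%s" value="false" '
                  'type="System.Boolean" /></settings>' % FLAG)
SAMPLE_EDITED = SAMPLE_DEFAULT.replace('value="false"', 'value="true"')
# The same edit pasted with typographic quotes instead of straight ones.
SAMPLE_CURLY = SAMPLE_EDITED.replace('"', "\u201d")


def audit_sam_config(xml_data):
    """Return (status, detail) for the claims-cache flag in a user_config.xml body."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        # Not well-formed XML: one reason to "check your previous edits".
        return ("malformed", str(exc))
    # Compare local tag names so a namespaced file is still matched.
    matches = [e for e in root.iter()
               if e.tag.rsplit("}", 1)[-1] == "add" and e.get("name") == FLAG]
    if not matches:
        return ("missing", "no <add> element named %s" % FLAG)
    if len(matches) > 1:
        return ("duplicate", "%d entries for %s" % (len(matches), FLAG))
    elem = matches[0]
    value = (elem.get("value") or "").strip().lower()
    if elem.get("type") != "System.Boolean" or value not in ("true", "false"):
        return ("invalid", "value=%r type=%r" % (elem.get("value"), elem.get("type")))
    if value == "true":
        return ("testing-mode", "testing-only flag is enabled on this server")
    return ("default", "testing-only flag is disabled")


def audit_file(path):
    """Audit a copy of user_config.xml; bytes let the parser honour the declared encoding."""
    with open(path, "rb") as handle:
        return audit_sam_config(handle.read())


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT),
                        ("edited", SAMPLE_EDITED),
                        ("curly quotes", SAMPLE_CURLY)):
        print(label, "->", audit_sam_config(text))
```

Run `audit_file` against a copy of the file from each query server to see which ones still have the testing-only flag enabled after a debugging session.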
Another way to get authenticated results (from outside the SharePoint UI) without having to make any modifications in your system is to use the terrific FAST Search for SharePoint 2010 Query Logger tool created by Mikael Svenson.
Enjoy!
Any idea how Mikael’s tool achieves the same result without modifying the SAM configuration? Does it do something with the claims cache?
If I’m not mistaken, Mikael’s tool (FAST Search for SharePoint 2010 Query Logger) achieves that by monitoring the FS4SP query logs and re-executing queries as soon as they come through, passing exactly the same HTTP request to the QRServer (which has the security credentials) and leveraging the claims cache as you mentioned.
Hi,
As Leo says it monitors the query and re-executes it. Each claim is valid for 10 seconds (or 15) so you can re-use it within that time frame.
The tool takes advantage of this, thus preventing modifying any configuration files as it re-executes the query well within the validity time frame of the claims token.
Brilliant, thanks for the explanation, I’ve long been mystified by the query monitor tool
Leo, do you know how the claims cache works, I mean, what communication is happening between the SSA and the qr server that is not happening when we call the qr server directly?
I sincerely have no idea, Matt. :-/
Maybe Mikael could have some additional info on that.
The light finally came on for me… in ESP the fql_security parameter in the query was a simple encoding of the user name, but now in FS4SP it’s an encrypted claim.
Sorry, had the parameter name all mixed up, it’s qtf_securityfql. This powerpoint has a few slides that helped me understand:
http://www.sharepointsummitistanbul.com/Presentations/Day1_1650-1740_Geneva_Beyond%2520the%2520Basics%2520-%2520An%2520Advanced%2520Conversation%2520on%2520FAST%2520Search%2520for%2520SharePoint%25202010_Berkay_Mese.pptx
Any idea how to form the security parameter in the code, &qtf_securityfql:uid== ?
To add a refiner parameter (&r=format%3d%22AQlBZG9iZSBQREYGZm9ybWF0AQJeIgIiJA%3d%3d%22) we can use
keywordQuery.RefinementFilters.Add(RPart); // to add refiner
But how do we form the &qtf_securityfql:uid== using API?
Thanks for the post BTW.
Hi freddie!
What is the scenario where you need to construct this security token yourself?
I ask this because when you are using any of the supported APIs (Query Object Model, Query Web Service, etc.) you shouldn’t need to pass this special parameter, as the ootb configuration between SP and FS4SP should handle that for you automatically.
This is only needed when you are trying to talk *directly* with the QRServer on the FAST Search server, which you should only do for debugging purposes, as this is not a supported query interface.
In the case of debugging, my suggestion is the one I highlight in the post. Execute a query with the user you want, then go to the query logs and find the proper qtf_securityfql:uid for that user.
I hope this helps you, but if it doesn’t, please let me know more about what you are trying to achieve and I will do my best to help
Best,
Leo