How to get authenticated/secure results through the QRServer in FAST Search for SharePoint

I received an email from an ex-student today that forced me to remember how to send an authenticated query to the QRServer in FAST Search for SharePoint.

The reason for doing this is that when you issue a query through the SharePoint UI, additional security parameters are sent to FAST along with the query. But when you go directly against the QRServer interface (accessible through http://localhost:13280 directly in the server running the query component in the FAST farm), the queries typed in there are sent without any security parameters by default, which means you will not get back any results that require security permissions (such as all your crawled SharePoint content, for example).

I’ve sent instructions to students on how to get authenticated results from the QRServer many times in the past, and even commented about it in this post here, but I just realized I never posted this here on the blog, so I’m doing it now to make this information easier to be found.

Below are the steps to get secure results through the QRServer without having to modify qtf-config.xml (which is something advisable):

Note: you will need to perform the steps below in a query server in your FAST farm

  1. Edit %FASTSEARCH%\components\sam\worker\user_config.xml
  2. Change:
    <add name=”AllowNonCleanUpClaimsCacheForTestingOnly” value=”false” type=”System.Boolean” />To:
    <add name=”AllowNonCleanUpClaimsCacheForTestingOnly” value=”true” type=”System.Boolean” />
  3. To pick up your changes, open a command prompt window and restart the samworker
    nctrl restart samworker
  4. Make sure the samworker is running. If it is not running, check your previous edits.
    nctrl status
  5. Execute a query through a search center in SharePoint and ensure results are returned. You will use the security credentials from this query to get secure results from the QRServer.
  6. Navigate to %FASTSEARCH%\var\log\querylogs and open your latest query log (if the file is locked; make a copy of the file and open the copy).
  7. Locate and copy this parameter: &qtf_securityfql:uid=<token>= (the trailing equal sign should be included)
  8. Navigate to the qrserver page: http://localhost:13280/
  9. In the additional parameters text box add:
  10. Issue a query and ensure you get secure results back.

Another way to also get authenticated results (from outside the SharePoint UI) without having to make any modifications in your system, is to use the terrific FAST Search for SharePoint 2010 Query Logger tool created by Mikael Svenson.

Enjoy! 🙂


About leonardocsouza

Mix together a passion for social media, search, recommendations, books, writing, movies, education, knowledge sharing plus a few other things and you get me as result :)
This entry was posted in FS4SP and tagged . Bookmark the permalink.

10 Responses to How to get authenticated/secure results through the QRServer in FAST Search for SharePoint

  1. Matt says:

    Any idea how Mikael’s tool achieves the same result without modifying the SAM configuration? Does it do something with the claims cache?

  2. Hi,
    As Leo says it monitors the query and re-executes it. Each claim is valid for 10 seconds (or 15) so you can re-use it within that time frame.

    The tool takes advantage of this, thus preventing modifying any configuration files as it re-executes the query well within the validity time frame of the claims token.

  3. Matt says:

    Leo, do you know how the claims cache works, I mean, what communication is happening between the SSA and the qr server that is not happening when we call the qr server directly?

  4. Matt says:

    The light finally came on for me… in ESP the fql_security parameter in the query was a simple encoding of the user name, but now in FS4SP it’s an encrypted claim.

  5. freddiemaize says:

    Any idead how to form the secruity parameter in the code, &qtf_securityfql:uid== ?
    To add a refiner parameter (&r=format%3d%22AQlBZG9iZSBQREYGZm9ybWF0AQJeIgIiJA%3d%3d%22) we can use
    keywordQuery.RefinementFilters.Add(RPart)// to add refiner
    But how do we from the &qtf_securityfql:uid== using API?

    Thanks for the post BTW.

    • Hi freddie!

      What is the scenario where you need to construct this security token yourself?

      I ask this because when you are using any of the supported APIs (Query Object Model, Query Web Service, etc.) you shouldn’t need to pass this special parameter, as the ootb configuration between SP and FS4SP should handle that for you automatically.

      This is only needed when you are trying to talk *directly* with the QRServer on the FAST Search server, which you should only do for debugging purposes, as this is not a supported query interface.

      In the case of debugging, my suggestion is the one I highlight in the post. Execute a query with the user you want, then go to the query logs and find the proper qtf_securityfql:uid for that user.

      I hope this helps you, but if it doesn’t, please let me know more about what you are trying to achieve and I will do my best to help 🙂


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s