Tuesday, July 28, 2009

Msoft AddRule example is Incorrect

I could not find a mention anywhere that with SP1 you still need to use Addrule.exe for Forms based authentication crawls. I have hunted and hunted to verify, but yes, Virginia, it appears you still do need to still use Addrule.exe with its XML.

(Don't know what I am talking about -check it out here --> http://technet.microsoft.com/en-us/library/bb852172.aspx)

Incidently - this whole mess with not being able to crawl FBA sites and having to create a specific trimmer is another point demonstrating how it appears that Microsoft's inclusion of the "internet facing site" FBA site in MOSS was an afterthought.

Suffice to say, not merely is there no documentation pointing out that you STILL NEED TO USE ADDRULE, but the sample XML is wrong.

Here is the INCORRECT XML sample

<rules>
  <rule>
    <path>http://YourFormsAuthSite/*</path>
    <type>FORM</type>
    <error_pages>
      <error_page>Logon.aspx</error_page>
    </error_pages>
    <auth_url>Logon.aspx</auth_url>
    <login_type>POST</login_type>
    <parameters>
      <param name="__VIEWSTATE">dDw0OTQzMjI0MjQ7O2w8UGVyc2lzdDs%2BPvhWhKKTnHpM3RIvgkgC9jJVpN%2Bg</param>
      <param name="Login1%24UserName">FormsAuthUserName</param>
      <param name="Login1%24LoginButton">FormsAuthPassword</param>
      <param name="Login1%24LoginButton">Log+In</param>
    </parameters>
  </rule>
</rules>

Here is a CORRECT XML sample

<rules ssp="SharedServices for MyServer">
<rule>
<path>http://www.myserver.com/*</path>
<type>FORMS</type>
<auth_url>http://www.myserver.com/_layouts/login.aspx?ReturnUrl=/</auth_url>
<login_type>POST</login_type>
<error_pages>
<error_page>login.aspx</error_page>
</error_pages>
<parameters>
<param public="true" name="__VIEWSTATE">%2FwEPDwUKMTc0NDQ2ODkFgJmD2QWAmYYCAgMPZBYCAjU

PZBYCAgEPZBYCZg9kFgICDQ8QDxYCHgdDaGVja2VkaGRkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja

0tleV9fFgEFJmN0bDAwJFBsYWNlSG9sZGVyTWFpbiRsb2dpbiRSZW1lbWJlck1lYuMscsbPMGpHkju7j4uv5Gv%2BR

ds%3D</param>
   <param public="true" name="ctl00%24PlaceHolderMain%24login%24UserName">myFBASearcherName</param>
   <param public="true" name="ctl00%24PlaceHolderMain%24login%24password">myFBASearcherAccount</param>
   <param public="true" name="ctl00%24PlaceHolderMain%24login%24login">Sign+In</param>
   <param public="true" name="__EVENTVALIDATION">%2FwEWBQLxxc7nDwLE96mtBQLLtsPBAgLkkP7MCgK%2FlZyy

Bxv%sdf2B3qFhTCz8CUMXQiMVw</param>
</parameters>
</rule>
</rules>

What are the differences?

They have incorrect fieldnames (missing the Placeholders) and note the repetition of LoginButton for the Password portion of the XML demo. Obviously someone simply cut and pasted sections rather than pasting a complete, correct, XML
They do not have __EventValidation. Testing this with Fiddler emphasized the need for that
They do not have public="true" in their params which can be useful - public: If this value is not present, the parameter specified will be encrypted and stored in the search system. For encrypted parameters, the size limit is 1,024 characters. If you specify public = "true", the parameter will not be encrypted before storing in the search system. Also, the parameters size limit increases to 4,096 characters.

Other Caveats

Make sure the entries on both sides of the params are htmlencoded - use http://meyerweb.com/eric/tools/dencoder/ if you need help...
Remember that this DOES NOT do security trimming. You still need to setup an FBA security trimmer - see http://technet.microsoft.com/en-us/library/bb852172.aspx#moss12_SearchFormsAuth_ImplementSecurityTrimmer for info on that...

Sharepoint 2007

Comments [0] | Trackback

Comments are closed.

Disclaimer

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.