Looking for sample codes with SP search with server-side object model

Question

Greetings,

I have searched on the net in hope to find some sample codes how to use the SP server-side object model to query a search.  There are 3 sets of API that are available (http://msdn.microsoft.com/en-us/library/hh313619.aspx).  However, server-side object model is the only choice we have to go with.  

On the net, I can find some sample codes how to retrieve the list of items (http://msdn.microsoft.com/en-us/library/ff798298.aspx) and so on using SP server-side object model, but never found a sample codes on how to query the search.  

Would anyone direct me to the right article, an URL or provide me sample codes how to do so?   

Much appreciated and thank you.

Environment:

1.  SharePoint 2010 with FAST Search

2.  Windows 2008 (64bit) with IIS 7.0

Answer 1

Hi John,

SharePoint Enterprise Search in Microsoft SharePoint Server 2010 provides two object models you can use customize the search query experience:

• Federated Search Object Model
With the Federated Search object model, you can bring results together from multiple search engines or repositories. You can use the federated search object model to query against SharePoint Server search, FAST Search Server 2010 for SharePoint, OpenSearch locations, and custom runtimes. The search result Web Parts in SharePoint Enterprise Search are built on top of the federated search object model.
• Query Object Model
In Enterprise Search in Microsoft Office SharePoint Server 2007, you used the query object model to create custom search Web Parts and search applications. SharePoint Server 2010 provides an updated version of this object model. You can use the query object model to query against SharePoint Server search and FAST Search Server 2010 for SharePoint. When you return results from SharePoint Server search and FAST Search Server 2010 for SharePoint using the federated search object model, the query object model is actually being called from the federated search object model.

Here are some links include sample codes, please refer to them:
http://msdn.microsoft.com/en-us/library/ee558338.aspx
http://social.technet.microsoft.com/Forums/en-US/fastsharepoint/thread/68aa1a57-fb32-4f27-934a-59c5e3977f46/
http://msdn.microsoft.com/en-us/library/gg984547.aspx

Thanks,
Lhan Han

Answer 2

Awesome links, Han.  Thank you...

The follow up question would be.   I know these two server-side APIs you mentioned above must be resided in the same SP server or the same farm to work.  There is Query Web Service API we can use OUTSIDE the SP server.  I created a web-based app to consume the Query Web Service (QWS) as follow:

		SearchProxy.QueryService queryService = new SearchProxy.QueryService();
                // Use the credentials of the user running the client application: 
                queryService.Credentials = System.Net.CredentialCache.DefaultCredentials;

                // Run the QueryEx method, returning the results to a DataSet:
                System.Data.DataSet queryResults = queryService.QueryEx(GetXMLString());

As you can see, the DefaultCredentials line is using the current logged-in user authentication and send along to QWS in order to obtain the right data return.   This block of codes works perfectly in my localhost (local machine) but when deployed to the web server (outside the SP farm), it fails with 401 permission denied error.  Is there a way to obtain the user's credential automatically when executing the query WITHOUT letting the user enter username/password manually?

I have searched the net for days and have not been able to confirm the possibility of doing so.  

Would you help, Han?  

Pls accept my sincere thank.

John.

Answer 3

John,

After you deployed your code to a web server, it is using the web server's running credential. Apparently your web server is running as a user that does not have permissions to do a search on your sharepoint server.

You can either grant the web server user access to your sharepoint server, or change your code to use a static network credential when connecting to sharepoint server. I would recommend the latter approach.

Hope this helps.

Answer 4

John,

After you deployed your code to a web server, it is using the web server's running credential. Apparently your web server is running as a user that does not have permissions to do a search on your sharepoint server.

You can either grant the web server user access to your sharepoint server, or change your code to use a static network credential when connecting to sharepoint server. I would recommend the latter approach.

Hope this helps.

Thanks for your reply.  I completely understand the scenario with double-hop authentication.  Providing the static credential (provide the form to obtain username/password from users) would not be an option in our case like I said in my previous message.  

I am not so sure how you refer to as "You can either grant the web server user access to your sharepoint server".  Are you referring to Kerberos protocol?  

Thanks

John.

Answer 5

When I say static credential, I mean hard code the credential on the web server, so all users will use the same credential to do the search.

When I say "grant the web server user access to your sharepoint server", I mean you always use the web server's credential to do the search, but you need to give the web server's credential permissions to do the search. But normaly you always run IIS as a local system account, so this is not an option at all.

If you want to use the logged on user's credential for the search, I think you can impersonate your search on the web server, something like this:

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

//Insert your code that runs under the security context of the authenticating user here.

impersonationContext.Undo();

Answer 6

When I say static credential, I mean hard code the credential on the web server, so all users will use the same credential to do the search.

When I say "grant the web server user access to your sharepoint server", I mean you always use the web server's credential to do the search, but you need to give the web server's credential permissions to do the search. But normaly you always run IIS as a local system account, so this is not an option at all.

If you want to use the logged on user's credential for the search, I think you can impersonate your search on the web server, something like this:

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

//Insert your code that runs under the security context of the authenticating user here.

impersonationContext.Undo();

Hi Mike,

Using static credential is definitely not an option.  The search crawls all file shares with permission settings, so each user has different security/permission on each folder/file.

That is the sole reason we want to capture current logged-in user's identity so the search results will be filtered accordingly to their permission setting.

Thanks

John.

Answer 7

Oh, I had a privilege to have a conversation with Mikael Svensson.  (He is the co-author of the book:  Working with Microsoft® FAST™ Search Server 2010 for SharePoint®).  He confirmed with me that it is not possible for double hops in my scenario.   Only option would be using Kerberos.  

Side note:  I like his book.  The content is clear, simple and well presented.  It would be super nice if he writes one more section on security (like my question issue...) :)

Recommended this book.

Thanks