Configuring crawl and serve for kerberos, Configuring crawl and serve over https, Provider interface – Google Search Appliance Managing Search for Controlled-Access Content User Manual

Google Search Appliance: Managing Search for Controlled-Access Content

11

•

The Crawl and Index process for content that uses HTTP Basic and NTLM HTTP is controlled by
parameters under Crawl and Index > Crawler Access. To learn more about setting up crawl for
HTTP Basic and NTLM HTTP, click Help Center > Crawl and Index > Crawler Access in the Admin
Console.

•

If you are using HTTP, Google recommends that you use HTTPS for all requests for controlled-
access content because HTTP Basic passes user credentials as clear text. To force the search
appliance to perform crawl, index, and serve over HTTPS, see “Protecting the User’s Credentials for
Serve with HTTP Basic and NTLM HTTP” on page 36.

Configuring Crawl for the SAML Authentication and
Authorization Service Provider Interface

Before using the Authentication and Authorization SPI, you must configure the appliance to crawl and
index some secure controlled-access content. The SPIs are only used when a user queries for secure
results. For content protected by the Authentication and Authorization Service Provider Interface, you
can crawl secure content through HTTP Basic, NTLM HTTP, or with Forms Authentication:

•

Make sure that you have defined some patterns for crawling your controlled-access content under
Crawl and Index > Crawl URLs.

•

For content that requires HTTP Basic Authentication or NTLM HTTP credentials, set up the crawl
under Crawl and Index > Crawler Access and clear the Make Public checkbox for at least one URL
pattern.

•

For content that requires a Forms Authentication rule to authenticate using a single sign-on (SSO)
server, set up the crawl under Crawl and Index > Forms Authentication and clear the Make
Public checkbox for at least one URL pattern.

Configuring Crawl and Serve for Kerberos

The search appliance supports Integrated Windows Authentication/Kerberos authentication for both
crawling and serving controlled-access content. Before you can configure Kerberos crawling, the search
appliance must be configured to use Kerberos authentication at serve time. For information about
configuring Kerberos-based authentication for serve, see “Kerberos-Based Authentication” on page 25.

After Kerberos-based authentication for serve is configured, you can enable Kerberos crawling by using
the Crawl and Index > Crawler Access page. For more information about enabling Kerberos crawling,
click Help Center > Crawl and Index > Crawler Access in the Admin Console.

Configuring Crawl and Serve Over HTTPS

The search appliance uses digital certificates when communicating with web browsers and servers over
HTTPS. The search appliance also supports the use of digital certificates to perform X.509 certificate
authentication to verify a user’s identity before serving secure results, as described in “Client Certificate-
Based Authentication” on page 24.

To use HTTPS for all requests for controlled-access content, configure the search appliance to enable
certificate use. The digital certificate for the search appliance must be recognized by other servers, and
the certificate authorities for all HTTPS-secured sites must be valid (that is, must not be out of date and
must be for the designated server name).