Constrains On Setting Up Cloud SSA

  • Article

A couple of gotchas I have encountered during setting up Cloud SSA (or Cloud Search Service Application, you can find out more about it at Learn about cloud hybrid search for SharePoint):

  1. On on-premises SharePoint side, only Integrated Windows Authentication (either NTLM or Kerberos) is supported. ADFS or other SAML based trusted identity providers would not work. Yes, you can still set up Cloud SSA on a web application, for example, using ADFS authentication. The Cloud SSA configuration will run through but users, both online and on-premises, will not be able to get desired search results on either online or on-premises content: all content secured using ADFS identities would be trimmed off.
  2. On-premises user accounts must be sync'd to AAD to be able to use Cloud SSA. If an on-premises use's identity is not sync'd to Office 365 AAD, search engine will return "Sorry, something went wrong" message, and if you drill-down to the detail, it looks something like this:

System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute() at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate() at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest() at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery() at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.RetrieveDataFromRemoteServer(Object unused) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at Microsoft.Office.Server.Search.RemoteSharepoint.RemoteSharepointEvaluator.RemoteSharepointProducer.ProcessRecordCore(IRecord record)

Correlation ID: c662de9d-434f-00ec-d613-50b7ebedcef3

The above behaviors are confirmed with SharePoint 2016 and Office 365 product team. The PG does not have a timeline to "fix" the #1 issue and for issue #2 it actually makes sense for Cloud SSA to act that way.

Dr. Z