Blog from August, 2023

Background

In July 2023, we began observing issues with Sharepoint Online Document and User Profile connections and OneDrive for Business connections that were configured to use an Index User rather than an Azure Application.

Any attempts to authenticate with Index User credentials were being rejected on the Microsoft side with status code HTTP 401 Unauthorized, and the response included a header with the following contents: X-MSDAVEXT_Error=917656;Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically

This appears to be due to a change on the Sharepoint side that sets the "Apps that don't use modern authentication" setting to "Block access" by default, potentially for all tenants.
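
For triaging connector failures, the rejection described above can be recognised from the status code and header alone. The following Python sketch is an added example, not Ayfie or Microsoft code; the connection names and sample responses are constructed, and it assumes the header value has the form code;URL-encoded message as quoted above.

```python
from urllib.parse import unquote_plus

# Error code taken from the header value quoted on this page.
LEGACY_AUTH_BLOCK_CODE = "917656"

def parse_msdavext_error(headers):
    """Return (code, message) from X-MSDAVEXT_Error, or None if absent or malformed."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    value = {k.lower(): v for k, v in headers.items()}.get("x-msdavext_error")
    if not value or ";" not in value:
        return None
    code, _, message = value.partition(";")
    return code.strip(), unquote_plus(message.strip())

def is_legacy_auth_block(status, headers):
    """True only for the 401 + 917656 combination described above."""
    parsed = parse_msdavext_error(headers)
    return status == 401 and parsed is not None and parsed[0] == LEGACY_AUTH_BLOCK_CODE

# Constructed sample responses; the connection names are hypothetical.
SAMPLE_RESPONSES = [
    ("hr-documents", 401, {"X-MSDAVEXT_Error": "917656;Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically"}),
    ("finance-onedrive", 401, {"WWW-Authenticate": "NTLM"}),  # a 401 with another cause
    ("legal-profiles", 200, {}),
]

def affected_connections(responses):
    """Names of connections whose response matches the legacy-auth rejection."""
    return [name for name, status, headers in responses
            if is_legacy_auth_block(status, headers)]

if __name__ == "__main__":
    print(affected_connections(SAMPLE_RESPONSES))
```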

While at this time it is possible to revert the change, it is understood that Microsoft intends to deprecate support for apps that do not use Modern Authentication and this change would be the first step of that process, analogous to several deprecations that preceded it.

Consequently, we have decided to begin deprecating support for Index User credentials for these types of connections in the Sharepoint connector.

If I was notified about this by Ayfie, does that mean I am affected?

No. The notification was sent to all active customers, as the Sharepoint connector is a default part of each Locator license.

Consequently, outside of installations deployed by the Ayfie Professional Services Team, we cannot know who is actively using this connector, much less whether they use it with Online or On-Premises sources.

How to determine if I am affected?

  • If your environment contains any of: Sharepoint Online Document or User Profile or OneDrive for Business:

    • You may be affected

    • Otherwise, you are not affected

  • If any of these connections have not been configured to Use Application instead of index user

    • You are affected

    • Otherwise, you are not affected

What is the impact of this issue for my existing Locator/Supervisor environment?

  • Locator search will continue to work

  • The Sharepoint connector will stop discovering, indexing or updating documents from affected sources unless changes are made to configuration either in Locator or in Sharepoint Online

What is the impact of the deprecation on the Locator side?

  • The option to use Index User credentials will continue to be available for the foreseeable future

  • This option will eventually be removed completely, exact date to be announced later

  • Any newly created Sharepoint Online and OneDrive connections should be created with Application credentials

What do I need to do?

Reconfigure the connections to use Application credentials

For each Sharepoint Online or OneDrive connection:

  • Edit the connection in the Management Console

  • Navigate to the Sharepoint Online Connection tab

  • Enable the Use application instead of Index User option

  • Replace the Index User credentials with an Application ID and Application Secret

Regarding the required set-up on the Sharepoint side, please refer to the Knowledge Base for Locator 4.x and newer: Microsoft SharePoint Connector Data Sheet

Temporary solution: change security settings in Sharepoint

This should be considered a temporary workaround only.

  • Navigate to https://<your tenant>-admin.sharepoint.com

  • Log in with an account with Sharepoint Admin permissions

  • Navigate to Policies -> Access Control -> Apps that don't use modern authentication

  • Change the setting to Allow Access and click Save

Do I need to update Locator and/or Supervisor?

Possibly.

  • Ensure that your installation of Locator / ViaWorks is updated to version 2.11 or newer. The versions of the Sharepoint connector that support using an application instead of Index User were only available for 2.10 and 2.11, and all versions prior to 2.11 have been declared End of Life.

  • Any installations of Locator 4.x and newer will automatically update Locator upon restarting the Saga platform - please refer to Ayfie Locator Installation Guide for details

  • Please note that if you update your Locator installation from an earlier major version, all installed connectors should be updated and all connections edited and resaved to ensure correct functioning.

Do I need to update the Sharepoint connector?

  • If you are using Locator 2.11, ensure your Sharepoint connector is updated to version 2.9.7 or newer. Please refer to Connector Feed for more information on how to update connectors in Locator 2.11

  • Any installations of Locator 4.x and newer will automatically update the installed connectors upon restarting the Saga platform - please refer to Ayfie Locator Installation Guide for details

Why was I informed that I need to update Content Handler?

The notification was sent out because previous releases of the Locator 5.x Content Handler we publish have shipped with an SSL certificate that expires July 29th, 2024.

An updated version of Content Handler has been released with a new certificate that will last until May 18th, 2025.

What is the Content Handler?

Content Handler is a user-side extension (installed on end-user machines, i.e. workstations) that allows users of your Locator 4.x and newer installation to open documents in native applications on their workstation directly from the search results page if those documents came from one of the following supported data sources: Alfresco, Domino, EdocsDM, Exchange (on-premises version only), Fileserver, LoboDMS, Worksite.

You can find out more about the Content Handler in the Ayfie Locator Installation Guide and the Ayfie Locator Architectural Overview.

What is the Document Handler?

Document Handler was an extension analogous to Content Handler, but used with Locator 2.x. The two extensions are not cross-compatible and should not be installed concurrently on the user’s system.

If I have received the notification, does it mean my users are affected?

No. The notification was sent to all active customers, as the Content Handler does not require a separate license and any customer could be using it - we have no way to determine this on our side.

Content Handler: How to determine if my users are affected?

  • Are you using the ContentHandler in your organization?

    • If no, then your users are not affected

    • If yes, then your users are affected

Do I need to update Locator and/or Supervisor?

Maybe.

If you are still using Locator 4.x, you will first need to migrate to Locator 5.x according to the migration procedure documented in Ayfie Locator Installation Guide.

If you are using Locator 5.x with the multi-user version of Content Handler and deploying it through group policy, updating Locator is not needed.

If you are using Locator 5.x with the single-user version of Content Handler and let the users install it themselves, they can only obtain it through a download link in the Locator 5.x UI. You will need to restart your Locator installation for it to update automatically (Ayfie Locator Installation Guide under “Starting and Stopping”) and serve the correct download.

Upgrade Instructions

Single-user version of Content Handler can be installed by the users themselves, provided you supply them with the correct installer.

Rollouts of the multi-user version of Content Handler should be handled by your IT.

Content Handler (Multi-User)

The download link and instructions to roll out the multi-user version of Content Handler are available under the “Content Handler” section of Ayfie Locator Installation Guide

What is the impact of an outdated Content Handler certificate?

  • Locator search will continue to work

  • Opening documents that are viewed through the web browser (e.g. Sharepoint Online) will continue to work

  • Downloading documents will continue to work

  • Document previews will continue to work

Content Handler

The Content Handler installation check (run from the Locator 4.x/5.x Search UI) does not persist its result.

  • Content Handler will not work and Locator will behave as if it is not installed

How to override the installation check?

There is no option to override the installation check for Content Handler.

A note on upgrading the Content Handler

While installing the new version over an already installed previous one will work, certain Registry entries relating to the previous version of Content Handler will remain, causing both to appear in the Add/Remove Programs dialog. This can be avoided by uninstalling the old version before installing the new one.
This has been reviewed by the development team and determined to be a non-critical cosmetic issue that should not take priority over making the fixed Content Handler available to customers.

Introduction

Saga comes with a Solr configuration well suited for most enterprise search scenarios. However, some cases may require changes to the /select request handler in solrconfig.xml. This is done by using the Solr Config API to create the file configoverlay.json with the changes.

How to Customize the Default Request Handler

  1. Obtain the default /select request handler to use as a template for the custom /select request handler.

    1. Start Saga

    2. Go to http://localhost/solr/Main/config/requestHandler in the browser. This will list all request handlers.

    3. Find the /select request handler in the response. It will be required in step 3.

  2. Store the following to a file named update.json:

    {
      "update-requesthandler": {
      }
    }

  3. Copy the /select request handler from step 1 and place it inside the "update-requesthandler" section in update.json.

  4. The update.json file will then look something like the example below. Please note that the ... in line 7 stands for most of the content of the /select request handler, which is not shown here.

    {
      "update-requesthandler": {
        "name":"/select",
        "class":"solr.SearchHandler",
        "defaults":{
          "echoParams":"explicit",
          ...
          "rows":10
        },
        "appends":{"fq":["platform_is_container:0","custom_field:0","{!sidvalidate}"]},
        "last-components":["elevator","suggest"]
      }
    }

  5. Customize the /select request handler as required. See Solr Request Handlers and Search Components for details.

  6. Open Command Prompt, cd to the directory that contains update.json and run the following command (requires that curl is installed):

    curl -X POST -H "Content-type:application/json" --data-binary @update.json http://localhost/solr/Main/config

  7. The updated /select request handler will automatically be active (no need to reload). It is persisted in ZooKeeper.

  8. If one wants to revert to the default /select request handler, one can store the following in a file named delete.json and run curl -X POST -H "Content-type:application/json" --data-binary @delete.json http://localhost/solr/Main/config

    {
        "delete-requesthandler": "/select"
    }
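
Steps 1 to 5 can be scripted so that a customization cannot silently drop the filters listed under "appends", which Solr adds to every query regardless of what the client sends. The following Python is an added example, not part of Saga; the sample response is constructed from the handler shown above, the rows change is hypothetical, and treating every default appends filter as mandatory is an assumption.

```python
import copy
import json

# Constructed sample of a GET .../solr/Main/config/requestHandler response,
# trimmed to the fields shown on this page (a real response lists more handlers).
SAMPLE_RESPONSE = {
    "config": {"requestHandler": {"/select": {
        "name": "/select",
        "class": "solr.SearchHandler",
        "defaults": {"echoParams": "explicit", "rows": 10},
        "appends": {"fq": ["platform_is_container:0", "custom_field:0", "{!sidvalidate}"]},
        "last-components": ["elevator", "suggest"],
    }}}
}

def default_select(response):
    """Step 1: pull the /select handler out of the Config API listing."""
    return copy.deepcopy(response["config"]["requestHandler"]["/select"])

def dropped_filters(default, custom):
    """Return default 'appends' fq entries that the custom handler no longer has."""
    def fqs(handler):
        fq = handler.get("appends", {}).get("fq", [])
        return [fq] if isinstance(fq, str) else list(fq)
    kept = set(fqs(custom))
    return [f for f in fqs(default) if f not in kept]

def build_update(default, custom):
    """Steps 2-5: wrap the custom handler, refusing to drop appended filters."""
    missing = dropped_filters(default, custom)
    if missing:
        raise ValueError(f"custom /select drops appended filters: {missing}")
    if custom.get("name") != "/select":
        raise ValueError("handler name must stay /select")
    return json.dumps({"update-requesthandler": custom}, indent=2)

if __name__ == "__main__":
    base = default_select(SAMPLE_RESPONSE)
    custom = copy.deepcopy(base)
    custom["defaults"]["rows"] = 25  # hypothetical customization
    with open("update.json", "w") as fh:
        fh.write(build_update(base, custom))
```

The resulting update.json is posted with the curl command from step 6.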