Coveo Platform7.0 - Microsoft SharePoint Connector Guidedownload.coveo.com/onlinehelppdfs/CES70-Microsoft... · 2019-01-07 · CoveoPlatform7.0|MicrosoftSharePointConnectorGuide 14.1ModifyingHiddenMicrosoftSharePointSourceParameters

Coveo Platform 7.0

Microsoft SharePoint Connector Guide

Coveo Platform 7.0 | Microsoft SharePoint Connector Guide

Notice

The content in this document represents the current view of Coveo as of the date of publication. Because Coveocontinually responds to changing market conditions, information in this document is subject to change withoutnotice. For the latest documentation, visit our website at www.coveo.com.

© Coveo Solutions Inc., 2014

Coveo is a trademark of Coveo Solutions Inc. This document is protected by intellectual property laws and issubject to all restrictions specified in the Coveo Customer Agreement.

Document part number: PM-140717-EN

Publication date: 1/3/2019

4www.coveo.com ii

http://www.coveo.com/



Table of Contents

1. Microsoft SharePoint Connector 1

1.1 Comparison With the Legacy Connector 1

1.2 Connector Features Summary 2

1.3 Features 2

2. Microsoft SharePoint Source Quick Setups 6

2.1 SharePoint 2016/2013/2010 On-Premises (Windows Classic) [AD] Source Quick Setup 6

2.2 SharePoint 2016/2013/2010 On-Premises (Windows Under Claims) [Claims] Source Quick Setup 8

2.3 SharePoint 2016/2013/2010 On-Premises (ADFS Under Claims) [Claims] Source Quick Setup 11

2.4 SharePoint Online (Native) [Claims] Source Quick Setup 15

2.5 SharePoint Online (ADFS SSO) [Claims] Source Quick Setup 18

2.6 SharePoint Online (Okta SSO) [Claims] Source Quick Setup 21

2.7 SharePoint Online (Federated - Okta) [Email] Source Quick Setup 25

2.8 SharePoint Online (Federated - ADFS) [Email] Source Quick Setup 29

2.9 SharePoint Online (Native) [Email] Source Quick Setup 32

3. Microsoft SharePoint Connector Deployment Overview 36

4. Listing User Profiles With a SharePoint Search Service Application 40

5. Granting SharePoint Permissions to the Crawling Account 42

5.1 Automatic Permissions Setup 42

5.2 Manual Permissions Setup 42

5.3 Adding the Full Read Policy to All SharePoint Farm Web Applications 44

5.3.1 Microsoft SharePoint 2013 or 2010 44

5.3.2 Microsoft SharePoint 2007 45

5.4 Adding the SharePoint Website Read Permission 46

5.4.1 Microsoft SharePoint 2013 or 2010 46


5.5 Adding the Retrieve People Data for Search Crawlers Permission to the User Profile ServiceApplication 48

5.6 Adding the Manage User Profiles Permission in Shared Service Rights 50

5.7 Adding the Crawling Account to the SharePoint Farm Administrators Group 51


4www.coveo.com iii





5.8 Adding the Crawling Account to the SharePoint Server Local Administrators Group 54

5.9 Granting the Site Collection Administrator Permission in SharePoint Online 55

5.10 Adding the Personal Sites Collections Owner Permissions for SharePoint Online 56

6. Installing the CoveoWeb Service, Search Box, and Search Interface into SharePoint 61

6.1 Activating or Deactivating the Coveo .NET Search Box in a SharePoint Site 67

6.2 Adding the Microsoft SQL Server System Administrators Role 69

6.2.1 Microsoft SQL Server 2008 and 2005 69

6.2.2 Microsoft SQL Server 2000 70

6.3 Adding the Database Owner Role for Microsoft SQL Server 71

6.3.1 Microsoft SQL Server 2008/2005 71

6.3.2 Microsoft SQL Server 2000 73

6.4 Coveo .NET Front-End First Time Setup 74

7. Creating a Claims Security Provider for an On-Premises SharePoint 84

7.1 Finding the Enabled Claims Authentication Type for a SharePoint Web Application 88

7.2 Finding and Enabling the ADFS Service Endpoint URL Path 88

8. Creating a Claims Security Provider for SharePoint Online 89

8.1 ADFS Server Requirements for a Claims Security Provider 92

8.2 Finding Your Office 365 Native Domain Name 93

8.3 Finding the Relying Party Trust Identifier for a SharePoint Web Application 93

8.4 Finding the Relying Party Trust Identifier for a SharePoint ADFS server 94

9. Creating a Claims to Email Security Provider for SharePoint Online 96

9.1 Configuring an Email Security Provider 98

10. Installing the Windows Azure AD Module for Windows PowerShell 101

11. Creating an Office 365 Security Provider for SharePoint Online 102

12. Creating a SharePoint Security Provider 105

13. Creating and Using a Custom SharePoint Mapping File 111

13.1 Standard Mapping File Schema 113

13.2 Determining the Name of a SharePoint Metadata Tag 119

14. Configuring and Indexing a Microsoft SharePoint Source 120

4www.coveo.com iv



14.1 Modifying Hidden Microsoft SharePoint Source Parameters 127

14.1.1 ADFS Related Parameters 127

14.1.2 Other Parameters 128

14.2 Finding the Assembly Type of a SharePoint Web Part 132

14.3 Adding an Explicit Connector Parameter 133

15. Configuring a .NET Search Interface Claims SSO 137

16. Manually Configuring a .NET Search Interface Claims SSO for an On-Premises SharePoint 143

16.1 SharePoint Server Configuration 144

16.2 Coveo .NET Front-End Server Configuration 146

17. Configuring the Claims-Aware Coveo Search Application 149

17.1 Step 1: Enabling Claims Authentication on the Coveo Search Site 149

17.2 Step 2: Creating the Coveo Relying Party Trust 151

17.3 Step 3: Editing Claims Rules for the Coveo Relying Party Trust 151

17.4 Step 4: Editing Claims Rules for the SharePoint Relying Party Trust 152

17.5 Step 5: Configuring the Coveo Service Account for ADFS Identity Delegation 152

17.6 Step 6: Performing the First-Time Setup on the Coveo Search Site 153

18. Configuring SharePoint Search Scopes 154

19. Integrating the Coveo .NET Search Box in My Site for SharePoint 2013 and 2016 159

4www.coveo.com v


4www.coveo.com vi




1. Microsoft SharePoint ConnectorCES 7.0.6767+ (June 2014)

The second generation Coveo connector for Microsoft SharePoint allows you to bring the information stored on oneor multiple SharePoint farms (tenants in SharePoint Online) into the unified index so that end-users can easilyaccess this content. The connector allows Coveo Enterprise Search (CES) to crawl and index a completeSharePoint farm or specific farm sections, such as Web Applications, site collections, websites, lists, and documentlibraries.

Note: The document in this section describes the second generation SharePoint connector.

CES 7.0.6830+ (July 2014) The original SharePoint connector is still available and was renamed SharePointLegacy connector.

CES 7.0.7433+ (February 2015) A tool to convert your SharePoint Legacy sources to SharePoint sources isavailable. The SharePoint Converter Tool is pretty useful when you want to take full advantage of the improvedSharePoint connector without having to recreate all your SharePoint Legacy sources. Contact Coveo Support toget the SharePoint Converter Tool.

1.1 Comparison With the Legacy ConnectorThe second generation SharePoint connector has been completely rewritten to provide similar features as theSharePoint Legacy connector with the bonus of a significantly improved crawling performance thanks to multi-threading and optimized API communications. For supported SharePoint versions, Coveo recommends to use thenew SharePoint connector to create or migrate SharePoint sources.

The following table highlights the differences between the two connectors.

Comparisonaspect

New SharePoint connector SharePoint Legacy connector

SupportedSharePointversions

Online, 2016, 2013, 2010, Foundation2013, and Foundation 2010

Online, 2013, 2010, MOSS 2007, WSS3,Foundation 2013, and Foundation 2010

Crawlingperformance

Significantly improved Good

Multi-threading Yes No

Refresh subtree Yes No

Claims formauthentication

No Yes

Unpublisheditems

Not indexed Indexed

4www.coveo.com 1


https://support.coveo.com/


1.2 Connector Features Summary

Features Supported Additional information

SharePoint version 2010, 2013,2016, Online,Foundation2010, and

Foundation 2013

Searchable contenttypes

Farms (tenants in SharePoint Online), Web applications, sitecollections, sites, user profiles*, personal websites*, lists, list items,list item attachments, document libraries, document sets,documents, Web parts1, and microblog posts and replies.

Contentupdate

Incrementalrefresh

Full refresh or rebuild is needed to retrieve deleted user profiles1.

Full refresh

Rebuild

Document-levelsecurity

* - Not available in Microsoft SharePoint Foundation.

1 - Not all Web parts are available in Microsoft SharePoint Foundation 2010 (seeOverview of Web Partsavailable in SharePoint Foundation 2010).

1.3 Featuresl Content indexing

o Indexing all SharePoint content

n Farms (tenants in SharePoint Online) and Web Applications

n Site collections, websites, and subsites

n Lists, list items, and list item attachments

Note: CES 7.0.8225+ (March 2016) SharePoint Online lists, list items, and list item attachments areindexed.

n Document libraries, documents, and document sets

n User profiles and personal websites

4www.coveo.com 2


https://support.office.com/en-us/article/Overview-of-Web-Parts-available-in-SharePoint-Foundation-2010-47795251-a542-4b53-912d-318853ed10b9



Note: User profiles and personal websites are not available in Microsoft SharePoint Foundation.

n Microblog posts and replies

n CES 7.0.7022+ (September 2014) Web Parts Pages [more]

Note: Not all Web parts are available in Microsoft SharePoint Foundation 2010 (see Overview ofWeb Parts available in SharePoint Foundation 2010).

n CES 7.0.7022+ (September 2014) Social tags [more]

o HTTP over SSL (HTTPS) support

You can use the SharePoint connector to index a SharePoint site that uses HTTPS.

l Security

The SharePoint connector supports security for SharePoint Web Applications using Classic Mode or ClaimsBased authentication.

o Classic Mode

The connector indexes permissions on SharePoint items as SharePoint groups and Windows accounts.

n When a user performs a query, returned results are only those to which his Windows account hasaccess.

n Users can perform queries from any Coveo search interface.

o Claims Based (Windows [NTLM or Kerberos], ADFS)

The connector indexes permissions on SharePoint items as SharePoint groups and Claims.

n When a user performs a query, returned results are only those with permissions that match any of theClaims assigned to the user after he is successfully authenticated in SharePoint.

n Users can perform queries from any Coveo .NET Front-End search interface:

o When searching from within SharePoint using the Coveo search box, the user is alreadyauthenticated in SharePoint and his Claims are available to the Coveo search interface. Thismeans that search queries can be performed using the Claims assigned to the user.

o Claims users can also perform searches for secured SharePoint content from Coveo searchinterfaces outside SharePoint without having to log in to the search interface when the searchinterface is configured for SSO (see "Manually Configuring a .NET Search Interface ClaimsSSO for an On-Premises SharePoint" on page 143).

n CES 7.0.9093+ (September 2017) Users can perform queries from any Coveo JavaScript searchinterface (see Coveo JavaScript Search Framework and Allowing a JavaScript Search Page toRetrieve SharePoint Claims).

l Incremental refresh

4www.coveo.com 3





Once incremental refresh is enabled on a SharePoint source, the SharePoint connector automaticallyrefreshes the content modified since the last incremental refresh run. This way, the index is always kept up todate.

Notes:

o CES 7.0.9434+ (September 2018) A change in the URI of SharePoint documents will cause anincremental refresh to add duplicate documents to your index. A full refresh (recommended) or rebuild isrequired to remove those duplicates and prevent the issue from happening again.

o CES 7.0.8541+ (September 2016) The incremental refresh takes account of added and modified userprofiles. A source full refresh or rebuild is required to update deleted user profiles.

o CES 7.0.8388– (June 2016) The incremental refresh does not take account of user profile changes.

l SharePoint Integration:

o Installation of Coveo Web Service on the SharePoint server to provide more crawling functions

o Installation of the Coveo search box to replace the SharePoint search box

o Installation of Coveo search interfaces on the SharePoint server

l Intranet and SharePoint search interface features related to the SharePoint connector:

o Search results folding for the following SharePoint items:

n Blog posts and their comments

n Discussion board threads

n Document sets and their items

o The Document Sets facet appears, listing all document sets included in the results when one or moredocument set items match the query.

o Search results referring to a document link in SharePoint are now identified with a special icon.

l CES 7.0.9272+ (March 2018) Okta single sign-on authentication is supported (see Okta Single Sign-OnProvider for SharePoint).

Note on exclusion filters

The SharePoint connector does not expand filtered items, meaning that the connector only expands and indexesitems that were not precedently excluded by a filter.

When you want to exclude a specific container but include its sub-items, you must use a script. Contact CoveoSupport for assistance.

4www.coveo.com 4





FeatureHistory

CES version Monthly release Features

7.0.9272 March 2018 Support for SharePoint on-premises SSO authentication with Okta [more]

7.0.8541 September 2016 Support for SharePoint 2016

7.0.7433 February 2015 Introduction of the SharePoint Converter Tool

7.0.7022 September 2014 Support for social tags and Web Parts Pages

7.0.6942 August 2014 l Indexing and folding for document sets

l Incremental refresh for web files and document setsl Refresh/delete a specific SharePoint section

7.0.6830 July 2014 l Support for incremental refresh

l Selectable crawling scope [more]

7.0.6767 June 2014 Introduction of this second generation SharePoint connector.

4www.coveo.com 5



2. Microsoft SharePoint Source Quick SetupsThe second generation of Coveo connector for SharePoint and the OneDrive for Business connector (CES 7.0.8047+ (December2015)) support several SharePoint versions and features as well as various authentication modes. The Coveocomponents and parameter values required to create SharePoint and OneDrive for Business sources varydepending on the SharePoint environment. The SharePoint and OneDrive for Business connectors documentationmay consequently appear somewhat complex because it addresses all aspects of numerous SharePointenvironment combinations.

The configuration of the components required to create a source for a given common SharePoint environment ishowever often simple for an administrator that is familiar with the Coveo Enterprise Search (CES) source creationprocess.

The topics in this section outline the required components and parameters to create a source for a few commonSharePoint environments. Parameters not mentioned should be left to their default values.

In the table of contents, each quick setup title gives information on the SharePoint environment and the CESsecurity configuration, helping you choosing the quick setup that best suits your needs.

Example: Online (Federated - ADFS) [Claims]

l The first part (in red) is the SharePoint deployment type/installation (either online or on-premises).

l The second part in parentheses (in blue) is the user authentication in SharePoint.

l The last part in square brackets (in green) is the user authentication in the Coveo search interface.

2.1 SharePoint 2016/2013/2010 On-Premises (Windows Classic) [AD] SourceQuick Setup

4www.coveo.com 6



1. Validate that your environment meets the requirements:

l (For SharePoint 2010 and 2013) CES 7.0.6767+ (June 2014)

OR

(For SharePoint 2016) CES 7.0.8541+ (September 2016)

OR

(For Microsoft OneDrive for Business) CES 7.0.8047+ (December 2015)

Note: You can check your CES version from the Administration Tool.

l Your Coveo license includes the Microsoft SharePoint or Microsoft OneDrive for Business connector.

2. Create a user identity with a dedicated Windows account that has access to all the SharePoint content that youwant to index.

Key parameter Value

Name You must name your user identity.

User In the domain\username or [email protected] form.

Password The corresponding password.

3. (Not for OneDrive for Business sources) On your SharePoint farm, install the Coveo web service and optionallythe search box, and search interface (see "Installing the Coveo Web Service, Search Box, and Search Interfaceinto SharePoint" on page 61).

4. Ensure that the crawling account of your user identity as appropriate permissions, the crawling account must:

l Be a member of the SharePoint farm administrators group (see "Adding the Crawling Account to theSharePoint Farm Administrators Group" on page 51)

l Have the Read permission for the site collection(s) that you want to index (see "Adding the SharePointWebsite Read Permission" on page 46).

5. Create a SharePoint security provider. [more]

Key parameter Value

Name You must name your security provider.

Security ProviderType

SharePoint

User Identity The user identity you just created.

Active DirectorySecurity Provider

The default Active Directory security provider.

4www.coveo.com 7



Key parameter Value

Security Providerfor SharePointUsers

None

SharePoint ServerUrl

The URL of the SharePoint web application where the Coveo SharePoint WebService is installed in the form http://SharePoint_server:[WebApp_port]

Authentication Type WindowsClassic

6. Create a SharePoint or OneDrive for Business source.

Key parameter SharePoint OneDrive for Business

Name You must name your source.

Source Type SharePoint (x64) OneDrive for Business

Addresses The URL for the SharePoint farm sections that youwant to index in the form https://SharePoint_

server[:port]/path, where [path] is needed onlywhen you want index a specific site collection, list, etc.

The URL for the SharePoint webapplication that you want to indexin the formhttps://SharePoint_

server:[WebApp_port].

AuthenticationType

WindowsClassic

Authentication The user identity you just created.

SecurityProvider

The SharePoint security provider you just created.

7. Rebuild the source and validate that documents are indexed.

2.2 SharePoint 2016/2013/2010 On-Premises (Windows Under Claims)[Claims] Source Quick Setup

4www.coveo.com 8





OR


OR





Key parameter Value




3. (Not for OneDrive for Business sources) On your SharePoint farm, install the Coveo web service and optionallythe search box, and search interface (see "Installing the Coveo Web Service, Search Box, and Search Interfaceinto SharePoint" on page 61).



4www.coveo.com 9




5. Create a Claims for SharePoint on-premises security provider. [more]

Key parameter Value


Security Provider Type Claims for SharePoint On-premises


SharePoint Web ApplicationUrl

The URL of the SharePoint web application using Claims-basedauthentication in the http://SharePointServer[:port]/ form.

Web Application supportsNTLM Claims Authentication

Selected

Allow Complex Identities Selected


Key parameter Value



SharePoint





The Claims for SharePoint on-premises security provider you just created.


The URL of the SharePoint web application where the Coveo SharePoint WebService is installed in the form http://SharePoint_server:[WebApp_port]

Authentication Type WindowsUnderClaims


4www.coveo.com 10






Addresses The URL for the SharePoint farm sections that youwant to index in the form https://SharePoint_

server[:port]/path, where [path] is needed onlywhen you want index a specific site collection, list, etc.

The URL for the SharePoint webapplication that you want to indexin the formhttps://SharePoint_


AuthenticationType

WindowsUnderClaims

Authentication The user identity you just created.

SecurityProvider



What'sNext?

l (For SharePoint sources only) When you provide a Coveo .NET Front-End search interface residing outsideSharePoint and want users to be able to find Claims-secured SharePoint content without having to log in againto SharePoint, configure the search interface to manage single sign-on.

l CES 7.0.9093+ (September 2017) (For SharePoint on-premises sources only) When you provide a CoveoJavaScript search interface and want to leverage SharePoint claims for content security, install the CoveoClaims Security Module, among other things (see Allowing a JavaScript Search Page to Retrieve SharePointClaims).

2.3 SharePoint 2016/2013/2010 On-Premises (ADFS Under Claims) [Claims]Source Quick Setup

4www.coveo.com 11





OR


OR




l Your ADFS setup meets Coveo requirements. [more]


Key parameter Value




4www.coveo.com 12



a. (Not for OneDrive for Business sources) On your SharePoint farm, install the Coveo web service andoptionally the search box, and search interface (see "Installing the Coveo Web Service, Search Box, andSearch Interface into SharePoint" on page 61).




4. Create a Claims for an on-premises SharePoint security provider. [more]

Key parameter Value


SecurityProvider Type

Claims for SharePoint On-premises

User Identity When you want to use a Claims-aware Coveo Search, select a user identity of anyWindows account that can be used to authenticate to ADFS (see "Configuring theClaims-Aware Coveo Search Application" on page 149). Otherwise, select the useridentity you just created.

SharePoint WebApplication Url

The URL of the SharePoint web application using Claims-based authentication in thehttp://SharePointServer[:port]/ form.

Web Applicationsupports AD FSClaimsAuthentication

Selected

Url of theSharePointAD FS Server

The URL of the ADFS server which is trusted by SharePoint.

Trust Identifierfor SharePoint

The Relying Party Trust identifier for the SharePoint web application. [more]

Allow ComplexIdentities

Selected

Notes: You can configure the security provider to operate when multiple ADFS servers are used toauthenticate users in SharePoint. [more]


4www.coveo.com 13



Key parameter Value


Security Provider Type SharePoint




Security Provider forSharePoint Users

The Claims for SharePoint On-Premises security provider you just created.

Security Provider forDomain Groups

(none)

SharePoint Server Url The URL of the SharePoint web application where the Coveo SharePoint WebService is installed in the form http://SharePoint_server:[WebApp_

port].

AuthenticationType AdfsUnderClaims

AdfsServerUrl The URL of the ADFS server for which a Trust is established with SharePoint.

SharePointTrustIdentifier The Relying Party Trust identifier for the SharePoint web application, such asurn:federation:MicrosoftOnline. [more]






Addresses The URL for the SharePoint farm sections thatyou want to index in the formhttps://SharePoint_server

[:port]/path, where [path] is needed onlywhen you want index a specific site collection,list, etc.

The URL for the SharePointweb application that youwant to index in the formhttps://SharePoint_


Authentication Type AdfsUnderClaims

4www.coveo.com 14




AdfsServerUrl(Hidden parameter)

The URL of the ADFS server for which a trust is established with SharePoint.

SharePointTrustIdentifier(Hidden parameter)

The Relying Party Trust identifier for the SharePoint ADFS server. [more]

Authentication The user identity you created.

Security Provider The SharePoint Security provider you just created.

Notes: You can configure the source to operate when multiple ADFS servers are used to authenticate usersin SharePoint.


What'sNext?

l (For SharePoint sources only) When you provide a Coveo .NET Front-End search interface residing outsideSharePoint and want users to be able to find Claims-secured SharePoint content without having to log in againto SharePoint, configure the search interface to manage single sign-on.

l CES 7.0.9093+ (September 2017) (For SharePoint on-premises sources only) When you provide a CoveoJavaScript search interface and want to leverage SharePoint claims for content security, install the CoveoClaims Security Module, among other things (see Allowing a JavaScript Search Page to Retrieve SharePointClaims).

2.4 SharePoint Online (Native) [Claims] Source Quick Setup


l CES 7.0.6767+ (June 2014)

OR

4www.coveo.com 15






l CES 7.0.8047+ (December 2015) DNS records for Office 365 at your DNS hosting provider


Key parameter Value


User A native Office 365 account in the [email protected] form


3. Ensure that the Windows account of your user identity has the appropriate permissions:

a. For content and permission indexing, incremental refresh, and site collection discovery, the account musthave Administrator permission for all SharePoint Online site collections to index, but also the root sitecollection. [more]

b. For personal site, user profile, and social tags indexing, the account must be owner of all personal sitescollections. [more]

4. Create a Claims for SharePoint Online security provider. [more]

Key parameter Value


Security Provider Type Claims for SharePoint Online


SharePoint Web Application Url In the form https://domain.sharepoint.com

Office 365 Native Users Domain(s) In the form domain.onmicrosoft.com [more]

5. Install the Windows Azure AD module on the Coveo Master server needed by the Office 365 security provider.[more]

6. Create an Office 365 security provider. [more]

4www.coveo.com 16



Key parameter Value


Security Provider Type Office 365

User Identity The native Office 365 user identity you created.

Users Security Provider The Claims for SharePoint Online security provider you just created.


Key parameter Value



SharePoint



(none)


The Claims for SharePoint Online security provider you just created.

Security Providerfor Domain Groups

The Office 365 security provider you just created.


URL of the SharePoint Online site in the form https://domain.sharepoint.com/[path] where [path] is needed only when you want index a specific site collection,list, etc.

AuthenticationType SpOnlineNative





Addresses The SharePoint Online server URL inthe formhttps://domain.SharePoint.com

.

The URL of the SharePoint Online site collectionregrouping all the personal sites (in which arelocated the OneDrives for Business) that you wantto index in the form https://domain-my.sharepoint.com.

4www.coveo.com 17




AuthenticationType

SpOnlineNative

Authentication The native Office 365 user identity you created.

SecurityProvider

The SharePoint Security provider you just created.


2.5 SharePoint Online (ADFS SSO) [Claims] Source Quick Setup


l CES 7.0.6767+ (June 2014)

OR






2. Create a user identity with a dedicated account that has access to all the SharePoint content that you want to

4www.coveo.com 18



index.

Key parameter Value


User A single sign-on Office 365 account in the [email protected] form.


3. Ensure that the account of your user identity has the appropriate permissions:




Key parameter Value


SecurityProvider Type

Claims for SharePoint Online

User Identity When a claims-aware Coveo Search is used, select a user identity of any Windowsaccount that can be used to authenticate to ADFS. Otherwise, select the user identity youjust created. [more]

SharePointWebApplication Url

In the form https://domain.sharepoint.com

Office 365Native UsersDomain(s)

In the form domain.onmicrosoft.com[more]

Allow ComplexIdentities

Selected

Notes: You can configure the security provider to operate:

l When single sign-on is enabled in Office 365. [more]

l When multiple ADFS servers are used to authenticate users in SharePoint. [more]

5. Install the Windows Azure AD module on the Coveo Master server needed by the Office 365 security provider.

4www.coveo.com 19



[more]


Key parameter Value



User Identity The single sign-on Office 365 user identity you created.

Users Security Provider The Claims for SharePoint Online security provider you justcreated.

Windows Azure Active Directory Modulefor Windows PowerShell

The installation path of the Microsoft Online Services Modulefor Windows PowerShell. [more]


Key parameter Value



User Identity The single sign-on Office 365 user identity you created.


(none)


The Claims for SharePoint Online security provider you just created.



SharePoint Server Url URL of the SharePoint Online site in the formhttps://domain.sharepoint.com/[path], where [path] is needed onlywhen you want index a specific site collection, list, etc.

AuthenticationType SpOnlineFederated

AdfsServerUrl The URL of the ADFS server for which a trust is established with SharePoint.



4www.coveo.com 20








.

The URL of the SharePoint Online sitecollection regrouping all the personalsites (in which are located theOneDrives for Business) that you wantto index in the form https://domain-my.sharepoint.com.

Authentication Type SpOnlineFederated




The Relying Party Trust identifier for the SharePoint ADFS server. [more]

Authentication The single sign-on Office 365 user identity you created.

Security Provider The SharePoint security provider you just created.



2.6 SharePoint Online (Okta SSO) [Claims] Source Quick Setup

4www.coveo.com 21




l CES 7.0.6767+ (June 2014)

OR





2. Create a user identity.

Keyparameter

Value


User An Okta SSO recognized account in the [email protected] form that can see all thecontent that you want to index.




b. For personal site, user profile, and social tags indexing, the account must be owner of all personal sitescollections [more].


Key parameter Value

Name You must name your security provider (ex.: Claims SharePoint Online Okta).


Claims for SharePoint Online

User Identity The user identity you created in step 2.

SharePoint WebApplication Url

In the form https://mydomain.sharepoint.com

4www.coveo.com 22



Key parameter Value

Office 365 NativeUsers Domain(s)

In the form mydomain.onmicrosoft.com[more]

Single Sign-On (ADFS) is enabled

Selected

Url of the SharePointAD FS Server

The full path to your SharePoint Online ActiveClientSignInUrl that should be inthe form: https://mydomain.okta.com/app/office365/[GUID]/sso/wsfed/active

You can find your SharePoint Online ActiveClientSignInUrl in Okta, in the signon instructions of the Microsoft Office 365 application:a. With an administrator account, log in into Okta.b. In the top menu, click Admin.c. In the administration panel, select Applications > Applications.d. In the Applications page, click Microsoft Office 365.e. In the Microsoft Office 365 page, select the Sign On tab.f. In the Sign On tab, under Sign On Methods section, click View Setup

Instructions.g. The ActiveClientSignInUrl is the value next to ActiveLogOnUri.

Trust Identifier forSharePoint

urn:federation:MicrosoftOnline

5. Install the Windows Azure AD module on the Coveo Master server needed by the Office 365 security provider[more].


Key parameter Value

Name You must name your security provider (ex.: Office 365

SharePoint Online Okta).



Users Security Provider The Claims for SharePoint Online security provider you justcreated.


The installation path of the Microsoft Online Services Modulefor Windows PowerShell.[more]


4www.coveo.com 23



Key parameter Value

Name You must name your security provider (ex.: SharePoint Online Okta).




Active Directory to resolve AD users.(none) to only recognize Okta SSO users.


The Claims for SharePoint Online security provider you created in step 4.


The Office 365 security provider you just created in step 6.

SharePoint Server Url URL of the SharePoint Online site in the formhttps://mydomain.sharepoint.com/[path], where [path] is neededonly when you want index a specific site collection, list, etc.


AdfsServerUrl The same path you entered when configuring the Claims for SharePoint Onlinesecurity provider (see AdfsServerUrl).





Name You must name your source (ex.: Claims SharePoint Online Okta orClaims OneDrive for Business Okta).


Addresses The SharePoint Online server URL inthe formhttps://mydomain.SharePoint.com

.

The URL of the SharePoint Onlinesite collection regrouping all thepersonal sites (in which are locatedthe OneDrives for Business) that youwant to index in the formhttps://domain-my.sharepoint.com.

Crawling Scope WebApplication N/A

4www.coveo.com 24






The same path you entered when configuring the Claims for SharePoint Onlinesecurity provider (see AdfsServerUrl).


The Relying Party Trust identifier for the SharePoint web application, such asurn:federation:MicrosoftOnline. [more]

Authentication The user identity you created in step 2.

Security Provider The SharePoint security provider you created in step 7.



10. (Not for OneDrive for Business sources) When a claims-aware Coveo Search is used, you can test thesearchability of the source [more]

a. Add the Claims for SharePoint security provider that you created in step 4 to the Coveo .NET Front-Endsearch interface.

b. Log in to the search interface with an Okta SSO recognized user, and then verify that you can see searchresults from the source you created in step 8, but only documents to which this user has access inSharePoint Online.

2.7 SharePoint Online (Federated - Okta) [Email] Source Quick Setup

4www.coveo.com 25




l CES 7.0.7433+ (February 2015)

OR




l Your domain is federated (see Okta / Microsoft Office 365 Deployment Guide).

l SharePoint user emails must match the one they use to log in to your Coveo search interface.



Keyparameter

Value


User An Okta SSO recognized account in the [email protected] form that can see all thecontent that you want to index.





4. Create an Email security provider. [more]

Key parameter Value


Security Provider Type Email (x64)

User Identity The federated Office 365 user identity you created.

5. Create a Claims to Email for SharePoint Online security provider.

4www.coveo.com 26


https://support.okta.com/articles/Knowledge_Article/Office365-Deployment-Guide?id=kA0F0000000U2sN&q=Office+365+Deployment+Guide


Key parameter Value


Security Provider Type Claims to Email for SharePoint Online


Security Provider The Email security provider you created in step 4.





Key parameter Value




Users Security Provider The Claims to Email for SharePoint Online security provideryou just created.




Key parameter Value





(none)


The Claims to Email for SharePoint Online security provider you just created.

4www.coveo.com 27



Key parameter Value



SharePoint Server Url URL of the SharePoint Online site in the formhttps://domain.sharepoint.com/[path]

where [path] is needed only when you want index a specific site collection,list, etc.


AdfsServerUrl The full path to your SharePoint Online ActiveClientSignInUrl that shouldbe in the form: https://mydomain.okta.com/app/office365/[GUID]/sso/wsfed/active

You can find your SharePoint Online ActiveClientSignInUrl in Okta, in thesign on instructions of the Microsoft Office 365 application:a. With an administrator account, log in into Okta.b. In the top menu, click Admin.c. In the administration panel, select Applications > Applications.d. In the Applications page, click Microsoft Office 365.e. In the Microsoft Office 365 page, select the Sign On tab.f. In the Sign On tab, under Sign On Methods section, click View Setup

Instructions.g. The ActiveClientSignInUrl is the value next to ActiveLogOnUri.




Name You must name your source (ex.: Claims SharePoint Online Okta orClaims OneDrive for Business Okta).



.





The same path you entered when configuring the SharePoint security provider(see AdfsServerUrl).

4www.coveo.com 28







Security Provider The SharePoint Security provider you created in step 8.


2.8 SharePoint Online (Federated - ADFS) [Email] Source Quick Setup


l CES 7.0.7433+ (February 2015)

OR





l SharePoint user emails must match the one they use to log in to your Coveo search interface.


4www.coveo.com 29




Key parameter Value


User A single sign-on Office 365 account in the [email protected] form.






Key parameter Value





Key parameter Value









4www.coveo.com 30



Key parameter Value




Users Security Provider The Claims to Email for SharePoint Online security provideryou just created.




Key parameter Value





(none)


The Claims to Email for SharePoint Online security provider you just created.



SharePoint Server Url URL of the SharePoint Online site in the formhttps://domain.sharepoint.com/[path]where [path] is needed only when you want index a specific site collection,list, etc.


AdfsServerUrl The URL of the ADFS server for which a trust is established with SharePoint.



4www.coveo.com 31




Name You must name your source (ex.: Claims SharePoint Online ADFS orClaims OneDrive for Business ADFS).



.









Security Provider The SharePoint security provider you created in step 8.


2.9 SharePoint Online (Native) [Email] Source Quick Setup

4www.coveo.com 32




l CES 7.0.6767+ (June 2014)

OR






Key parameter Value


User A native Office 365 account.

Note:l When you use your own domain in Office 365: [email protected].

l When you use the initial domain in Office 365:[email protected].


3. Ensure that the Windows account of your user identity has the appropriate permissions:




Key parameter Value





4www.coveo.com 33



Key parameter Value









Key parameter Value




Users Security Provider The Claims for SharePoint Online security provider you just created.


Key parameter Value




Active Directory SecurityProvider

(none)


The Claims to Email for SharePoint Online security provider you justcreated.

Security Provider for DomainGroups


4www.coveo.com 34



Key parameter Value

SharePoint Server Url URL of the SharePoint Online site in the formhttps://domain.sharepoint.com/[path]where [path] is needed only when you want index a specific sitecollection, list, etc.

AuthenticationType SpOnlineNative






.

The URL of the SharePoint Online site collectionregrouping all the personal sites (in which arelocated the OneDrives for Business) that you wantto index in the form https://domain-my.sharepoint.com.

AuthenticationType

SpOnlineNative N/A

Authentication The native Office 365 user identity you created.

SecurityProvider



4www.coveo.com 35



3. Microsoft SharePoint Connector Deployment OverviewThe following procedure outlines the steps needed to deploy the second generation Microsoft SharePointconnector. The SharePoint connector supports several SharePoint versions as well as various authenticationmodes. The configuration steps depend on the configuration of your SharePoint environment.


l Coveo license for the Microsoft SharePoint connector

Your Coveo license must include support for the Microsoft SharePoint connector to be able to use thisconnector.

l CES 7.0.8047+ (December 2015) (For SharePoint Online only) Configure DNS settings for Office 365 atyour DNS hosting provider.

a. Log in to Office 365 admin center with an administrator account.

b. In the navigation bar on the left, select Setup, and then Domains.

c. In the Home > Domains page, under Domain Name, click your corporate domain(company.onmicrosoft.com).

d. In the [domain name] page, in the DNS settings section, take note of the DNS records.

e. Configure these DNS records in your DNS host provider (see Create DNS records at any DNS hostingprovider for Office 365).

f. In the [domain name] page, in the DNS records section, click the Troubleshoot domain link to ensurethe DNS records were correctly configured.

l CES 7.0.6767+ (June 2014)

l ADFS requirements

When your SharePoint environment uses ADFS as a trusted identity provider, your ADFS setup must meetspecific requirements (see "ADFS Server Requirements for a Claims Security Provider" on page 92).

l Okta requirements

When your SharePoint environment uses Okta as an SSO provider, your Okta setup must meet specificrequirements (see Okta Single Sign-On Provider for SharePoint).

l Supported SharePoint version:

o SharePoint Online

o CES 7.0.8541+ (September 2016) SharePoint 2016 (on-premises)

o SharePoint 2013 (on-premises)

4www.coveo.com 36


https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=2&ct=1357924529&rver=6.1.6206.0&wp=MCMBI&wreply=https://portal.microsoftonline.com/landing.aspx?target%3D%252fdefault.aspx&lc=1033&id=271346

https://support.office.com/en-US/client/results?Shownav=true&lcid=1033&ns=O365ENTADMIN&version=15&ver=15&HelpID=O365M_DomainsDNSSettings_CreateDNSRecords

https://support.office.com/en-US/client/results?Shownav=true&lcid=1033&ns=O365ENTADMIN&version=15&ver=15&HelpID=O365M_DomainsDNSSettings_CreateDNSRecords


n Microsoft SharePoint Foundation 2013

n Microsoft SharePoint 2013 (SharePoint 2013)

o SharePoint 2010 (on-premises)

n Microsoft SharePoint Foundation 2010 (WSS 4)

n Microsoft SharePoint 2010 (SharePoint 2010)

Notes:

o You can index on-premises SharePoint 2007 content with the SharePoint Legacy connector.

o Coveo Platform 7 does not support indexing SharePoint 2003 content.

2. Referring to the following table, identify the SharePoint environment type that you want to index (Classic,Claims, or Online type).

SharePointenvironment type

SharePointVersion

Online 2016/2013/2010 on-premises

Web appauthentication

Office 365Native

SSO ADFSClassicWindows

Claims-based

Okta

Classic ✓

Claims ✓ ✓

Online ✓ ✓

3. On your SharePoint farm (tenant in SharePoint Online):

a. Select or create a user that the connector will use to crawl your SharePoint content. Refer to the followingtable to identify the required type of user for your type of SharePoint environment.

SharePointenvironment

SharePoint WebApplication Enabledauthentication

Type of user User format

Classic(2010, 2013,or 2016) Windows

Windowsaccount

domain\username

[email protected]

4www.coveo.com 37



SharePointenvironment

SharePoint WebApplication Enabledauthentication

Type of user User format

Claims(2010, 2013,or 2016)

WindowsWindowsaccount

ADFS ADFS SSO

Okta Okta SSO [email protected]

OnlineNative

Native Office 365account

[email protected]

SSO with ADFS Single Sign-OnOffice 365account

[email protected]

SSO with Okta

b. For on-premises environments, install the Coveo web service, search box, and search interface on yourSharePoint farm (see "Installing the Coveo Web Service, Search Box, and Search Interface intoSharePoint" on page 61).

Note:With this installation procedure, you can also integrate the Coveo search box to SharePoint.Integrating the search box is not required to deploy the connector and it can be done later.

CES 7.0.9093+ (September 2017) If you plan on creating a JavaScript search page and want to leverageclaims from your on-premises SharePoint farm, you can install the Coveo Claims Security Module ratherthan the Coveo .NET Front-End web service (see Coveo JavaScript Search Framework and Allowing aJavaScript Search Page to Retrieve SharePoint Claims).

Important: Do not install both the Coveo Claims Security Module and the Coveo .NET Front-End webservice, as this would create duplicate files on your server.

c. Grant appropriate SharePoint permissions to the crawling account you selected to ensure access to all thecontent that you want to index (see "Granting SharePoint Permissions to the Crawling Account" on page42).

d. CES 7.0.8541+ (September 2016) For on-premises environments, when you have thousands of userprofiles in your farm, it is recommended to create a search service application to list your user profiles (see"Listing User Profiles With a SharePoint Search Service Application" on page 40).

4. On the Coveo Master server, in the Administration Tool:

a. Configure the user identity

Once the crawling account has been set up, you must create a CES user identity for this account.

b. When indexing SharePoint Online content, you must install the Windows Azure AD module on the Coveo

4www.coveo.com 38



Master server because it is needed by the Office 365 security provider (see "Installing the Windows AzureAD Module for Windows PowerShell" on page 101).

c. Referring to the following table, create the security providers required for your SharePoint environmentfollowing the order in the numerical icons.

Required security provider type

Online 2016/2013/2010 on-premises

Office 365Native

SSOADFS

ClassicWindows

Claims-based

Okta

Active Directory 1 1

Claims for SharePoint on-premises

21

Claims for SharePoint Online 1OR

1OR

Claim to Email for SharePointOnline 1 1

Office 365 2 2

SharePoint 3 3 2 3 2

Note:When an Active Directory security provider is required, use the out-of-the-box Active Directorysecurity provider.

d. CES 7.0.6607+ (April 2014) Create a SharePoint field set to take advantage of the metadata available onSharePoint content.

i. It is recommended to start by importing the default SharePoint field set file ([CES_Path]\Bin\Coveo.CES.CustomCrawlers.SharePoint.FieldSet.xml) to create fields for all themetadata available by default from SharePoint documents.

ii. When you created custom metadata for your SharePoint documents, add corresponding fields to thefield set.

e. Configure and index the Microsoft SharePoint source

The Coveo connector needs to know details about your Microsoft SharePoint server or farm to be able toindex its content (see "Configuring and Indexing a Microsoft SharePoint Source" on page 120).

5. When you provide a Coveo .NET search interface residing outside SharePoint and want users to be able tofind Claims-secured SharePoint content without having to log in again to SharePoint, configure the searchinterface to manage single sign-on (see "Manually Configuring a .NET Search Interface Claims SSO for an On-Premises SharePoint" on page 143).

4www.coveo.com 39



4. Listing User ProfilesWith a SharePoint Search ServiceApplicationCES 7.0.8541+ (September 2016) The Coveo connector for SharePoint supports to retrieve the user profilesdirectly from the SharePoint 2010, 2013, and 2016 search service application. This method is particularly useful forfarms containing thousands of user profiles to improve the indexing performance.

Once the search service application has retrieved all user profiles, the Coveo connector queries the application forall profiles.

To list user profileswith a SharePoint search service application

1. With an administrator account, access the SharePoint Central Administration.

2. In the Central Administration page, click Manage service applications.

3. If you do not already have one, create a search service application:

a. In the top menu, in the Create section, click the New drop-down list menu, and then select Search ServiceApplication.

b. In the Create New Search Service Application dialog:

i. In the fist box, enter a meaningful Service Application Name.

Example: Coveo Connector

ii. Click OK.

4. In the application list, click the Name of the application.

5. In the [Search Service Application Name]: Search Administration page, in the menu on the left, underCrawling, click Content Sources.

6. In the [Search Service Application Name]: Manage Content Sources page, click the Local SharePoint sitessource Name.

7. In the [Search Service Application Name]: Edit Content Source page, in the Type start addresses below(one per line) box, cut the URL starting with sps3, and then click OK.

8. Back in the [Search Service Application Name]: Manage Content Sources page, click New Content Source.

9. In the [Search Service Application Name]: Add Content Source page:

a. In the first box, enter a content source Name.

Example: mysites host

b. In the Type start addresses below (one per line) box, paste the URL that you cut in step 8.

c. Under Full Crawl, click Create schedule.

4www.coveo.com 40



Note: The full crawl is necessary for the SharePoint connector to take account of deleted user profiles.

d. In the Manage Schedules dialog:

i. Next to Settings, in the Run every box, enter 1.

ii. Next to Settings, in the Starting time drop-down list menu, select a time at least one hour prior thestart of your SharePoint V2 source refresh (see Configuring and Indexing a Microsoft SharePointSource).

iii. Click OK.

e. Click OK.

10. (For SharePoint 2013 and 2016 only) Back in the [Search Service Application Name]: Manage ContentSources page, in the menu on the left, under Queries and Results, click Result Sources.

11. (For SharePoint 2013 and 2016 only) In the [Search Service Application Name]: Manage Result Sourcespage, click Local People Results drop-down list menu, and then select Set as Default.

Note: Setting the Local People Results result source as default allowed the application to return userprofiles.

What'sNext?

While configuring your SharePoint V2 source (see "Configuring and Indexing a Microsoft SharePoint Source" onpage 120), retrieve the list of user profiles from the native SharePoint Crawler, by adding the LoadUserProfilesand UsePeopleSearchForUserProfiles hidden parameters and set the parameter values to true.

4www.coveo.com 41



5. Granting SharePoint Permissions to the Crawling AccountYou must select an existing account or create a new one that the SharePoint, SharePoint Legacy or OneDrive forBusiness (CES 7.0.8047+ (December 2015)) connector will use to crawl your SharePoint or OneDrive for Businesscontent.

Tip: The best practice is to create a dedicated account for the exclusive use of the Coveo connector with apassword that never changes. If you must change the password of this account you will need to change it both inthe original identity provider system (AD or other) and in the corresponding CES user identity.

This crawling account must have the proper rights to retrieve the information from your SharePoint farm (tenant inSharePoint Online). There are two methods to configure the necessary SharePoint permissions for the crawlingaccount.

l "Automatic Permissions Setup" on page 42

l "Manual Permissions Setup" on page 42

5.1 Automatic Permissions SetupThe SharePoint and SharePoint Legacy connectors have the ability to automatically set the required permissions toallow the crawling account to gain read access to the whole content as long as the following requirements are met:

l For SharePoint 2016, 2013, Foundation 2013, 2010, Foundation 2010, and 2007 (Not for SharePoint Online)

l The Coveo SharePoint web service must be installed on the SharePoint farm (see "Installing the Coveo WebService, Search Box, and Search Interface into SharePoint" on page 61)

l The crawling account must:

o Be a member of the SharePoint farm administrators group (see "Adding the Crawling Account to theSharePoint Farm Administrators Group" on page 51)

o Have the Read permission for the site collection(s) that you want to index (see "Adding the SharePointWebsite Read Permission" on page 46).

5.2 Manual Permissions SetupWhen your SharePoint environment does not meet the requirements for the automatic method, you must manuallyset permissions for your SharePoint crawling account.

The following table presents the minimal required permissions that the crawling account must have to perform thespecified action for the supported SharePoint versions.

Note: CES 7.0.8047+ (December 2015) For OneDrive for Business, follow the actions applicable to yourSharePoint version.

4www.coveo.com 42



SharePoint versionAction to perform Minimal required permission

Online 2016 2013 2010 2007

✓

Content and Security indexing,incremental refresh, and sitecollection discovery

l CES 7.0.8047+ (December 2015)(Only when you index thecontent of a SharePoint webapplication) SharePointAdministrator permission inOffice 365 (see Assigningadmin roles in Office 365).

l Administrator permission forall SharePoint Online sitecollections, including the rootsite collection (see "Grantingthe Site CollectionAdministrator Permission inSharePoint Online" on page55).

✓ ✓ ✓ ✓

Full Read policy for all SharePointfarm web applications (see"Adding the Full Read Policy to AllSharePoint Farm WebApplications" on page 44).

✓ ✓ ✓ ✓

Personal site, user profile andsocial tags indexing

Notes:l When indexing personal sitesor user profiles, the crawlingaccount must not have apersonal site on theSharePoint server beingindexed to prevent connectorfailure cases whenattempting to retrieve the listof personal sites.

l Personal sites and userprofiles are not included inSharePoint Foundation.

Read permission for the sitecollection of the source startingaddress (see "Adding theSharePoint Website ReadPermission" on page 46).

✓ ✓ ✓

Retrieve People Data for SearchCrawlers permission to the UserProfile Service Application (see"Adding the Retrieve People Datafor Search Crawlers Permission tothe User Profile ServiceApplication" on page 48).

✓

Manage user profiles permissionto the Shared Service Rights (see"Adding the Manage User ProfilesPermission in Shared ServiceRights" on page 50).

✓

Owner of all personal sitescollections (see "Adding thePersonal Sites Collections OwnerPermissions for SharePoint Online"on page 56).

4www.coveo.com 43


https://support.office.com/en-us/article/Assigning-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504



What'sNext?

Once you granted the appropriate permissions:

l (For SharePoint on-premises versions only) Optionally install the Coveo SharePoint web service (see"Installing the Coveo Web Service, Search Box, and Search Interface into SharePoint" on page 61).

l (For SharePoint sources only) Create and index a SharePoint source.

l (For OneDrive for Business sources only) Create and index a OneDrive for Business source.

5.3 Adding the Full Read Policy to All SharePoint FarmWeb ApplicationsYou must add the Full Read policy to all SharePoint farm web applications for the crawling account when you wantto perform SharePoint content and security indexing, incremental refresh, and site collection discovery.

The procedure applies to SharePoint 2013, 2010, and 2007 and varies depending on the SharePoint version:

l "Microsoft SharePoint 2013 or 2010" on page 44

l "Microsoft SharePoint 2007" on page 45

Note: The permissions required for the crawling account in the case of SharePoint Online are different.

5.3.1Microsoft SharePoint 2013 or 2010

1. Access SharePoint 2013/2010 Central Administration (Windows Start menu > All Programs > MicrosoftSharePoint 2013/2010 Products).

2. In SharePoint 2013/2010 Central Administration, under Application Management, click Manage webapplications.

3. For each web application to crawl:

a. In theWeb Applications Management page:

i. Click the name of the desired web application to highlight it.

ii. In the ribbon, click User Policy.

b. In the Policy for Web Application dialog box, click Add Users.

c. In the Add Users wizard:

4www.coveo.com 44



i. In the Zone drop-down list, select (All zones), and then click Next.

ii. In the Users text box, add the crawling account.

iii. Under Permissions, select the Full Read - Has full read-only access check box.

iv. Click Finish.

d. In the Policy for Web Application dialog box, click OK.

5.3.2Microsoft SharePoint 2007

1. Access SharePoint 3.0 Central Administration (Windows Start menu > All Programs > Microsoft OfficeServer).

2. Click Application Management.

3. Click Policy for Web application.

4. For every web application to crawl:

a. Click Add Users.

b. Select (All Zones), and then click Next.

c. In the Users text box, add the crawling account.

4www.coveo.com 45



d. Under Permissions, select the Full Read - Has full read-only access checkbox, and then click Finish.

5.4 Adding the SharePoint Website Read PermissionYou must add the SharePoint site Read permission to the crawling account when you want to:

l Perform SharePoint personal site and user profile indexing.

l Take advantage of the automatic permission setup feature of the SharePoint connector (see "AutomaticPermissions Setup" on page 42).

The procedure applies to SharePoint 2013, 2010, and 2007 and varies depending on the SharePoint version:

l "Microsoft SharePoint 2013 or 2010" on page 46


5.4.1Microsoft SharePoint 2013 or 2010

1. Access the SharePoint site collection that you want to index.

2. Click the gear icon (SharePoint 2013) or the Site Actions (SharePoint 2010), and then select SitePermissions.

3. In the ribbon, click Grant Permissions.

4. In the Grant Permissions dialog box:

4www.coveo.com 46



a. In the Users/Groups text box, add the crawling account.

b. Under Grant Permissions, select the Grant users permission directly radio button, and then select theRead - Can view pages and list items and download documents check box.

c. Click OK.


1. Access the SharePoint site collection site collection that you want to index.

2. Click Site Actions, and then select Site Settings.

3. Click Advanced Permissions in the Users and Permissions column.

4. Click New.

5. In the Add Users page:

4www.coveo.com 47




b. Under Give Permission, select the Give users permission directly radio button, and then select theRead - can view only check box.

c. Click OK.

5.5 Adding the Retrieve People Data for Search Crawlers Permission to theUser Profile Service ApplicationYou must add the Retrieve People Data for Search Crawlers permission to the User Profile Service application forthe crawling account when you want to perform SharePoint personal site and user profile indexing. This procedureapplies only to SharePoint 2013 and 2010.

To add theRetrieve PeopleData for SearchCrawlers permission to theUser Profile Serviceapplication


2. In the SharePoint 2013/2010 Central Administration, under Application Management, click Manage serviceapplications.

3. In the Manage Service Applications page:

4www.coveo.com 48



a. Without clicking it, highlight User Profile Service Application.

Note:When User Profile Service Application is not present in the service applications list, the UserProfile Service Applicationmay not be installed on your SharePoint farm, and there is therefore nopeople data to index. Abort this procedure.

b. In the ribbon, click Administrators.

4. In the Administrators for User Profile Service Application dialog box:

4www.coveo.com 49



a. In the first box, type the crawling account, and then click Add.

b. In the second box, select the crawling account.

c. In the Permission for Administrators list, select the Retrieve People Data for Search Crawlers checkbox, and then click OK.

5.6 Adding the Manage User Profiles Permission in Shared Service RightsYou must add the Manage user profiles to Shared Service Rights for the crawling account when you want toindex SharePoint personal sites and user profiles. This procedure applies only to MOSS 2007 (SharePoint 2007).

To add theManage user profiles permission to SharedServiceRights


2. Click Shared Services Administration.

3. Click the shared service link hosting the user profiles and personal sites data.

4. Click Personalization service permissions.

5. Click Add Users/Groups.

6. In the Add Users/Groups: Shared Service Rights page:


b. In the Choose Permissions section, select the Manage user profiles check box.

c. Click Save.

4www.coveo.com 50



5.7 Adding the Crawling Account to the SharePoint Farm Administrators GroupYou must add the crawling account to the SharePoint farm administrators group when you want to:

l Install the Coveo SharePoint web service (see "Installing the Coveo Web Service, Search Box, and SearchInterface into SharePoint" on page 61).

l Take advantage of the automatic permissions setup feature of the SharePoint connector (see "AutomaticPermissions Setup" on page 42).

The procedure varies depending on the SharePoint version:





1. Access SharePoint 2013 Central Administration (Windows Start menu > All Programs > MicrosoftSharePoint 2013 Products).

2. In the SharePoint Central Administration:

a. In the Central Administrationmenu on the left, select Security.

b. In the Security page, under Users, click Manage the farm administrators group.

c. In the People and Groups - Farm Administrators page, click New.

d. In the Share 'Central Administration' dialog box, in the Add people to the Farm Administrators group

4www.coveo.com 51



box, add the crawling account, and then click Share.


1. Access SharePoint 2010 Central Administration (Windows Start menu > All Programs > MicrosoftSharePoint 2010 Products).

2. In SharePoint 2010 Central Administration, under Security, selectManage the farm administrators group.

3. In the People and Groups page, click New.

4www.coveo.com 52



4. In the Grant Permissions dialog box, in the Users/Groups box, add the crawling account, and then click OK.



2. Click Operations.

3. Click Update farm administrator's group.

4. Click New.

5. In the Add Users page:

4www.coveo.com 53




b. Under Give Permissions:

i. Select the Add users to a SharePoint group radio button.

ii. In the drop-down list, select Farm Administrators [Full Control].

iii. Click OK.

5.8 Adding the Crawling Account to the SharePoint Server Local AdministratorsGroupYou may need to add the crawling account to the SharePoint server local Administrators group when you want to:

l Perform SharePoint personal site and user profile indexing, incremental refresh, and site collection discovery(see "Granting SharePoint Permissions to the Crawling Account" on page 42).

l Install the Coveo SharePoint web service (see "Installing the Coveo Web Service, Search Box, and SearchInterface into SharePoint" on page 61).

Note: This procedure applies to Microsoft Windows Server 2008.

To add the crawling account to the SharePoint server local administrator group

1. On the SharePoint server, access the Computer Management console (Windows Start menu > AllPrograms > Administrative Tools).

2. In the panel on the left, expand System Tools > Local Users and Groups, and then click Groups.

4www.coveo.com 54



3. In the panel on the right, right-click Administrators, and then click Add to Group.

4. In the Administrators Properties dialog box:

a. Click Add.

b. In the Select Users, Computers, or Groups dialog box, enter the crawling account, and then click OK.

a. Click OK to close the Administrators Properties dialog box.

5.9 Granting the Site Collection Administrator Permission in SharePoint OnlineIn SharePoint Online, the CES crawling account must be an administrator in Office 365 (CES 7.0.7914+ (October2015)) and an administrator of all SharePoint Online site collections from which you want to index content, but alsothe root site collection.

This high level permission is required because SharePoint Online currently does not offer lower level permissionsthat allow to crawl site collection content. The root site collection administrator permission is needed by theSharePoint auto discovery mechanism that the Coveo connector uses for operations such as detecting refreshedand deleted folders and crawling.

Grant the administrator permission using SharePoint Online admin center

1. Access SharePoint Online administration center (https://your_domain-admin.sharepoint.com).

2. Click Manage site collections.

3. In the navigation panel on left, click Site Collections.

4. In the panel on the right, under Site Collections, select one or more site collections you want to crawl.

5. In the tool bar, click Owners, and then Manage Administrators.

4www.coveo.com 55



6. Add the crawling account to the list of Site Collection Administrators.

7. Click OK.

What'sNext?

CES 7.0.7914+ (October 2015) Assign the admin role to your crawling account in Office 365 (see Assigning adminroles in Office 365).

5.10 Adding the Personal Sites Collections Owner Permissions for SharePointOnlineYou must make the crawling account an owner of all the personal sites collections when you want to indexSharePoint Online personal sites and user profiles. The crawler will only be able to index content from a personalsite if the crawling account is an owner of this personal site, other personal sites for which it is not an owner will beignored.

You can add these permissions using one of the following methods:

l Using the admin center (SharePoint Online 2010 and 2013)

SharePoint Online admin center allows granting owner permissions for only one personal site collection at atime, which means this procedure has to be done for every personal site collection.

l Using a PowerShell script (SharePoint Online 2013 only)

A PowerShell script using SharePoint Online cmdlets is available to facilitate the task of granting ownerpermissions to a specific account for all personal site collections.

To add theOwner permission using SharePoint Online admin center

1. Access SharePoint Online administration center (https://your_domain-admin.sharepoint.com).

2. In the navigation panel on the left, click user profiles.

3. Click Manage User Profiles.

4. Use the search box to find the user profiles of the users you want to crawl.

4www.coveo.com 56





5. Right-click an Account Name and then selectManage site collection owners.

6. Add the crawling account to the list of Site Collection Administrators.

7. Click OK.

4www.coveo.com 57



To grant theOwner permission using SharePoint OnlineManagement Shell

Notes:

l You must regularly perform the following procedure when you want to grant permissions for site collections ofnew users.

l This procedure applies to SharePoint Online only.

1. Install SharePoint Online management shell (see the Microsoft document Set up the SharePoint OnlineManagement Shell Windows PowerShell environment).

2. Download the zipped COVEOSPO.PS1 script file to the server where the SharePoint Onlinemanagement shell was previously installed.

Important: The script was updated on January 21, 2016.

3. Unzip the file.

4. On the Windows menu select Start > All Programs > SharePoint Online Management Shell.

5. Load the COVEOSPO.ps1 script.

Example: $> . C:\script\COVEOSPO.ps1

6. Run the Set-COVEOSPOMySitesOwner and Set-COVEOSPOSitesAdmin cmdlets.

The following table lists the parameters supported by each of the cmdlets:

Parameter and definitionSet-

COVEOSPOMySites

Owner

Set-

COVEOSPOSitesA

dmin

AdminSiteUrlSpecifies the URL of the SharePoint Online tenant. ✓ ✓

AdminUsernameSpecifies the username of the SharePoint Online globaladministrator used to connect to the SharePoint server. This userwill be added to the sites collection administrators (for the Set-COVEOSPOMySitesOwner cmdlet) or the personal sitesadministrators (for the Set-COVEOSPOSitesAdmin cmdlet) if theNewAdminUsername parameter is empty.

✓ ✓

AdminPasswordSpecifies the password of the SharePoint Online globaladministrator used to connect to the SharePoint server.

✓ ✓

UsersDomainNameSpecifies the domain of the users from which to retrieve personalsites.

✓

4www.coveo.com 58


http://technet.microsoft.com/en-us/library/fp161372.aspx

http://technet.microsoft.com/en-us/library/fp161372.aspx


Parameter and definitionSet-

COVEOSPOMySites

Owner

Set-

COVEOSPOSitesA

dmin

NewAdminUsernameSpecifies the username of one or more SharePoint Online usersand/or group(s) to be added in the sites collection administrators(for the Set-COVEOSPOMySitesOwner cmdlet) or the personalsites administrators (for the Set-COVEOSPOSitesAdmin cmdlet).If not set, the user specified in the AdminUsername parameterwill be added.

Notes:l You can add user and group at the same time byseparating values with comma.

Example: -NewAdminUsername"[email protected]","[email protected]","c:0-.f|rolemanager|s-[accountNumber]"

l You must find the group ID to add the associated users inthe sites collection or personal sites administrators (see Tofind a SharePoint group ID).

✓ ✓

RemoveThis parameter is a switch that, when included in the script,removes the user(s) and/or group(s) specified in theNewAdminUsername parameter (instead of adding them) fromthe sites collection administrators (for the Set-COVEOSPOMySitesOwner cmdlet) or the personal sitesadministrators (for the Set-COVEOSPOSitesAdmin cmdlet).

✓ ✓

Examples:

l $> Set-COVEOSPOMySitesOwner -AdminSiteUrl https://acme-admin.sharepoint.com -

AdminUsername [email protected] -AdminPassword password -UsersDomainName

acme.onmicrosoft.com

l $> Set-COVEOSPOSitesAdmin -AdminSiteUrl https://acme-admin.sharepoint.com -

AdminUsername [email protected] -AdminPassword password -

NewAdminUsername "[email protected]", "c:0-.f|rolemanager|s-1-5-21-

2644810858-3409521387-2709630237-4818302"

To find aSharePoint group ID

1. If not already done, repeat the procedure to add the Owner permission using SharePoint Online admin centerto the group, but without performing the last step.

2. In the site collection owners panel, access the source code of the page by pressing F12 or by right-clicking,and then selecting Inspect (Google Chrome) or View Page Source (Firefox).

3. In the window that appears, in the source code, prior to displaytext='GroupName', copy the value of thekey parameter (key='GroupID').

4www.coveo.com 59



You can now paste the group ID in the NewAdminUsername parameter to add/remove the group membersin/from the sites collection or personal sites administrators.

4www.coveo.com 60



6. Installing the CoveoWeb Service, Search Box, andSearch Interface into SharePointThe Coveo .NET Front-End can be integrated to an on-premises SharePoint by installing the following CoveoSharePoint web service, the Coveo search box, and the Coveo search interfaces components on all yourSharePoint front-end servers.

Note: CES 7.0.9093+ (September 2017) If you plan on creating a JavaScript search page and want to leverageclaims from your on-premises SharePoint farm, you can install the Coveo Claims Security Module rather than theCoveo .NET Front-End web service (see Allowing a JavaScript Search Page to Retrieve SharePoint Claims).

Important: Do not install both the Coveo Claims Security Module and the Coveo .NET Front-End web service, asthis would create dupplicate files on your server.

Coveo SharePoint web service

The optional Coveo SharePoint web service installed on a SharePoint server enhances the Coveo SharePoint,SharePoint Legacy and OneDrive for Business (in a SharePoint 2013 or 2016 scenario) connectors ability toextract and index SharePoint content by providing:

l Full site collections discovery of the targeted SharePoint farms

l Automatic crawling account configuration (see "Automatic Permissions Setup" on page 42)

l Possibility for end-users to log with SharePoint credentials in a Coveo search interface deployed outside ofyour SharePoint farm so that they can see SharePoint search results.

Note: Coveo .NET Front-End 12.0.99+ (March 2013) The Coveo SharePoint web service is optional onlywhen all the content is indexed from a Classic SharePoint environment.

When indexing content from Web Applications using Claims-based Authentication Providers, the web servicemust be installed on the SharePoint server in order to add the following new features required by the CoveoBack-End and Mirror servers to handle Claims permissions:

l Convert permissions found on SharePoint document into Claims.

l Retrieve the list of Claims associated to a user performing a search in CES.

Coveo search box

You can also install the control for the Coveo search box on a SharePoint server and use it to replace thedefault SharePoint search box to get the benefits of the Coveo search results directly within SharePoint,providing another convenient Coveo access point.

Note: Installing the Coveo search box on the SharePoint server is optional and is not needed to deploy theCoveo SharePoint, SharePoint Legacy or OneDrive for Business (in a SharePoint 2013 or 2016 scenario)connector.

4www.coveo.com 61



Tip:When the Coveo search box is installed on the SharePoint server, from the Interface Editor you canactivate the Enable search as you type option in your SharePoint search interfaces to get quick searchresults directly under the search box. Note that you must install the Default Search Interface to gain access tothe Interface Editor.

Coveo search interfaces

When you choose to install the Coveo search box on your SharePoint server, you must also install Coveosearch interfaces on the SharePoint server to present search results for queries performed from the Coveosearch box.

Tip: You can configure the scope of each search interface using the Interface Editor.

Important: You must perform the following installation procedure for each web front-end server of yourSharePoint farm, one after the other. You may see the An update conflict has occurred, and you must

re-try this action. error message when installing concurrently on more than one server. You must alsorepeat this procedure each time you update or migrate the Coveo Platform on your Coveo Master server.

To install theCoveo SharePoint web service, search box, and search interface

1. Using a local administrator account, connect to the web front-end server of your SharePoint farm.

2. Ensure that the account you are using has the permissions presented in the following table.

4www.coveo.com 62



SharePoint versionRequired permissions

2016/2013/2010 2007

✓ ✓

Member of the SharePoint server local Administrators group (see "Adding theCrawling Account to the SharePoint Server Local Administrators Group" on page54)

✓ ✓

l Have the SQL Server system administrator server role (see "Adding theMicrosoft SQL Server System Administrators Role" on page 69)OR

l Have the database owner role for the SharePoint configuration databaseand for all SharePoint content databases, including the CentralAdministration content database (see "Adding the Database Owner Role forMicrosoft SQL Server" on page 71)

✓Member of the SharePoint farm administrators group (see "Adding the CrawlingAccount to the SharePoint Farm Administrators Group" on page 51)

3. Run the Coveo .NET Front-End installer.

4. When a required version of Microsoft Chart Controls for Dotnet Framework is missing on the server, in thedialog box that appears, click Install.

5. When a required version of Microsoft .NET Framework is missing on the server, in the dialog box that appears,click Install.

Note: The Microsoft components are installed through the Internet. When the installer does not have accessto the Internet, prerequisite installations will fail. You must then install the components manually and restartthe Coveo .NET Front-End installer.

6. In the installer welcome screen, click Next.

7. In the installer License Agreement screen, read the license terms, select I accept the terms in the license

4www.coveo.com 63



agreement, and then click Next.

8. In the Installing Folders screen:

a. For each optional item in the list, click , and then ensure This feature will be installed on local harddrive. is selected for those that you want to install:

l Search Interface - To install the search interface libraries used to handle search queries.

l Default Search Interface - To install the default Coveo Enterprise Search web application and gainaccess to the Interface Editor.

Note:When the Default Search Interface is not installed, you may get the The resource cannot

be found error message when trying to access the Interface Editor from the search interface menu(Domore > Edit this interface).

l SharePoint Web Service - Needed to allow the connector to automatically set permissions for thecrawling account and to discover all site collections in the SharePoint farm.

l SharePoint Search Interface - Needed when you want to integrate the Coveo SharePoint searchinterface in your SharePoint site.

l Coveo Search Box - Needed when you want to replace the default SharePoint search box by theCoveo search box.

4www.coveo.com 64



Tip: Once installed on your SharePoint server, you can enable/disable the Coveo search boxindependently for each site (see "Activating or Deactivating the Coveo .NET Search Box in aSharePoint Site" on page 67).

b. Click Next.

9. When you install the search interface and the search box, in the Configuration screen:

a. Click Configure next toWeb site hosting the interfaces.

b. In theWeb Interface Configuration screen:

i. In theWeb site name box, enter the name of the site to be created in IIS to host Coveo searchinterfaces.

ii. In theWeb site port box, enter the port to access the Coveo search interfaces. The default is 8080.

iii. Click OK.

c. Back in the Configuration screen, click Configure next to Coveo Enterprise Search server and port.

d. In the CES Configuration screen:

4www.coveo.com 65



i. In the Server name box, enter the hostname of the Coveo Back-End server (where CES is installed)to which you want to connect this Front-End server. You can leave localhost when CES is alsoinstalled on the current server.

ii. In the Service port box, change the CES service port default (52810) only when needed.

iii. Click Test Server to validate that the CES service is responding and compatible with the Coveo.NET Front-End you are installing.

iv. In the dialog box that appears, review the message to validation is successful, and then click OK.

v. Back in the CES Configuration screen, click OK.

e. Click Next.

4www.coveo.com 66



10. In the installer Installing the program screen, click Install.

Coveo .NET Front-End 12.0.1548+ (June 2016) In a SharePoint farm with multiple Web Front-End (WFE)servers, you must install or update the Coveo .NET Front-End on each server. You can however speed up theinstallation by performing the changes to the SharePoint database only from the first server.

11. In the installer Installation Successful screen, click Finish.

What'sNext?

l When you install the Coveo Front-End for the first time on a server, before you can use the search interfaces,you must link the Coveo Front-End to a Coveo Back-End server. In this case, the Coveo .NET Front-Endinstaller automatically opens the Front-End Server Configuration page (see "Coveo .NET Front-End First TimeSetup" on page 74).

l Create the appropriate security provider.

6.1 Activating or Deactivating the Coveo .NET Search Box in a SharePoint SiteOnce you installed the Coveo .NET search box on a SharePoint server (see "Installing the Coveo Web Service,Search Box, and Search Interface into SharePoint" on page 61), you can activate/deactivate the Coveo .NET searchbox independently for each SharePoint site.

Note: SharePoint 2016/2013/2010/2007 offers a mechanism, called DelegateControl that allows administratorsto replace controls displayed in SharePoint pages. The Microsoft search box and scope selector are in the sameDelegateControl called SmallSearchInputBox. The Coveo installer deploys a feature calledCoveoSearchBox to replace the Microsoft controls in the SmallSearchInputBox.

To activate or deactivate theCoveo .NET search box in a SharePoint 2013 and 2016 site

1. Using a browser, access the SharePoint site into which you want to change the state of the Coveo search box.

Note: You can activate the Coveo Search Box feature on any of the four SharePoint levels (Farm, WebApp,SiteCollection, and Site). Ensure to activate the Coveo search box everywhere you want it to replace theMicrosoft default search boxes.

Example: Activate the Coveo search box feature at the Farm level, to activate it all over your SharePointinstallation.

2. On the Gear menu, select Site Settings.

4www.coveo.com 67



3. In the page that appears, under Site Collection Administration, click Site collection features.

4. In the Site Settings > Site Collection Features page, locate Coveo Site Collection Search, and then clickActivate or Deactivate on the corresponding line.

To activate or deactivate theCoveo search box in a SharePoint 2010 site

1. Using a browser, access the SharePoint site into which you want to change the state of the Coveo search box.

Note: You can activate the Coveo Search Box feature on any of the four SharePoint levels (Farm, WebApp,SiteCollection, and Site). Ensure to activate the Coveo search box everywhere you want it to replace theMicrosoft default search boxes.

Example: Activate the Coveo search box feature at the Farm level, to activate it all over your SharePointinstallation.

2. On the Site Actions menu, select Site Settings.

3. In the Site Settings page, under Site Collection Administration, click Site collection features.

4. In the Site Collection Administration > Features page, locate Coveo Site Collection Search, and then click

4www.coveo.com 68



the Activate or Deactivate button on the corresponding line.

6.2 Adding the Microsoft SQL Server System Administrators RoleThe CES administrative account must be a member of the Microsoft SQL Server system administrators server rolewhen you want to install the Coveo SharePoint web service (see "Installing the Coveo Web Service, Search Box,and Search Interface into SharePoint" on page 61).

The procedure applies to Microsoft SQL Server 2008, 2005, and 2000 but varies depending on the SQL Serverversion:

l "Microsoft SQL Server 2008 and 2005" on page 69

l "Microsoft SQL Server 2000" on page 70

6.2.1Microsoft SQLServer 2008 and 2005

1. Access SQL Server Management Studio (Windows Start menu > All Programs > Microsoft SQL Server2008 or Microsoft SQL Server 2005).

2. In the panel on the left, expand localhost > Security, and then click the Logins node.

3. When the login for the CES administrative account already exists, double-click it. Otherwise, right-click Logins,and then click New Login.

4. In the Login - New dialog box:

a. In the Login Name box, enter the CES administrative account.

b. In the panel on the left, click Server Roles.

4www.coveo.com 69



c. In the panel on the right, in the Server roles list, select sysadmin.

d. Click OK.

6.2.2Microsoft SQLServer 2000

1. Access SQL Server Enterprise Manager (Windows Start menu > All Programs > Microsoft SQL Server).

2. In the panel on the left, expand Microsoft SQL Servers > SQL Server Group > [your server group] > Security.

3. Click the Logins node.


5. In the SQL Server Login Properties - New Login dialog box:

a. In the Login Name box, enter the CES administrative account.

b. Click the Server Roles tab.

4www.coveo.com 70



c. In the Server Role list, select System Administrators.

d. Click OK.

6.3 Adding the Database Owner Role for Microsoft SQL ServerYou need to add the CES administrative account to the database owner role for Microsoft SQL Server when youwant to install the Coveo SharePoint web service (see "Installing the Coveo Web Service, Search Box, and SearchInterface into SharePoint" on page 61).

The procedure applies to Microsoft SQL Server 2008, 2005, and 2000, but varies depending on the SQL Serverversion:

l "Microsoft SQL Server 2008/2005" on page 71

l "Microsoft SQL Server 2000" on page 73

6.3.1Microsoft SQLServer 2008/2005

1. Access SQL Server Management Studio (Windows Start menu > All Programs > Microsoft SQL Server2008 or Microsoft SQL Server 2005).

2. Connect to the appropriate database.

4www.coveo.com 71



3. In the panel on the left, expand localhost > Security > Logins.


5. In the Login - New dialog box:

a. In the Login Name box, type the CES administrative account.

b. In the panel on the left, click User Mapping.

c. In the panel on the right:

i. In the Users mapped to this login list, in the Map column, select the check box for the database towhich you want to assign the owner role to the CES administrative account.

ii. In the Database role membership for list, select db_owner.

d. Click OK.

4www.coveo.com 72



6.3.2Microsoft SQLServer 2000

1. Access SQL Server Enterprise Manager (Windows Start menu > All Programs > Microsoft SQL Server).

2. In the panel on the left, expand Microsoft SQL Servers > SQL Server Group > [your server group] > Security.

3. Click the Logins node.


5. In the SQL Server Login Properties - New Login dialog box:

a. In the Login Name box, type the CES administrative account.

b. Click the Database Access tab.

c. In the list at the top, in the Permit column, select the check box for the database to which you want toassign the owner role for the CES administrative account.

d. In the Permit in Database Role list, select db_owner.

e. Click OK.

4www.coveo.com 73



6.4 Coveo .NET Front-End First Time SetupWhen you install the Coveo .NET Front-End components for the first time on a server, the installer automaticallyaccesses the search page at the end of the installation process. The Front-End Server Configuration web pageappears to allow you to complete the Front-End first time setup.

As a Coveo administrator, you can also access the Front-End Server Configuration page again later from the .NETsearch interface Domore menu.

Notes:

l In some cases, such as with Claims authentication, the Domore menu Configure Front-End item does notappear even when you are an administrator. In such a case, you can access the Front-End ServerConfiguration page directly using the page URL in the form:

http://[MyCoveoFrontEndServer]:8080/Coveo/FirstTimeSetup/default.aspx

or when the search page is integrated in SharePoint:

http://[MySharePointServer]/_layouts/Coveo/FirstTimeSetup/

l The URL used to access the Front-End Server Configuration page is also used to automatically set the pre-loading URL on the Back-End server. The pre-loading URL is used to warm up the Front-End search page,eliminating longer loading time for end-users.

When the Front-End and Back-End components are installed on separate servers, if you can, use a searchURL that the Back-End server can resolve to access the Front-End Server Configuration page and correctlyset the pre-loading URL.

Example: Use http://MyCoveoSearchServer:8080 rather than http://localhost:8080.

Otherwise, a warning message appears (Back-End and Front-End components appear to be

installed on separate servers. You may need to change the default pre-loading search

page URL from the Administration Tool in the Configuration > Pre-loading page.) .

In the Front-End Server Configuration page, you must provide administrator credentials to configure the Back-Endserver that this Front-End server uses to send queries and receive search results. You can also select or create thesearch security certificate used to secure the connection between the Front-End and Back-End processes.

Coveo .NET Front-End 12.0.49+ (September 2012) CES 7.0.4855+ (August 2012) When the Coveo searchinterface is installed on a server that uses Claims to authenticate users (such as a SharePoint server), you mustalso provide Claims parameters.

To perform theCoveo .NET Front-End first time configuration

1. In the Front-End Server Configuration page, the Front-End Server Settings section appears only when thecurrent user does not have administrator permissions on the Front-End server.

Example: The Front-End Server Settings section appears when you access the Front-End ServerConfiguration page from a Coveo .NET search interface installed on a SharePoint server that uses Claims toauthenticate users.

4www.coveo.com 74



a. In the Username and Password boxes, enter the credentials of an administrator account on the Front-Endserver to be able to save the configuration performed in this page.

b. Click Login.

2. In the Coveo Enterprise Search Server Settings section that appears:

a. In the Connection Information section:

i. In the Hostname box, enter the hostname of the Coveo Master server, where Coveo EnterpriseSearch (CES) is installed.

When the Coveo Front-End component is installed on the same server as the Coveo Master server,you can use localhost. When they are on different servers, enter the hostname of the Master server,even when you want to connect this Front-End server to a Mirror server (you will select the Mirrorserver later in this page).

ii. In the case where your Coveo Master server uses a Coveo Search Web Service other than the default(52810), expand the Advanced setting section, and in the Services Port, enter the appropriate value.

4www.coveo.com 75



Note: Do not confuse this port with the CES service port. The Front-End uses the Coveo Search WebService to get additional configuration information from the Back-End server, including theCES service port (52800 by default) that the .NET search interface will use to communicate with theserver.

iii. Click Validate server information.

When the connection is established successfully, a green indicator ( ) appears next to the button.

When the connection cannot be completed, a red indicator and message ( Invalid serverinformation) appear next to the button and an error message appears at the top of the page. In thiscase, adjust the connection information and try again.

b. In the Administrator Credentials section that appears:

i. In the Username and Password boxes, enter the credentials of a Coveo administrator account for theCoveo Master (Back-End) server.

ii. In the Provider drop-down list, select the security provider that can validate these user credentials,most likely Active Directory.

iii. Click Login.

3. Coveo .NET Front-End 12.0.1548+ (June 2016) When you want users of the search page you are configuringto be able to see content from a SharePoint server configured with Claims authentication, the Coveo.NET Front-End search page hosted outside SharePoint must authenticate each SharePoint end-userperforming queries.

In such a case, in the Claims SSO for SharePoint Settings section:

a. Select the Import the claims SSO configuration from the SharePoint claims identity provider setuppage check box.

4www.coveo.com 76



b. In the Claims SSO Configuration to Import box, paste the claims SSO configuration that was generated inthe SharePoint claims identity provider setup page.

4. In the Mirror Settings section:

l When your Coveo implementation does not include Mirror servers:

Select the Select a mirror option, and in the drop-down box, leave Default.

l When your Coveo implementation includes one or more Mirror servers:

You can decide to which Mirror server this Front-End server sends queries.

Example:When you want to free the Master server from handling the queries, you can rather connect theFront-End to a Mirror server.

Tip:When you have two or more Coveo Front-End servers, you can later set them up in a network load-balancing cluster.

o Select the Select a mirror option, and in the drop-down box, select the mirror to which you want thisFront-End server to send the queries.

OR

a. When you configured your Mirror server to use a CES service port other than the default (52800),select the Configure mirror manually option.

b. In the Mirror Hostname box, enter the Mirror hostname, otherwise, enter the same machine name asin Hostname.

c. In the Mirror Port box, enter the port that your Mirror server uses.

5. When the Coveo .NET search page is installed on a server such as SharePoint that uses Claims toauthenticate users or when the Claims SSO for SharePoint is enabled, in the Claims-Based AuthenticationSettings section that appears:

4www.coveo.com 77



a. Coveo .NET Front-End 12.0.1633+ (September 2016) In the Claims Security Provider drop-down lists,select the claims security providers that you created for these Claims-based Front-End servers.

Note: Coveo .NET Front-End 12.0.1548– (June 2016) Only one Claims Security Provider is supportedfor your Claims-based Front-End servers.

Example: You could index content from a Claims-based on-premises SharePoint server and also fromSharePoint Online. You need to create one Claims security provider for each of these SharePointinstances.

Note: The following message appears when no Claims security provider is available:

A Claims Security Provider is required, add one with the Administration Tool.

b. In the Active Directory Security Provider drop-down list, select the Active Directory security provider touse.

c. In the Claim type holding Active Directory users list, the first claim is automatically selected, typically inthe DOMAIN\username form, and is generally the best choice. Consider selecting another claim when thefirst one does not work.

4www.coveo.com 78



Note: Coveo .NET Front-End 12.0.1459– (March 2016) With previous versions, the Claim type holdingActive Directory users list provided many more claims to select from.

l When you want end-users to be able to search for documents from other sources that were crawledin an Active Directory environment, select the Claim Type to use to resolve an Active Directoryidentity from a Claims identity. You must select a Claim Type that has a Claim Value Example in theMyDomain\UserName or [email protected] form. Only the Claim Type is saved and used toget the Claim Value for each user when they perform queries.

l When end-users can only search for Claims protected documents, you can select (None).

6. In the Search Certificate Settings section that appears:

a. For Select or create the search certificate to use to be trusted when communicating with the Back-End server select one of the following options:

Use the default certificate

The default certificate trusts everyone that has access to the .NET search interface and the Front-Endserver can be any machine (any IP address).

Use an existing certificate

When you already created one or more search security certificates on the Back-End server, select thedesired certificate in the list that appears.

4www.coveo.com 79



Create a new certificate

Use this option to create a certificate to trust only specific users and/or groups and trust only serverswith specific IP addresses.

b. When you select Create a new certificate, use the parameters that appear to build the certificate:

i. In the Name box, enter a name for your new search security certificate.

ii. In the Trusted Users/Groups section, optionally define the trusted users:

A. Select Specific user and/or groups when you want this certificate to trust only specific users.

B. In the Name box, enter the name of a user or group to be trusted.

C. In the Type drop-down list, select if the name is for a user or group.

D. In the Provided drop-down list, select the security provider in which this user or group is defined.

E. Click Add.

4www.coveo.com 80



The specified user or group appears in the list.

F. When you want to add other trusted users or groups, repeat the previous steps.

iii. In the Trusted Front-End Servers section, define the IP address for one or more Front-End servers tobe trusted by the Back-End server:

A. Select Specific IP addresses when you want this certificate to trust only specific machines.

B. In the IP address box, enter an IP address to be trusted.

C. Click Add.

The specified IP address appears in the list.

D. When you want to add other trusted Front-End servers, repeat the previous steps.

7. In the Search Analytics Settings section, you can optionally configure this search front-end server to sendsearch usage information to an on-premises database and/or to the Coveo Usage Analytics cloud service tolater be able to review search usage data:

Notes:

l Coveo .NET Front-End 12.0.1548+ (June 2016) .NET Framework 4.5 is required on the Coveo Front-Endserver to push information to the Coveo Usage Analytics cloud service.

l CES 7.0.7711+ (June 2015) Support for sending analytics to the Coveo Usage Analytics cloud service.

a. When you have access to a deployed on-premises Coveo Analytics module, in the On-PremisesAnalytics Module section:

i. Select the Enable check box.

ii. In the Database Connection String box, enter the connection string for the database of your Analyticsmodule.

iii. Click Test to validate the string.

b. Coveo .NET Front-End 12.0.1548+ (June 2016) When you have access to the Coveo Usage Analyticscloud service, in the Cloud Platform section:

i. Select the Enable check box.

ii. Depending on your setup, select one on the following radio button:

l In a non-NLB (Network Load Balancing) setup, select the Push usage analytics informationdirectly to the Coveo Usage Analytics cloud service radio button.

l In an NLB setup, select the Push usage analytics information directly to the Coveo UsageAnalytics cloud service radio button on one .NET Front-End server, and the Delegate pushing

4www.coveo.com 81



usage analytics information to another Coveo .NET Front-End NLB server radio button on theother(s).

Notes:

o For high-volume environments, the best practice is to set up a separate .NET Front-Endserver, outside the NLB, and whose only responsibility is to push events to the cloudservice.

o The URI of the Front-End(s) on which the Delegate pushing usage analytics informationto another Coveo .NET Front-End NLB server radio button is selected should point to theFront-End that pushes the events to the cloud service.

iii. Depending on the radio button you select:

l When you select the Push usage analytics information directly to the Coveo Usage Analyticscloud service radio button, in the API Key box, enter the API key to be used to call the UsageAnalytics REST endpoint, and then click Test to validate the endpoint.

Note: Contact Coveo Support to get an API key.

l When you select the Delegate pushing usage analytics information to another Coveo .NETFront-End NLB server radio button, in the box, enter the URL of the Coveo .NET Front-End todelegate pushing usage analytics information to in the following form:

http://[CoveoFrontEndServer]:8080/PushCloudAnalyticsInfo.aspx

8. Click Apply Settings.

9. Enable the Front-End that pushes UA information to the Coveo Usage Analytics cloud service to log errors in afolder of your choice:

Note: Error logs are a good starting point when investigating problems.

a. Using a text editor, open the Web.config file (by default C:\Program Files\Coveo .NET Front-End

12\Web.config).

b. In the file, add the logFolder parameter (in red) in the analytics section as follows:

<analytics enabled="False" connectionString="Data Source=yourServerName;Initial

Catalog=CoveoAnalytics;Integrated Security=SSPI;" cloudEnabled="True" logFolder="D:\

[folderPath]" platformEndpoint=""

analyticsEndpoint="https://usageanalyticsdev.coveo.com/rest/v13" accessToken="YOURACCESSTOKEN"

analyticsCloudDelegateUri="http://YOURHOSTNAME:8080/PushCloudAnalyticsInfo.aspx"

analyticsCloudDelegateEnabled="False" />

The first time setup is completed and the default .NET search interface appears.

4www.coveo.com 82




What'sNext?

You can now customize or create search hubs and .NET search interfaces using the .NET Interface Editor.

4www.coveo.com 83



7. Creating a Claims Security Provider for an On-PremisesSharePointCES 7.0.5031+ (March 2013)

When indexing content from a SharePoint Web Application using Claims-based authentication, the default inSharePoint 2013, you must create a Claims security provider to allow authenticated users to search for documentssecured using Claims permissions. Without such a security provider, no results would be returned.

The role of the Claims security provider is to authenticate users in SharePoint and to retrieve the list of Claimsassociated to each user. Knowing the Claims of a user, the Coveo index can return the search results this user isentitled to see according to the permissions that were indexed on SharePoint documents.

In order to be authenticated by the Claims security provider, a user must log in to the Coveo search interface usinghis SharePoint credentials. The Claims security provider can authenticate users in SharePoint using a Windowsidentity or an identity provided by an Active Directory Federation Services (ADFS) server.

Notes:

l Coveo .NET Front-End version 12.0.99+ (March 2013 monthly release) is required to display search resultswith Claims permissions.

l The SharePoint, SharePoint Legacy and OneDrive for Business (CES 7.0.8047+ (December 2015))connectors can use the Claims for SharePoint On-premises security provider type.

l You can get familiar with how Coveo components deal with permissions on documents both at indexing andquery time.

To create aClaims security provider for an on-premisesSharePoint

1. On the Coveo server, access the Administration Tool.

2. In the Administration Tool, select Configuration > Security.

3. In the navigation panel on the left, select Security Providers.

4. In the Security Providers page, click Add.

5. In the Modify Security Provider…:

4www.coveo.com 84



a. In the Name box, enter a descriptive name of your choice for this security provider instance.

b. In the Security Provider Type drop down, select Claims for SharePoint On-premises.

c. In the User Identity drop-down list:

l In the case of an ADFS environment, when you select theWeb Application supports AD FS ClaimsAuthentication check box (see below) and a claims-aware Coveo Search is used (see "Configuringthe Claims-Aware Coveo Search Application" on page 149), select a user identity of any Windowsaccount that can be used to authenticate to ADFS.

l Otherwise, select the user identity that you created for the Microsoft SharePoint farm.

d. In the SharePoint Web Application Url box, enter the URL of the SharePoint Web Application using

4www.coveo.com 85



Claims-based authentication where the secured content to index is located.

e. In the Temporary path for the cache of User Claims box, you must enter the path where the temporarycache of user Claims is saved.

f. Select theWeb Application supports NTLM Claims Authentication and/orWeb Application supportsAD FS Claims Authentication check boxes, according to the Claims authentication type that is enabled forthe SharePoint web application (see "Finding the Enabled Claims Authentication Type for a SharePointWeb Application" on page 88).

Important:When using ADFS Claims Authentication, you need to make sure your ADFS environmentmeets the requirement for the Claims security provider (see "ADFS Server Requirements for a ClaimsSecurity Provider" on page 92).

Notes:

l The Claims security provider can simultaneously support more than one Claims authentication typeenabled for a Web Application.

l SelectWeb Application supports NTLM Claims Authentication for Windows authentication withNTLM or Kerberos.

g. CES 7.0.5556+ (June 2013) The following parameters are required only when theWeb Applicationsupports AD FS Claims Authentication check box is selected:

i. In the Url of the SharePoint AD FS Server box, enter the URL of the ADFS server which is trusted bySharePoint.

Note: If your SharePoint instance uses Okta as a single sign-on provider, leave this box empty (seeOkta Single Sign-On Provider for SharePoint On-Premises).

ii. In the Trust Identifier for SharePoint box, enter the Relying Party Trust identifier for the SharePointweb application (see "Finding the Relying Party Trust Identifier for a SharePoint Web Application" onpage 93).

Note: If your SharePoint instance uses Okta as a single sign-on provider, leave this box empty (seeOkta Single Sign-On Provider for SharePoint On-Premises).

h. CES 7.0.5556+ (June 2013) The following parameters are required only when theWeb Applicationsupports AD FS Claims Authentication check box is selected and multiple ADFS servers are used toauthenticate users in SharePoint:

i. In the Url of the Identity Provider AD FS Server box, enter the URL of the ADFS server which is usedas an Identity Provider for the ADFS server trusted by SharePoint.

ii. In the Trust Identifier for the SharePoint AD FS Server box, enter the Relying Party Trust identifierfor the SharePoint ADFS server (see "Finding the Relying Party Trust Identifier for a SharePoint ADFSserver" on page 94).

i. CES 7.0.5785+ (August 2013) When theWeb Application supports AD FS Claims Authentication checkbox is selected and a claims-aware Coveo Search is used (see "Configuring the Claims-Aware Coveo

4www.coveo.com 86



Search Application" on page 149), in the Bootstrap Token Signing Certificate (.cer) box, enter the pathon the Coveo Master server where you saved the certificate used by ADFS to sign requests from theclaims-aware Coveo search. If the requests are not signed by ADFS, leave this parameter empty. If therequests are not signed by ADFS, leave this parameter empty.

j. In the Claim Type for User Names box, enter the type of Claim that should be used to uniquely identifyusers. Leave the default value(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) unless CoveoSupport recommends to change the value.

k. In the Claim Type(s) to Ignore box, enter the type(s) of Claims that should be ignored by the securityprovider to prevent polluting the security cache with unnecessary claims.

Some of the Claims that are retrieved by the security provider when authenticating users in SharePoint cansafely be ignored. These are usually Claims that are reserved for internal use by SharePoint and thatcannot be used to set permissions on documents.

Example: SharePoint assigns to every user a Claim that identifies the last time the user wasauthenticated. The value of this Claim is a timestamp, which has no value regarding documentpermissions and cannot be selected in the SharePoint people picker.

l. CES 7.0.9167+ (December 2017) Select the Expand user's Granted Identities before first query checkbox to evaluate users' granted identities before they perform their first query.

Note:When selected, results are returned following a user's first query. When cleared, results appearsonly after the user performs a second query or after the user's granted identities are expanded.

m. In the Authentication Cookies Sliding Session Expiration Time (in days) box, enter the time interval, indays, during which the Claims of a user authenticated by the Claims security provider remains valid.Values smaller than one day are accepted (ex.: 0.5). The default is 1 day.

n. Next to Parameters, when instructed to do so by Coveo Support, click Add Parameter to add an hiddenparameter by entering the parameter Name and Value.

Note: CES 7.0.6830+ (July 2014) The parameter ClaimsMaximumSize is used to set the maximumallowed size for a single Claims identity. The default value is 12288 (12 KB). A message similar to thefollowing one appears in the CES Console and logs typically when a user with claims exceeding this limitlogged in or performed a query:

The security provider "Claims" has encountered an exception: class

CSP::SecurityException: The user 'user_name here' contains too much claims and

will be rejected.

When this condition occurs, the search results that are secured by Claims permissions are not returnedfor the query.

o. Ensure that the Allow Complex Identities option is selected.

A Claims security provider may need additional parameters when you create identities. You can specifythese additional parameters only when the Allow Complex Identities option is selected.

p. Click Save or Apply Changes.

4www.coveo.com 87





What'sNext?

Create a SharePoint security provider that will use this Claims security provider.

7.1 Finding the Enabled Claims Authentication Type for a SharePoint WebApplicationYou may need to identify the Claims authentication type that is enabled for a SharePoint Web Application when youcreate a security provider.

To find the enabledClaims authentication type in a SharePoint 2013/2010WebApplication


2. In SharePoint 2013/2010 Central Administration, under Application Management, selectManage webapplications.

3. Select the Web Application for which you want to find the Claims authentication type, and then clickAuthentication Providers.

4. Click on the name of the Zone using Claims Based Authentication.

5. Scroll down to the Claims Authentication Types section.

7.2 Finding and Enabling the ADFS Service Endpoint URL PathYou may need to find and ensure that the Active Directory Federation Services (ADFS) service endpoint URL pathis enabled when you create a Claims security provider.

To find and enable the ADFS service endpoint URL path

1. Access AD FS 2.0 Management Console (Windows Start menu > All Programs > Administrative Tools >AD FS 2.0 Management).

2. In AD FS 2.0 Management Console, under Services, select Endpoints.

3. Find the endpoint by looking at the Url Path column.

4. When the endpoint is disabled, right-click it, and then select Enable.

4www.coveo.com 88



8. Creating a Claims Security Provider for SharePoint OnlineCES 7.0.5031+ (March 2013)

When indexing content from a SharePoint Online Web Application using Claims-based authentication, you mustcreate a Claims security provider to allow authenticated users to search for documents secured using Claimspermissions. Without such a security provider, no results would be returned.

The role of the Claims security provider is to authenticate users in SharePoint Online to retrieve the list of Claimsassociated to each user. Knowing the Claims of a user, the Coveo Search can display the search results this user isentitled to see according to the permissions that were indexed on SharePoint documents.

In order to be authenticated by the Claims security provider, a user must log in to the Coveo search interface usinghis SharePoint Online credentials. The Claims security provider can authenticate users in SharePoint Online usinga native Office 365 identity or an identity provided by an ADFS server if Single Sign-On is enabled in SharePointOnline.

Notes:

l Coveo .NET Front-End version 12.0.99+ (March 2013 monthly release) is required to display search resultswith Claims permissions.

l The SharePoint, SharePoint Legacy and OneDrive for Business (CES 7.0.8047+ (December 2015))connectors can use the Claims for SharePoint Online security provider type.


To create aClaims security provider for SharePoint Online





5. In the Modify Security Providers page:

4www.coveo.com 89




b. In the Security Provider Type drop down, select Claims for SharePoint Online.

c. In the User Identity drop-down list:

l When a claims-aware Coveo Search is used (see "Configuring the Claims-Aware Coveo SearchApplication" on page 149), select a user identity of any Windows account that can be used toauthenticate to ADFS.

l Otherwise, select the user identity that you created with an Office 365 account.

d. In the SharePoint Web Application Url box, enter the URL of the SharePoint Online Web Applicationwhere the secured content to index is located.

e. In the Temporary path for the cache of User Claims box, you must enter the path where the temporarycache of user Claims is saved.

f. In the Office 365 Native Users Domain(s) box, enter the domain name that was created with your Office

4www.coveo.com 90



365 account. The domain name to enter here must be the native domain created by Microsoft OnlineServices, which is different from a private domain owned by your company (see "Finding Your Office 365Native Domain Name" on page 93).

Note: You can enter more than one Office 365 domain, separating values by a comma.

g. Select the Single Sign-On (AD FS) is enabled check box when Active Directory synchronization isactivated in Office 365 and synchronized user accounts are used to log in to SharePoint Online.

Important:When using ADFS Claims Authentication, you need to make sure your ADFS environmentmeets the requirement for the Claims security provider (see "ADFS Server Requirements for a ClaimsSecurity Provider" on page 92).

CES 7.0.5556+ (June 2013) The following parameters are required only when the Single Sign-On (AD FS)is enabled check box is selected:

i. In the Url of the SharePoint AD FS Server box, enter the URL of the ADFS server which is trusted bySharePoint.

Example: https://adfs.mydomain.com

Note: CES 7.0.6684+ (May 2014) The SharePoint connector supports indexing SharePoint onlineconfigured with Okta.

In this case, in the Url of the SharePoint AD FS Server box, enter the full path to your SharePointOnline ActiveClientSignInUrl that should be in the form:

https://acme.okta.com/app/office365/abcdefghGWUMNWLWYGXF/sso/wsfed/active

You can find your SharePoint Online ActiveClientSignInUrl in Okta, in the sign on instructionsof the Microsoft Office 365 application:

i. With an administrator account, log in into Okta.

ii. In the top menu, click Admin.

iii. In the administration panel, select Applications > Applications.

iv. In the Applications page, click Microsoft Office 365.

v. In the Microsoft Office 365 page, select the Sign On tab.

vi. In the Sign On tab, under Sign On Methods section, click View Setup Instructions.

vii. The ActiveClientSignInUrl is the value next to ActiveLogOnUri.

Ensure that you also set this ActiveClientSignInUrl for the SharePoint Security provider and theSharePoint source.

ii. In the Trust Identifier for SharePoint box, enter the Relying Party Trust identifier for the SharePointweb application (see "Finding the Relying Party Trust Identifier for a SharePoint Web Application" onpage 93).

h. CES 7.0.5556+ (June 2013) The following parameters are required only when multiple ADFS servers are

4www.coveo.com 91


https://www.okta.com/


used to authenticate users in SharePoint:

i. In the Url of the Identity Provider AD FS Server box, enter the URL of the ADFS server which is usedas an Identity Provider for the ADFS server trusted by SharePoint.

ii. In the Trust Identifier for the SharePoint AD FS Server box, enter the Relying Party Trust identifierfor the SharePoint ADFS server (see "Finding the Relying Party Trust Identifier for a SharePoint ADFSserver" on page 94).

i. When the Single Sign-On (AD FS) is enabled check box is selected and a claims-aware Coveo Search isused (see "Configuring the Claims-Aware Coveo Search Application" on page 149), in the BootstrapToken Signing Certificate (.cer) box, enter the path on the Coveo Master server where you saved thecertificate used by ADFS to sign requests from the claims-aware Coveo search. If the requests are notsigned by ADFS, leave this parameter empty.

j. In the Authentication Cookies Sliding Session Expiration Time (in days) box, enter the time interval, indays, during which the Claims of a user authenticated by the Claims security provider remains valid.Values smaller than one day are accepted (ex.: 0.5).

k. Next to Parameters, when instructed to do so by Coveo Support, click Add Parameter to add an hiddenparameter by entering the parameter Name and Value.

Note: CES 7.0.6830+ (July 2014) The parameter ClaimsMaximumSize is used to set the maximumallowed size for a single Claims identity. The default value is 12288 (12 KB). A message similar to thefollowing one appears in the CES Console and logs typically when a user with claims exceeding this limitlogged in or performed a query:

The security provider "Claims" has encountered an exception: class

CSP::SecurityException: The user 'user_name here' contains too much claims and

will be rejected.

When this condition occurs, the search results that are secured by Claims permissions are not returnedfor the query.

l. Ensure that the Allow Complex Identities option is selected.

A Claims security provider may need additional parameters when you create identities. You can specifythese additional parameters only when the Allow Complex Identities option is selected.

m. Click Save.

What'sNext?

Create an Office 365 security provider that will use this Claims security provider (see "Creating an Office 365Security Provider for SharePoint Online" on page 102).

8.1 ADFS Server Requirements for a Claims Security ProviderSharePoint can use ADFS as a trusted identity provider. Your ADFS environment must meet the followingrequirements to allow the Coveo Claims security provider to authenticate users in SharePoint.

4www.coveo.com 92



For single ADFS server environments

l SharePoint ADFS server endpoint

The following ADFS service endpoint must be enabled on your ADFS server (see "Finding and Enabling theADFS Service Endpoint URL Path" on page 88):

/adfs/services/trust/2005/usernamemixed

For multiple ADFS server environments

l SharePoint ADFS server endpoint

The following ADFS service endpoint must be enabled on the ADFS server which is trusted by SharePoint (see"Finding and Enabling the ADFS Service Endpoint URL Path" on page 88):

/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256

l Identity Provider ADFS server endpoint

The following ADFS service endpoint must be enabled on the ADFS server which is trusted by SharePointADFS server (see "Finding and Enabling the ADFS Service Endpoint URL Path" on page 88):

/adfs/services/trust/2005/usernamemixed

8.2 Finding Your Office 365 Native Domain NameYou may need to find the native domain name associated with your Office 365 account when you create aSharePoint Online security provider.

To find the native domain name associatedwith your Office 365 account

1. Log on to the Microsoft Office 365 Online Portal using an administrative account.

2. Under Management, click on Domains.

3. The native domain should be listed with a name ending with .onmicrosoft.com.

8.3 Finding the Relying Party Trust Identifier for a SharePoint Web ApplicationYou may need to find the Relying Party Trust identifier for your SharePoint Web Application when you create aClaims security provider.

To find theRelying Party Trust identifier for your SharePointWebApplication

1. Access AD FS 2.0 Management Console (Windows Start menu > All Programs > Administrative Tools >AD FS 2.0 Management).

2. In AD FS 2.0 Management Console, under Trust Relationships, select Relying Party Trusts.

3. In the Relying Party Trusts list:

4www.coveo.com 93


https://portal.microsoftonline.com/


l For an on-premises SharePoint, find the line for SharePoint. The ADFS Relying Party Identifier will be thevalue in the Identifier column.

l For SharePoint Online, the ADFS Relying Party Identifier is typicallyurn:federation:MicrosoftOnline, but you can validate it as follows:

a. Right-click the Microsoft Office 365 Identity Platform line, and then select Properties.

b. In the Microsoft Office 365 Identity Platform Properties dialog box, select the Identifiers tab.

c. In the Relying party identifiers list, the ADFS Relying Party Identifier is the one starting with urn:,such as urn:federation:MicrosoftOnline.

8.4 Finding the Relying Party Trust Identifier for a SharePoint ADFS serverYou may need to find the Relying Party Trust identifier for your SharePoint ADFS server when you create a Claimssecurity provider.

Some federation environments use multiple ADFS servers to authenticate users in SharePoint. In theseenvironments, a trust is established between SharePoint and an ADFS server, and another trust between this ADFSserver and another ADFS server. Configurations using multiple ADFS servers can be used, for example, whenfederating users from different Active Directory domains.

4www.coveo.com 94



In order for the Claims security provider to be able to authenticate to SharePoint web applications using such aconfiguration, information from both ADFS servers is required.

To find theRelying Party Trust identifier for your SharePoint ADFS server

1. Log on to the ADFS server which is trusted by the SharePoint ADFS server.

2. Access AD FS 2.0 Management Console (Windows Start menu > All Programs > Administrative Tools >AD FS 2.0 Management.

3. In AD FS 2.0 Management Console, under Trust Relationships, select Relying Party Trusts.

4. In the list of trusts displayed, find the trust for the ADFS server which is trusted by SharePoint. The ADFSRelying Party Identifier will be the value in the Identifier column.

4www.coveo.com 95



9. Creating a Claims to Email Security Provider forSharePoint OnlineCES 7.0.7433+ (February 2015)

You can get SharePoint Online users (native and federated) and Office 365 groups expanded to email users. Aclaims-based identity includes an email that the Claims to Email for SharePoint Online security provider extracts toresolve the identity of the user.

This security provider is useful either when you want to convert a claims identity to an email identity, or when yousimply did not want to use a claims identity. The only requirement for the claims to email conversion to work is thatthe email your users enter to log in to SharePoint Online must match the email they use when logging into yourCoveo search interface. The Claims to Email for SharePoint Online security provider was specifically designed forcloud environments where the identity is neither Claims nor Active Directory.

Notes:

l The SharePoint, SharePoint Legacy, and OneDrive for Business (CES 7.0.8047+ (December 2015))connectors can use the Claims to Email for SharePoint security provider type.


To create aClaims to Email security provider for SharePoint Online






4www.coveo.com 96




b. In the Security Provider Type drop down, select Claims to Email Security Provider for SharePointOnline.

c. In the User Identity drop-down list, select the user identity that you created to crawl your SharePointOnline.

d. In the Security Provider section:

i. In the drop-down list, select the provider that recognizes your users by their email addresses or activedirectory accounts (see "Configuring an Email Security Provider" on page 98 or Configuring an ActiveDirectory Security Provider).

Notes:

l Blocked users (admin Office 365, active users, settings, sign-in status) are not expanded toemail users.

l The list of following SharePoint well-known claims are expanded to email users:

o c:0(.s|true (everyone)

o c:0-.f|rolemanager|spo-grid-all-users (everyone but external)

o c:0!.s|forms%3amembership [all federated (sync) and native (cloud) users]

4www.coveo.com 97



ii. When needed, click Add, Edit, or Manage security providers respectively to create, modify, ormanage email or active directory security providers.

e. In theWindows Azure Active Directory Module for Windows PowerShell box, ensure that theMSOnline.psd1 file is available at the default location(C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\MSOnline.psd1) on yourCoveo Master server following the installation of the Windows Azure AD Module installation (see"Installing the Windows Azure AD Module for Windows PowerShell" on page 101). Change the path ifneeded.

Notes:

l Windows PowerShell is used to retrieve Office 365 users and domains.

l The default value should be the right value, but make sure the referenced module is installed and islocated at this path.

f. Ensure that the Allow Complex Identities option is selected.

g. Click Save.

h. This security provider must be selected in the Security Provider for SharePoint Users parameter of theSharePoint security provider set on your SharePoint or OneDrive for Business source.

What'sNext?

Create an Office 365 security provider that will use this Claims to Email security provider (see "Creating an Office365 Security Provider for SharePoint Online" on page 102).

9.1 Configuring an Email Security ProviderAn Email security provider is a simple email user identity container that can be used by another security provider torecognize users by their email addresses. When used by more than one security providers attached to sources ofvarious types, an email security provider can act as a single sign-on system. An Email security provider does notconnect to any system so it does not need a user identity.

Note: You can get familiar with how Coveo components deal with permissions on documents both at indexingand query time.

To configure anEmail security provider


2. On the menu, select Configuration > Security.


4. In the Security - Security Providers page, click Add.

5. In the Modify Security Provider page:

4www.coveo.com 98



a. In the Name box, enter a name of your choice for your Email security provider.

b. In the Security Provider Type list, select Email.

Note: CES 7.0.5785 to 7.0.5935 (August to September 2013) The Email security provider DLL file ismissing in the CES distribution so you will not see the Email option in the Security Provider Type list.

To resolve this issue:

i. Contact Coveo Support to get a copy of theCoveo.CES.CustomCrawlers.EmailSecurityProvider.dll file.

ii. When you receive the file, using an administrator account, connect to the Coveo Master server, andthen copy the file to the [CES_Path]\bin folder.

iii. When your Coveo instance includes a Mirror server, also copy the file to the [CES_Path]\bin folderon the Coveo Mirror server.

iv. Restart the CES service so that the new DLL is recognized.

c. In the User Identity list, leave (none).

d. CES 7.0.7814+ (August 2015) (Optional) In the Security Provider list, select another security provider tomap Email identities to another identity type.

4www.coveo.com 99




Example: You want to map Email identities to Active Directory (AD) ones so you select an LDAP Lookupsecurity provider that is chained to an AD security provider. The LDAP Lookup security provider is thenable to find a user in AD from his email and extracts his User Principal Name (UPN), thus allowing amapping of the Email identity to an AD one. Contact Coveo Support for assistance on how to create anLDAP Lookup security provider.

e. Leave the Allow Complex Identities option cleared as it does not apply to this type of security provider.

f. Click Apply Changes.

What'sNext?

Configure a security provider that will use this Email security provider.

4www.coveo.com 100




10. Installing theWindows Azure ADModule for WindowsPowerShellThe Windows Azure Active Directory Module for Windows PowerShell cmdlets can be used to accomplish manyWindows Azure AD tenant-based administrative tasks such as user management, domain management and forconfiguring single sign-on (see Manage Azure AD using Windows PowerShell).

The Coveo Office 365 security provider needed by the SharePoint connector when indexing SharePoint Onlinecontent uses the Get-MsolGroupMember cmdlet to list users and groups that are members of a specific Office 365security group (see Get-MsolGroupMember). In this case, you must install theWindows Azure Active DirectoryModule on your Coveo Master server.

To install theWindowsAzure ADModule forWindowsPowerShell

1. Using an administrator account, connect to the Coveo Master server.

2. Referring to the Microsoft documentation:

a. Ensure that your Coveo Master server meets the following Windows Azure AD Module for WindowsPowerShell requirements:

l Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012.

l Microsoft .NET Framework 3.51 feature.

b. Download and install the appropriate Microsoft Online Services Sign-In Assistant version for youroperating system (see Microsoft Online Services Sign-In Assistant for IT Professionals RTW).

3. Install theWindows Azure Active Directory Module for Windows PowerShell (see Install the Windows AzureAD Module).

4. Connect to Windows Azure AD by running the PowerShell command import-module MSOnline (seeConnect to Windows Azure AD).

What'sNext?

When you configure the Office 365 security provider, ensure that theC:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\MSOnline.psd1 file is available onthe Coveo Master server and referenced in theWindows Azure Active Directory Module for Windows PowerShellparameter (see Creating an Office 365 Security Provider for SharePoint Online).

4www.coveo.com 101


http://technet.microsoft.com/en-ca/library/jj151815.aspx

http://technet.microsoft.com/en-us/library/dn194085.aspx

https://www.microsoft.com/en-us/download/details.aspx?id=41950

http://download.microsoft.com/download/5/0/1/5017D39B-8E29-48C8-91A8-8D0E4968E6D4/en/msoidcli_64.msi

http://download.microsoft.com/download/5/0/1/5017D39B-8E29-48C8-91A8-8D0E4968E6D4/en/msoidcli_64.msi

http://technet.microsoft.com/en-ca/library/jj151815.aspx#BKMK_connect


11. Creating anOffice 365 Security Provider for SharePointOnlineCES 7.0.5031+ (March 2013)

Because Office 365 security groups can be used as domain groups in SharePoint Online to set documentspermissions, you must create an Office 365 security provider to allow authenticated users to search for documentssecured using SharePoint Online domain groups.

The role of the Office 365 security provider is to resolve Office 365 security groups into its list of members.

Notes:

l Coveo .NET Front-End 12.0.99+ (March 2013) Support to display search results with Claims permissions.

l The SharePoint, SharePoint Legacy, and OneDrive for Business (CES 7.0.8047+ (December 2015))connectors can use the Claims for SharePoint On-premises security provider type.


To create anOffice 365 security provider for SharePoint Online






4www.coveo.com 102



a. In the Name box, enter a descriptive name of your choice.

b. In the Security Provider Type drop down, selectOffice 365.

c. In the User Identity drop-down list, select the user identity that you created to crawl your SharePointOnline.

d. In the Users Security Provider drop-down list, select the Claims Security Provider for SharePoint Onlineor the Claims to Email Security Provider for SharePoint Online that you previously created (CES 7.0.7433+ (February2015)) (see "Creating a Claims Security Provider for SharePoint Online" on page 89 and Creating aClaims to Email Security Provider for SharePoint Online).

e. In theWindows Azure Active Directory Module for Windows PowerShell box, ensure that theMSOnline.psd1 file is available at the default location(C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\MSOnline.psd1) on yourCoveo Master server following the installation of the Windows Azure AD Module installation (see"Installing the Windows Azure AD Module for Windows PowerShell" on page 101). Change the path ifneeded.

Note: You need to install the Windows Azure AD Module version with the same word size (32-bit vs 64-bit) as your version of CES. If you install the 64-bit version of the Windows Azure AD Module and run the32-bit version of CES, when the connector requires the module, Windows will silently attempt to load the32-bit version of the AD module, even if you specified the path for the 64-bit version.

f. Leave the Allow Complex Identities option cleared as it does not apply to this type of security provider.

g. Click Save.

4www.coveo.com 103



What'sNext?

Create a SharePoint security provider that will use this Claims security provider.

4www.coveo.com 104



12. Creating a SharePoint Security ProviderSharePoint and OneDrive for Business (CES 7.0.8047+ (December 2015)) sources need a SharePoint securityprovider to resolve permissions found on documents in the unified index. These permissions can either beSharePoint groups, users, or domain groups. Of these three types of permissions, only SharePoint groups areactually processed by the SharePoint security provider. Users and domain groups are simply forwarded to othersecurity providers for processing.

The other types of security providers required to process users and domain groups vary according to theSharePoint environment being indexed, more precisely, according to the type of authentication provider (ClassicWindows, Claims-Based) used by the Web Application, and the SharePoint server version (2013 or 2010 on-premises, or Online).

Notes:

l CES 7.0.6830+ (July 2014) The SharePoint security provider type is for the second-generation SharePointand the OneDrive for Business connectors. When you are still using the original SharePoint connector tocreate your SharePoint source, ensure to rather use the SharePoint Legacy security provider type.


Tomodify or configure aSharePoint security provider


2. Select Configuration > Security.

3. In the Security page, in the navigation panel on the left, click Security Providers.


5. In the Modify Security Provider page:

4www.coveo.com 105



4www.coveo.com 106



a. In the Name box, enter a name to identify this security provider.

Example: You may want to include in the name the SharePoint version and authentication mode used bythis security provider:

SharePoint 2013 (Windows under Claims)

b. In the Security Provider Type drop-down list, select SharePoint (x64).

Note: CES 7.0.6767– (June 2014) The SharePoint (x64) type corresponds to what is now the LegacySharePoint security provider.

c. In the User Identity section:

i. In the drop-down list, select the user identity that you selected or created previously to connect to thisSharePoint Web Application.

ii. When needed, click Add, Edit, or Manage user identities respectively to create, modify, or manageuser identities.

d. In the Active Directory Security Provider drop-down list:

i. For on-premises SharePoint environments without an Okta single sign-on configuration, select thedefault Active Directory security provider

ii. For SharePoint Online environments, select (none).

iii. For on-premises SharePoint environment using an Okta single sing-on configuration, select (none).

e. In the Security Provider for SharePoint Users drop-down list, select the security provider that youcreated for your SharePoint environment.

l Classic: Select (none).

l Claims or Okta: Select your Claims security provider for an on-premises SharePoint (see "Creating aClaims Security Provider for an On-Premises SharePoint" on page 84).

l Online:

o Select your Claims security provider for SharePoint Online (see "Creating a Claims SecurityProvider for SharePoint Online" on page 89).

OR

o CES 7.0.7433+ (February 2015) Select your Claims to Email security provider for SharePointOnline (see "Creating a Claims to Email Security Provider for SharePoint Online" on page 96).

f. In the Security Provider for Domain Groups drop-down list, select the security provider that you createdfor your SharePoint environment.

l Classic: Select (none).

l Claims (on-premises) or Okta: Select (none).

4www.coveo.com 107



l Online: Select your Office 365 security provider (see "Creating an Office 365 Security Provider forSharePoint Online" on page 102).

g. In the SharePoint Server Url box, enter the following value according to your SharePoint environment:

l Classic: URL of the SharePoint Web Application where the secured content to index is located.

l Claims (on-premises) or Okta:

URL of the SharePoint Web Application to index where the Coveo SharePoint Web Service isinstalled in the form http://SharePoint_server[:WebApp_port].

Note: You can find the port of the Coveo Web Service on your SharePoint server (see How to:Identify the Port Number of a SharePoint Application).

l Online: URL of the SharePoint online site in the form https://domain.sharepoint.com/[path].

h. In the Cache expiration delay (in minutes) box, you can set the time interval at which the security providercache is refreshed. The default and recommended value is 60 minutes.

Example: You may want to significantly reduce the Cache expiration delay (in minutes) value to 1minute while you perform permission changing tests and want to ensure that this cache does notsignificantly delay the effect of your permission changes. You would set the value back to the defaultwhen your tests are completed to optimize performances.

i. In the Authentication Type box, refer to the following table to enter the authentication type valuecorresponding to your SharePoint environment and the type of User Identity that you assigned to thissecurity provider.

SharePoint environment User identity type Value to enter

Classic Windows account(SharePoint 2010 default)

WindowsClassic

Claims Windows account(SharePoint 2013 default)

WindowsUnderClaims

ADFS federated account AdfsUnderClaims

Okta Okta

Online Native Office 365 account SpOnlineNative

Single Sign-On Office 365 account SpOnlineFederated

j. Leave the AuthenticationRealmUrl box empty unless your SharePoint environment includes an onlineauthentication service on a separate server, in which case you enter the authentication server URL.

k. The following ADFS related parameters are only required when the Authentication Type is eitherAdfsUnderClaims or SpOnlineFederated.

4www.coveo.com 108


http://msdn.microsoft.com/en-us/library/hh167832(v=nav.70).aspx

http://msdn.microsoft.com/en-us/library/hh167832(v=nav.70).aspx


i. In the AdfsServerUrl box, enter the URL of the ADFS server for which a Trust is established withSharePoint.

Example: https://adfs.mydomain.com

Note: CES 7.0.6684+ (May 2014) The SharePoint connector supports indexing SharePoint onlineconfigured with Okta.

In this case, in the AdfsServerUrl box, enter the full path to your SharePoint OnlineActiveClientSignInUrl that should be in the form:


You can find your SharePoint Online ActiveClientSignInUrl in Okta, in the sign on instructionsof the Microsoft Office 365 application:

i. With an administrator account, log in into Okta.

ii. In the top menu, click Admin.

iii. In the administration panel, select Applications > Applications.

iv. In the Applications page, click Microsoft Office 365.

v. In the Microsoft Office 365 page, select the Sign On tab.

vi. In the Sign On tab, under Sign On Methods section, click View Setup Instructions.

vii. The ActiveClientSignInUrl is the value next to ActiveLogOnUri.

Ensure that you also set this ActiveClientSignInUrl for the Claims Security provider and theSharePoint source (see Creating a Claims Security Provider for SharePoint Online).

ii. In the SharePointTrustIdentifier box, enter the Relying Party Trust identifier for the SharePoint webapplication (see "Finding the Relying Party Trust Identifier for a SharePoint Web Application" on page93).

l. The following parameters are required only when multiple ADFS servers are used to authenticate users inSharePoint:

i. In the IdentityProviderServerUrl box, enter the URL of the ADFS server which is used as an IdentityProvider for the ADFS server trusted by SharePoint.

ii. In the AdfsServerTrustIdentifier box, enter the Relying Party Trust identifier for the SharePoint ADFSserver (see "Finding the Relying Party Trust Identifier for a SharePoint ADFS server" on page 94).

Note: At this point, the proper ADFS endpoint(s) should already have been enabled on the ADFS server(s) during the configuration of the Claims security provider for SharePoint (see "ADFS ServerRequirements for a Claims Security Provider" on page 92).

m. Select the AllowBasicAuthentication option only when basic authentication is enabled on the webapplication to index and specifically want to use this authentication mode.

4www.coveo.com 109




It is recommended to use this authentication method only with a secured connection (HTTPS) because theuser name and password are passed in clear text in the URL.

n. CES 7.0.9272+ (March 2018) If your SharePoint instance uses an Okta single sign-on setup, in theOktaRealm box, enter the $realm value obtained from Okta (see Retrieve your application parameters).

Example: urn:okta:sharepoint:myid

o. CES 7.0.9272+ (March 2018) If your SharePoint instance uses an Okta single sign-on setup, in theOktaSignInUrl box, enter the $signInURL value you obtained from Okta (see Retrieve your applicationparameters).

Example: https://YOURINSTANCE.OKTA_OR_OKTAPREVIEW.com/app/sharepoint_onpremise/sso/wsfed/passive

p. In the Parameters section, in rare cases the Coveo Support could instruct you to click Add Parameters tospecify other security provider parameter names and values that could help to troubleshoot securityprovider issues.

q. Leave the Allow Complex Identities option cleared as it does not apply to this type of security provider.

6. Click Apply Changes.

What'sNext?

l (For SharePoint sources only) Configure and index a Microsoft SharePoint source.

l (For OneDrive for Business sources only) Configure and index a Microsoft OneDrive for Business source.

4www.coveo.com 110




13. Creating and Using a Custom SharePoint Mapping FileA mapping file associates SharePoint metadata with Coveo index fields. SharePoint is essentially made of lists andlist items. Each list has a Base List Type, to represent what it contains and how to interact with it.

Example: A Document Library list contains only documents. You can also add a Custom List which willcontain generic list items. A user can have two Document Library lists, but decide to add more columns(metadata) to the second list.

CES 7.0.6607+ (April 2014) The Microsoft SharePoint connector comes with a default mapping file ([CES_Path]\bin\Coveo.CES.CustomCrawlers.SharePoint.MappingFile.xml) that contains mappings for allstandard list types. Using the default mapping file allows to index standard SharePoint content.

While the content of custom metadata such as custom columns in a list are mapped to default fields, in a casewhere you identify custom metadata that are not properly mapped, you can consider creating and using a custommapping file to ensure that custom metadata content is mapped to specific fields.

Note: In a custom SharePoint mapping file, you must refer to the custom SharePoint fields using the name thatbegins with the out-of-the-box ows_ (Office Web Server) namespace prefix (see What does “ows” means and whypeople use it before name of a field).

You may identify a SharePoint metadata name from the SharePoint URL (see "Determining the Name of aSharePoint Metadata Tag" on page 119).

The SharePoint connector can put multiple mapping types in the MappingType property for every item, separatedby semicolons, before being sent to the index.

These mapping types are arranged in order of more to less specific:

l Item type + ID (a GUID)

l Item type + Title

l Item type + Base type

Example: An item of a Contact list can have the following MappingType:

ListItem.{432-1123243434-343331};ListItem.My Contact List;ListItem.Contacts

Items other than List and List Items have their ID and name:

Web.{58943-43849273-483922};Web.MyWeb

For all documents, the DocumentType property is set to the base item type (for example: ListItem).

Consequently, as shown in the following example, a mapping file can specifically map a set of lists or a single list toa particular set of fields.

Important: Semicolons (;) are used to separate items in the mapping file. When you want to map an item that hasa ; character in its title, remove the character in the MappingType property (<Mapping type="[Item

title]">).

4www.coveo.com 111


http://sharepoint.stackexchange.com/questions/50915/

http://sharepoint.stackexchange.com/questions/50915/


<?xml version="1.0" encoding="utf-8"?><Mappings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema"><Version>1</Version><CommonMapping><Fields />

</CommonMapping>...<Mapping type="ListItem.Announcements"><Title>%[coveo_SiteName] - %[Title]</Title><Body>%[Description]</Body><Fields />

</Mapping>

<Mapping type="ListItem.GenericList.My custom list"><Title>%[coveo_SiteName] - %[Title]</Title><Body>%[Description]</Body><Fields><Field name="myfield1">%[ows_customTextColumn1]</Field><Field name="myfield2">%[ows_customTextColumn2]</Field><Field name="myfield3">%[ows_customTextColumn3]</Field>

</Fields></Mapping>

<Mapping type="ListItem.{432-1123243434-343331}"><Title>%[coveo_SiteName] - %[Title]</Title><Body>%[Description]</Body><Fields><Field name="myfield4">%[ows_customTextColumn4]</Field><Field name="myfield5">%[ows_customTextColumn5]</Field><Field name="myfield6">%[ows_customTextColumn6]</Field>

</Fields></Mapping>

<Mapping type="Web.MyWebApp"><Fields><Field name="syssearchablemeta">%[Description]</Field><Field name="mywebstuff">%[some_metadata]</Field>

</Fields></Mapping>

</Mappings>

To create a customSharePoint mapping file

1. Using an administrator account, connect to the Coveo Master server.

2. Copy the default mapping file ([CES_Path]\bin\Coveo.CES.CustomCrawlers.SharePoint.MappingFile.xml) and rename the copy in afolder under [Index_Path]\Config\ to ensure the file is part of your index configuration.

Example:When your index is on the D: drive and you are indexing your SharePoint 2013 intranet, renamethe copy of the default mapping file to:

D:\CES70\Config\Connectors\SharePoint2013IntranetMapping.xml

3. Using a text editor, modify existing mappings or add new ones to specifically map your custom metadata.

Note: The SharePoint mapping file must respect the standard mapping file schema (see "Standard MappingFile Schema" on page 113).

4www.coveo.com 112



What'sNext?

l In the source, ensure to select the custom mapping file you created (see Configuring and Indexing a MicrosoftSharePoint Source).

l If you added custom fields, ensure to add them to the field set used by the source (see Microsoft SharePointConnector Deployment Overview).

13.1 Standard Mapping File SchemaA Coveo connector may need a mapping file to correctly copy the repository metadata values to appropriate indexfields. This topic describes the format of the standard mapping file by providing its XML schema definition. Refer tothis schema to review the possible content of the file and ensure that your mapping file is valid.

4www.coveo.com 113



Notes:

l CES 7.0.7914+ (October 2015) Using a mapping file, in a field or body element, you can retrieve the contentof an external file by setting the isUrl attribute to true in the start tag and entering the external file URL asthe value.

Example: <Field name="contact" isUrl="true">%[UrlMetadata]</field>

The normal mapping resolution is performed and when the download attempt of the resolved value issuccessful, the downloaded content is converted to a string and put in the body or field element. One usecase is when you have a database with a column containing a URI that points to a document that you want touse as a body.

When using this feature, have in mind that:

o isUrl is case-sensitive.

o Direct mapping (ex: <Field name="[value]" isUrl="true">[value]</Field>) and mappingresolution (ex: <Body isUrl="true">%[File_Path_or_URL]</Body>) are both supported schemes.

o Old mappings are compatible, meaning that when isUrl is not specified, the attribute is considered setto false (no download is performed).

o The specified external file can be a .PDF, .DOCS, .ETC, .TXT, . RTF or .HTML file and its URL can startwith http://, https:// or file://.

o The content of the external file must be public since no authentication is supported when performing thedownload attempt.

o When an invalid URL is specified, an error message stating that a mapping fails is logged, but thedocument is still indexed.

l By default, when the name of a field in the field set selected for the source matches the name of a metadatafrom the indexed repository, the metadata value is automatically copied to the field, even when they are notformally associated in a mapping file.

l The standard mapping file schema is supported by all connectors written in C# (all connectors except WebLegacy). However, it is recommenced for the connectors that use their own mappings (such as Oracle UCM)to NOT mix these specific mappings with standard ones.

l Some connectors come with a default mapping file that is available in the [CES_Path]\bin folder, Themapping file name is in the form:

Coveo.CES.CustomCrawlers.[ConnectorName].MappingFile.xml

When a default mapping file is available, it is recommended to start with its content by using and customizinga copy of the file.

This mapping file format is used by more recently developed or updated connectors. This standard mapping fileonly contains metadata to field mappings, not other connector configuration parameters. When needed, aconnector rather uses a separate configuration file for non-mapping parameters.

The format of the mapping file version 1 is specified in the following XML schema definition (XSD).

4www.coveo.com 114


http://download.coveo.com/ValidationSchemaVersion1.xsd


<?xml version="1.0" encoding="utf-8" ?><xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">

<xs:element name="Mappings"><xs:complexType><xs:sequence>

<xs:element name="Version" minOccurs="1" maxOccurs ="1" /><xs:element name="CommonMapping" type="GenericMapping" minOccurs="0" maxOccurs ="1"/><xs:element name="Mapping" type="SpecificMapping" minOccurs="0" maxOccurs ="unbounded"/><xs:element name="DefaultMapping" type="GenericMapping" minOccurs ="0" maxOccurs="1"/>

</xs:sequence></xs:complexType><xs:unique name="mappings"><xs:selector xpath="Mapping"/><xs:field xpath="@type"/>

</xs:unique></xs:element>

<xs:complexType name="GenericMapping"><xs:group ref="MappingElement" />

</xs:complexType>

<xs:complexType name ="SpecificMapping"><xs:group ref="MappingElement" /><xs:attribute name="type" use=" required" />

</xs:complexType>

<xs:group name="MappingElement"><xs:all><xs:element name ="Title" minOccurs="0" maxOccurs = "1"/><xs:element name="Body" minOccurs="0" maxOccurs = "1"/><xs:element name="ClickableUri" minOccurs="0" maxOccurs = "1"/><xs:element name="PrintableUri" minOccurs="0" maxOccurs = "1"/><xs:element ref="Fields" minOccurs="0" maxOccurs = "1"/>

</xs:all></xs:group>

<xs:element name="Fields"><xs:complexType><xs:sequence><xs:element ref="Field" minOccurs="0" maxOccurs = "unbounded"/>

</xs:sequence></xs:complexType><xs:unique name="field"><xs:selector xpath="Field"/><xs:field xpath="@name"/>

</xs:unique></xs:element>

<xs:element name="Field"><xs:complexType><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="name" use="required"/>

</xs:extension></xs:simpleContent>

</xs:complexType></xs:element>

</xs:schema>

4www.coveo.com 115



Example: The JIVE connector uses the standard mapping file schema:

<?xml version="1.0" encoding="utf-8" ?><Mappings><Version>1</Version><CommonMapping><Fields><Field name="sysauthor">%[author.displayName]</Field><Field name="syscstag">%[tags]</Field><Field name="syscstaggroup">%[categories]</Field><Field name="syscsplace">%[coveo.places.titles]</Field><Field name="syscsplacetype">%[coveo.places.types]</Field>

</Fields></CommonMapping><Mapping type="announcement"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">csannouncement</Field><Field name="syscsitemtype">Announcement</Field>

</Fields></Mapping><Mapping type="attachment"><Title>%[name]</Title><Fields><Field name="sysfilename">%[name]</Field>

</Fields></Mapping><Mapping type="checkpoint"><Title>%[name]</Title><Body>%[description]</Body><Fields><Field name="sysdtdue">dueDate</Field><Field name="sysfiletype">cscheckpoint</Field><Field name="syscsitemtype">Checkpoint</Field>

</Fields></Mapping><Mapping type="comment"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">cscomment</Field><Field name="syscsitemtype">Comment</Field>

</Fields></Mapping><Mapping type="discussion"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">csdiscussion</Field><Field name="syscsitemtype">Discussion</Field>

</Fields></Mapping><Mapping type="dm"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">csdm</Field><Field name="syscsitemtype">dm</Field>

</Fields></Mapping><Mapping type="document">

4www.coveo.com 116



<Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfilename">%[subject]</Field><Field name="sysfiletype">csdocument</Field><Field name="syscsitemtype">Document</Field>

</Fields></Mapping><Mapping type="file"><Title>%[subject]</Title><Fields><Field name="sysfilename">%[subject]</Field>

</Fields></Mapping><Mapping type="group"><Title>%[name]</Title><Body>%[description]</Body><Fields><Field name="sysauthor">%[creator.displayName]</Field><Field name="sysfiletype">cssocialgroup</Field><Field name="syscsitemtype">Social Group</Field>

</Fields></Mapping><Mapping type="idea"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">csidea</Field><Field name="syscsitemtype">Idea</Field>

</Fields></Mapping><Mapping type="message"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">csmessage</Field><Field name="syscsitemtype">Message</Field>

</Fields></Mapping><Mapping type="person"><Title>%[displayName]</Title><Body> %[displayName] %[emails(work).value] %[jive.profile(Title).value]</Body><Fields><Field name="UserProfile_FirstName">%[name.givenName]</Field><Field name="UserProfile_LastName">%[name.familyName]</Field><Field name="UserProfile_AccountName">%[jive.username]</Field><Field name="UserProfile_Title">%[jive.profile(Title).value]</Field><Field name="UserProfile_AboutMe">%[jive.profile(Biography).value]</Field><Field name="UserProfile_PictureURL">%[thumbnailUrl]</Field><Field name="UserProfile_WorkEmail">%[emails(work).value]</Field><Field name="UserProfile_WorkPhone">%[phoneNumbers(work).value]</Field><Field name="mobile">%[phoneNumbers(mobile).value]</Field><Field name="syslocation">%[location]</Field><Field name="sysfiletype">csuser</Field><Field name="syscsitemtype">User</Field>

</Fields></Mapping><Mapping type="poll"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">cspoll</Field>

4www.coveo.com 117



<Field name="syscsitemtype">Poll</Field></Fields>

</Mapping><Mapping type="post"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">csblogpost</Field><Field name="syscsitemtype">Blog Post</Field>

</Fields></Mapping><Mapping type="project"><Title>%[name]</Title><Body>%[description]</Body><Fields><Field name="sysdtdue">dueDate</Field><Field name="sysauthor">%[creator.displayName]</Field><Field name="sysfiletype">csproject</Field><Field name="syscsitemtype">Project</Field>

</Fields></Mapping><Mapping type="space"><Title>%[name]</Title><Body>%[description]</Body><Fields><Field name="sysfiletype">cscommunity</Field><Field name="syscsitemtype">Community</Field>

</Fields></Mapping><Mapping type="systemblog"><Title>%[name]</Title><Body>%[description]</Body><Fields><Field name="sysfiletype">cssystemblog</Field><Field name="syscsitemtype">System Blog</Field>

</Fields></Mapping><Mapping type="task"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysdtdue">dueDate</Field><Field name="sysfiletype">cstask</Field><Field name="syscsitemtype">Task</Field><Field name="syscstaskassignedto">%[owner.extra.displayName]</Field>

</Fields></Mapping><Mapping type="update"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">csupdate</Field><Field name="syscsitemtype">Update</Field>

</Fields></Mapping><Mapping type="video"><Title>%[subject]</Title><Body><![CDATA[ <html> %[content.text] </html> ]]></Body><Fields><Field name="sysfiletype">csvideo</Field><Field name="syscsitemtype">Video</Field>

4www.coveo.com 118



</Fields></Mapping>

</Mappings>

13.2 Determining the Name of a SharePoint Metadata TagIn SharePoint, structured information like list items and area listings is identified by metadata tags which describe itsnature and function. CES uses these tags to sort the information.

Note: If the tags entered do not correspond to the metadata names of the appropriate SharePoint fields,erroneous or blank results are returned by queries (ex.: the content and summary can be blank and the authorname missing).

To determine themetadata name of a column

1. In SharePoint, access the page where the list is displayed.

2. Click the column name for which you want to determine the metadata name.

3. In the Address box of the browser, locate the expression SortField=. The name of the column is the expressionentered after =, in the SortField=Name form.

Example: In the following capture, the metadata name for the Name column is LinkFilename.

4www.coveo.com 119



14. Configuring and Indexing aMicrosoft SharePoint SourceA source defines a set of configuration parameters to extract and index Microsoft SharePoint content. This topicdescribes how to create a source using the second generation SharePoint connector.

Notes:

l In an environment with more than one Microsoft SharePoint Web Application, it is recommended to defineone source for each Microsoft SharePoint Web Application that you want to index, and only index userprofiles once to not create duplicates in your index (see Modifying Hidden Microsoft SharePoint SourceParameters).

l CES 7.0.6830+ (July 2014) The SharePoint source type is for the second generation SharePoint connector.When you are still using the original SharePoint connector to create your SharePoint source, ensure to ratheruse the SharePoint Legacy source type.

To configure and index aMicrosoft SharePoint source


2. Select Index > Sources and Collections.

3. In the Collections section:

a. Select an existing collection in which you want to add the new source.

OR

b. Click Add to create a new collection.

4. In the Sources section, click Add.

The Add Source page that appears is organized in three sections.

5. In the General Settings section of the Add Source page:

4www.coveo.com 120



a. Enter the appropriate value for the following required parameters:

Name

Enter a descriptive name of your choice for this source.

Example:When you have more than one SharePoint site to index, you can include in the nameinformation to help distinguish between them.

SharePoint 2016 Intranet

SharePoint 2013 Extranet

Source Type

The connector used by this source. In this case, select SharePoint.

Note: CES 7.0.6767– (June 2014) The SharePoint type corresponds to what is now the LegacySharePoint source type.

Addresses

List of specific SharePoint farm sections that you want to index. If you need to index more than onesection, enter one URL per line.

Note: CES 7.0.6942 (August 2014) Starting addresses must end with /.

4www.coveo.com 121



Examples:

l For the whole farm:

https://farm/

l For a specific Web Application:

https://farm:8080/

l For a specific site collection:

https://farm:8080/sites/Support/default.aspx

l For a specific website:

https://farm:8080/sites/Support/subsite/default.aspx

l For a specific document library:

https://farm:8080/Document Library/

l For a specific list:

https://farm:8080/sites/Support/Lists/Contacts/AllItems.aspx

Important: A specific folder in a list is not supported.

l For SharePoint Online:

https://domain.sharepoint.com

Note: You can also use the source Crawl Scope parameter to control more precisely the content tocrawl (see below).

Fields

Select the field set that you created for this source (see Microsoft SharePoint Connector DeploymentOverview).

Refresh Schedule

Time interval at which the source is automatically refreshed to keep the index content up-to-date.

Note: The default Every Day option is typically good, but when your SharePoint content changesfrequently within a day, after creating your source, you should schedule incremental refresh atsignificantly shorter time interval to continuously index ongoing SharePoint content changes. You canthen consider to refresh the source weekly by selecting the Every Sunday option.

b. Review the value for the following parameters that often do not need to be modified:

Rating

Change this value only when you want to globally change the rating associated with all items in thissource relative to the rating to other sources.

4www.coveo.com 122



Example: If this source was for a legacy Intranet, you may want to set this parameter to Low, so that inthe search interface, results from this source appear later in the list compared to those from othersources.

Document Types

If you defined custom document type sets, ensure to select the most appropriate for this source.

Active Languages

If you defined custom active language sets, ensure to select the most appropriate for this source.

6. In the Specific Connector Parameters & Options section of the Add Source page, review if you need tochange the parameter default values:

a. In the Number of Refresh Threads box, when your Coveo server has available CPU cores, considerincreasing the number to easily and significantly increase the crawling performance. The default value is2.

b. In the Mapping File box, leave the default value to use the default mapping file(Coveo.CES.CustomCrawlers.SharePoint.MappingFile.xml).

When you identify that some custom SharePoint content is not indexed or not properly mapped, considercreating a custom mapping file, and then enter the full path to the file (see "Creating and Using a CustomSharePoint Mapping File" on page 111).

c. CES 7.0.6830+ (July 2014) In the Crawling Scope drop-down box, select the option for the content typethat you want to crawl in relation with the source Addresses that you specified (see above).

SelectWebApplication, the default value and highest element type in the SharePoint farm (tenant inSharePoint Online) hierarchy to crawl everything.

4www.coveo.com 123



Value Content to crawl

WebApplication All site collections of the specified web application

SiteCollection All web sites of the specified site collection

WebAndSubWebs Only the specified web site and its sub webs

List Only the specified list or document library

d. In the Authentication Type drop-down list, refer to the following table to select the authentication typevalue corresponding to your SharePoint environment and the type of User Identity that you assigned tothis source (see Microsoft SharePoint Connector Deployment Overview).

SharePoint environment User identity type Option to select

Classic Windows account(SharePoint 2010 default)

WindowsClassic

Claims Windows account(SharePoint 2013 and 2016 default)

WindowsUnderClaims

ADFS federated account AdfsUnderClaims

CES 7.0.9272+ (March 2018)Okta

Okta

Online Native Office 365 account SpOnlineNative

Single Sign-On Office 365 account SpOnlineFederated

e. In the Parameters section, click Add Parameter when you want to show and configure advanced hiddensource parameters (see "Modifying Hidden Microsoft SharePoint Source Parameters" on page 127).

4www.coveo.com 124



Examples:

l In the case of an ADFS environment, when the Authentication Type parameter value is eitherAdfsUnderClaims or SpOnlineFederated, you must add ADFS related hidden parameters (see"ADFS Related Parameters" on page 127).


l CES 7.0.8541+ (September 2016) When you create a SharePoint search service application to listyour user profiles, you must add the following hidden parameters (see LoadUserProfiles andUsePeopleSearchForUserProfiles).

l CES 7.0.9272+ (March 2018) When your SharePoint instance uses Okta as a single sign-onprovider, you must add the OktaRealmand OktaSignInUrl parameters, and the correspondingvalues that you previously retrieved (see Okta Identity Provider for SharePoint Connector).

f. In the Option section:

Index Subfolders

Keep this check box selected (recommended). By doing so, all subfolders from the specified serveraddress are indexed.

Index the document's metadata

When selected, CES indexes all the document metadata, even metadata that are not associated with afield. The orphan metadata are added to the body of the document so that they can be searched usingfree text queries.

4www.coveo.com 125



When cleared (default), only the values of system and custom fields that have the Free Text Queriesattribute selected will be searchable without using a field query.

Example: A document has two metadata:

l LastEditedBy containing the value Hector Smith

l Department containing the value RH

In CES, the custom field CorpDepartment is bound to the metadata Department and its Free TextQueries attribute is selected.

When the Index the document's metadata option is cleared, searching for RH returns the documentbecause a field is indexing this value. Searching for hector does not return the document becauseno field is indexing this value.

When the Index the document's metadata option is selected, searching for hector also returns thedocument because CES indexed orphan metadata.

Document's addresses are case-sensitive

Leave the check box cleared. This parameter needs to be checked only in rare cases for case sensitivesystems in which distinct documents may have the same file name but with different casing.

Generate a cached HTML version of indexed documents

When you select this check box (recommended), at indexing time, CES creates HTML versions ofindexed documents. In the search interfaces, users can then more rapidly review the content byclicking the Quick View link rather than opening the original document with the original application.Consider clearing this check box only if you do not want to use Quick View links.

Open results with cached version

Leave this check box cleared (recommended) so that in the search interfaces, the main search resultlink opens the original document with the original application. Consider selecting this check box onlywhen you do not want users to be able to open the original document but only see the HTML version ofthe document as a Quick View. In this case, you must also selectGenerate a cached HTML version ofindexed documents.

7. In the Security section of the Add Source page:

4www.coveo.com 126



a. In the Authentication drop-down list, select the user identity that you created for the Microsoft SharePointfarm (tenant in SharePoint Online) (see Microsoft SharePoint Connector Deployment Overview).

b. In the Security Provider drop-down list, select the SharePoint security provider that you created for thisSharePoint source.

c. Click Save to save the source configuration and consider revising advanced source parameters beforestarting indexing the new source (see "Modifying Hidden Microsoft SharePoint Source Parameters" onpage 127).

OR

d. Click Save and Start to save and start indexing immediately.

Note:When your SharePoint Web Application uses Claims, the first time the SharePoint search interface isaccessed, the first time setup page appears to let you enter your Claims information and allow access to thesearch interface (see Coveo .NET Front-End First Time Setup).

What'sNext?

Set an incremental refresh schedule for your source.

14.1 Modifying Hidden Microsoft SharePoint Source ParametersThe Add Source and Source: ... General pages of the Administration Tool present the parameters with which youcan configure the connector for most Microsoft SharePoint setups. More advanced and more rarely usedparameters are hidden. You can choose to make one or more of these parameters appear in the Add Source andSource: ... General pages of the Administration Tool so that you can change their default value.

The following list describes the available advanced hidden parameters for Microsoft SharePoint sources. Theparameter type (integer, string…) appears between parentheses following the parameter name.

14.1.1 ADFS Related Parameters

The following ADFS related parameters are only required when the source Authentication Type parameter iseither AdfsUnderClaims or SpOnlineFederated:

AdfsServerUrl (String)

URL of the AD FS server for which a trust is established with SharePoint.

4www.coveo.com 127



Note: CES 7.0.6684+ (May 2014) The SharePoint connector supports indexing SharePoint Online configuredwith Okta (see "SharePoint Online (Okta SSO) [Claims] Source Quick Setup" on page 21).

In this case, you must add the AdfsServerUrl hidden parameter to the source and set the value to the fullpath to your SharePoint Online ActiveClientSignInUrl that should be in the form:


You can find your SharePoint Online ActiveClientSignInUrl in Okta, in the sign on instructions of theMicrosoft Office 365 application:

1. With an administrator account, log in to Okta.

2. In the top menu, click Admin.

3. In the administration panel, select Applications > Applications.

4. In the Applications page, click Microsoft Office 365.

5. In the Microsoft Office 365 page, select the Sign On tab.

6. In the Sign On tab, under Sign On Methods section, click View Setup Instructions.

7. The ActiveClientSignInUrl is the value next to ActiveLogOnUri.

Ensure that you also set this ActiveClientSignInUrl for the Claims Security provider and the SharePointsource (see Creating a Claims Security Provider for SharePoint Online and Creating a SharePoint SecurityProvider).

SharePointTrustIdentifier (String)

The Relying Party Trust identifier for the SharePoint ADFS server (see "Finding the Relying Party Trust Identifierfor a SharePoint ADFS server" on page 94).

The following parameters are required only when multiple ADFS servers are used to authenticate users inSharePoint:

IdentityProviderServerUrl (String)

The URL of the ADFS server which is used as an Identity Provider for the ADFS server trusted by SharePoint.

AdfsServerTrustIdentifier (String)

Trust Identifier for the SharePoint AD FS Server. Enter the Relying Party Trust identifier for the SharePoint webapplication (see "Finding the Relying Party Trust Identifier for a SharePoint Web Application" on page 93).

14.1.2Other Parameters

UsePeopleSearchForUserProfiles (Boolean) CES 7.0.8541+ (September 2016)

Note: User profiles are not available in Microsoft SharePoint Foundation.

Whether to extract the SharePoint user profiles using the SharePoint search service application (see "ListingUser Profiles With a SharePoint Search Service Application" on page 40). The default value is false.

4www.coveo.com 128




When you have created a search service application, set this parameter to true only on the SharePoint sourceof your smallest web application in size.

You must also set the LoadUserProfiles hidden parameter to true (see LoadUserProfiles). Otherwise, theparameter is ineffective.

AllowBasicAuthentication (Boolean)

Select the AllowBasicAuthentication option only when basic authentication is enabled on the web applicationto index and specifically want to use this authentication mode. The default value is false.

It is recommended to use this authentication method only with a secured connection (HTTPS) because the username and password are passed in clear text in the URL.

AuthenticationRealmUrl (String)

Add this hidden parameter only when your SharePoint environment includes an online authentication serviceon a separate server, in which case you enter the authentication server URL in the formhttps://domain.sharepoint.com.

EnableOfficeIntegration (Boolean) CES 7.0.7022+ (September 2014)

Whether to enable the office integration in the .NET UI or not. This will change the clickable URI to opendocuments directly in Office. The default value is true.

LoadAllOnlineSiteCollections (Boolean) CES 7.0.6830+ (July 2014)

Whether to extract the SharePoint Online site collections. The default value is false.

LoadUserProfiles (Boolean)

Whether to extract the SharePoint user profiles. The default value is true.

Set this parameter to false when you do not want to index the SharePoint users.

4www.coveo.com 129



Notes:

l CES 7.0.8541+ (September 2016) Indexing user profiles takes a significantly smaller amount of timeusing the parameter in combination with the UsePeopleSearchForUserProfiles parameter (seeUsePeopleSearchForUserProfiles).

l CES 7.0.8388– (June 2016) Indexing user profiles can take a significant time depending on their number.Moreover, indexing user profiles more than once, creates as many duplicates in your index. It is thusrecommended to only index your user profiles once for all your SharePoint sources:

o When you configure your first SharePoint source, you do not need to add this parameter. For all yourother SharePoint sources, add the LoadUserProfiles parameter and set the value to false.

o When you already have other configured SharePoint source(s), look for your smallest WebApplication in size, and add the LoadUserProfiles parameter and set the value to false in all yourother SharePoint sources.

l Since SharePoint 2010, 2013 and 2016 do not support ADFS users on Windows with user profile, it iscurrently impossible when indexing those SharePoint versions to set the LoadUserProfiles parameterto true when the Crawl Scope isWebApplication and the Authentication Type is AdfsUnderClaims (see"Configuring and Indexing a Microsoft SharePoint Source" on page 120).

l User profiles and personal websites are not available in Microsoft SharePoint Foundation.

LoadSocialTags (Boolean) CES 7.0.7022+ (September 2014)

Whether to retrieve the social tags for each document or not. When set to true, documents corresponding toitems with social tags have the fields syssptagnames and syssptagguids set with the social tag content.

The parameter works for SharePoint On-Premises, but not for SharePoint Online. An incremental refresh shouldpick social tag changes. However, the SharePoint API does not report social tags accurately for all item typesand the SharePoint web service cache can delay or cause multiple pick ups of a tag change by an incrementalrefresh.

The default value is false. Setting this parameter to true can have a significant impact on crawlingperformance because one call is required to retrieve each item.

OverrideSharePointAuthor(Boolean) CES 7.0.7711+ (June 2015)

Whether to override the author saved in SharePoint for a document by the author extracted from the metadata ofthe document.

RequestTimeout (Integer) CES 7.0.7711+ (June 2015)

The maximum amount of time (in seconds) an HTTP request can be executed before being canceled. Thedefault value is 60.

WebPartsOptions (String) CES 7.0.7022+ (September 2014)

Note: Not all Web parts are available in Microsoft SharePoint Foundation 2010 (see Overview of Web Partsavailable in SharePoint Foundation 2010).

4www.coveo.com 130





Determines what to do with Web Part Pages. The content of the web parts is added to the fieldsyssearchablemeta, which is not displayed in search results, but is searchable. Use this parameter to controlwhat is indexed and include or not potentially secured dynamic content to prevent a security hole.

The following table lists the possible WebPartsOptions parameter values.

Value Description

SelectiveWebParts The default value. Only indexes the content of Web Parts listed in theIncludedWebPartTypes parameter.By default, only fixed content is indexed, not dynamic content for which permissionscannot be indexed and could potentially allow users to find content to which they donot normally have access.

AllContent Indexes the whole Web Part Page, including menus and dynamic web parts that cancontain secured content that will be searchable.

WebPartsContent Indexes only the content of all the Web Parts of the Web Part Page, includingdynamic web parts that can contain secured content that will be searchable.

NoContent Do not download and index the Web Part Page at all (indexed by reference).

Your mapping file should contain the following tags to ensure that the syssearchablemeta field gets set:

<Mapping type="File"><Fields><Field name="syssearchablemeta">%[coveo_AllMetaData]</Field>

</Fields></Mapping>

IncludedWebPartTypes (String) CES 7.0.7022+ (September 2014)

A semi-colon list of web part types to crawl for Web Part Pages when the WebPartsOptions parameter is set toSelectiveWebParts. By default only content editors are crawled(Microsoft.SharePoint.WebPartPages.ContentEditorWebPart;).

IndexListFolders (Boolean) CES 7.0.7104+ (October 2014)

Whether to index List Folders or not. The default value is false, because Web folders are not accessible via thebrowser, only from Windows Explorer. Set to true when you want to see the List Folders in search results.

ServerNameAlias (String) CES 7.0.7711+ (June 2015)

Specifies a server name that overrides the one from which documents are downloaded in the index. Thisparameter is useful to have query results point to a server other than the one used for indexing.

Example: Three network load balanced (NLB) SharePoint front-end servers handle the end-users requestsand your source crawls a fourth mirror server to not impact performance for users. In this case, you add theServerNameAlias parameter and set the value to the NLB URL to replace the IP address in the index.

4www.coveo.com 131



LoadPersonalSites (Boolean) CES 7.0.8047+ (December 2015)

Note: Personal websites are not available in Microsoft SharePoint Foundation.

When the Crawling Scope source parameter is set to WebApplication, whether to include personal sites. Thedefault value is true.

OktaRealm (String) CES 7.0.9272+ (March 2018)

If your SharePoint instance uses an Okta single sing-on setup, provide the $realm value obtained from Okta(see Retrieve your application parameters).

OktaSingInUrl (String) CES 7.0.9272+ (March 2018)

If your SharePoint instance uses an Okta single sing-on setup, provide the $signInURL value obtained fromOkta (see Retrieve your application parameters).

Tomodify hiddenMicrosoft SharePoint source parameters

1. Refer to "Adding an Explicit Connector Parameter" on page 133 to add one or more Microsoft SharePointhidden source parameters.

2. For a new Microsoft SharePoint source, access the Add Source page of the Administration Tool to modify thevalue of the newly added advanced parameter:

a. Select Index > Sources and Collections.

b. Under Collections, select the collection in which you want to add the source.

c. Under Sources, click Add.

d. In the Add Source page, edit the newly added advanced parameter value.

3. For an existing Microsoft SharePoint source, access the Source: ... General page of the Administration Tool tomodify the value of the newly added advanced parameter:

a. Select Index > Sources and Collections.

b. Under Collections, select the collection containing the source you want to modify.

c. Under Sources, click the existing Microsoft SharePoint source in which you want to modify the newlyadded advanced parameter.

d. In the Source: ... General page, edit the newly added advanced parameter value.

14.2 Finding the Assembly Type of a SharePoint Web PartYou may need to find the assembly type of Web Parts that you want to index when you select the Index the contentof the WebParts of these types only option for a SharePoint source).

Tip:When useful, you can also get SharePoint Web Part assembly name and type programmatically (see Get webpart assembly name and type name from SharePoint web part gallery).

4www.coveo.com 132


http://sandippatilblog.blogspot.ca/2014/11/get-web-part-assembly-name-and-type-from-SharePoint-web-part-gallery.html

http://sandippatilblog.blogspot.ca/2014/11/get-web-part-assembly-name-and-type-from-SharePoint-web-part-gallery.html


To find the assembly type of a SharePointWebPart

1. Using a SharePoint administrator account, select the site collection containing the Web Part that you want toindex.

2. In the Site Actions menu, select Site Settings.

3. In the Site Settings page, under Galleries, clickWeb Parts.

4. In the list of Web Parts that appears, click the Edit icon for the Web Part that you want to index.

The Web Part file can either have a .dwp or a .webpart extension

Example: Click the Edit icon for the MSContent Editor.dwp file corresponding to the default Web Partassembly type.

5. Click View XML.

6. In the XML, copy the text between the <TypeName> and </TypeName> tags.

Example: In the following XML code, you would copyMicrosoft.SharePoint.WebPartPages.ContentEditorWebPart.

<?xml version="1.0" encoding="utf-8" ?><WebPart xmlns="http://schemas.microsoft.com/WebPart/v2"><Assembly>Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral,

PublicKeyToken=71e9bce111e9429c</Assembly><TypeName>Microsoft.SharePoint.WebPartPages.ContentEditorWebPart</TypeName><Title>Content Editor Web Part</Title><Description>Use for formatted text, tables, and images.</Description><PartImageLarge>/_layouts/images/mscontl.gif</PartImageLarge>

</WebPart>

14.3 Adding an Explicit Connector ParameterConnector parameters applying to all sources indexed using this connector are called explicit parameters.

When you create or configure a source, the Coveo Enterprise Search (CES) 7.0 Administration Tool presentsparameters with which you can configure the connector for most setups. For many connectors, more advanced andmore rarely used parameters also exist but are hidden by default. CES then uses the default value associated witheach of these hidden parameters.

You can however choose to make one or more of these parameters appear in the Add Source and Source: ...General pages of the Administration Tool so that you can change their default value.

To add an explicit connector parameter


2. Select Configuration > Connectors.

3. In the list on the Connectors page, select the connector for which you want to show advanced hiddenparameters.

4. In the Parameters section of the selected connector page, click Add Parameter for each hidden parameter

4www.coveo.com 133



that you want to modify.

Note: The Add Parameter button is present only when hidden parameters are available for the selectedconnector.

5. In the Modify the parameters of the connector page:

a. In the Type list, select the parameter type as specified in the parameter description.

b. In the Name box, type the parameter name exactly as it appears in the parameter description. Parameternames are case sensitive.

c. In the Default Value box, enter the default value specified in the parameter description.

Important: Do not set the value that you want to use for a specific source. The value that you enter herewill be used for all sources defined using this connector so it must be set to the recommended defaultvalue. You will be able to change the value for each source later, in the Add Source and Source: ...General pages of the Administration Tool.

d. In the Label box, enter the label that you want to see for this parameter.

Example: To easily link the label to the hidden parameter, you can simply use the parameter name, andif applicable, insert spaces between concatenated words. For the BatchSize hidden parameter, enterBatch Size for the label.

4www.coveo.com 134



Note: To create multilingual labels and quick help messages, use the following syntax:<@ln>text</@>, where ln is replaced by the language initials—the languages of the AdministrationTool are English (en) and French (fr).

Example: <@fr>Chemin d'accès du fichier de configuration</@><@en>Configuration

File Path</@> is a label which is displayed differently in the French and English versions of theAdministration Tool.

Tip: The language of the Administration Tool can be modified by pressing the following key combination:Ctrl+Alt+Page Up.

e. Optionally, in Quick Help, enter the help text that you want to see for this parameter when clicking thequestion mark button that will appear beside the parameter value.

Tip: Copy and paste key elements of the parameter description.

f. When Predefined values is selected in the Type parameter, in the Value box that appears, enter theparameter values that you want to see available in the drop-down parameter that will appear in theAdministration Tool interface. Enter one value per line. The entered values must exactly match the valueslisted in the hidden parameter description.

g. Select the Optional parameter check box when you want to identify this parameter as an optionalparameter. When cleared, CES does not allow you to save changes when the parameter is empty. Thisparameter does not appear for Boolean and Predefined values parameter types.

h. Select the Sensitive information check box for password or other sensitive parameter so that, in theAdministration Tool pages where the parameter appears, the typed characters appear as dots to maskthem. This parameter appears only for the String type.

Example:When you select the Sensitive information check box for a parameter, the characters typedappear as follows in the text box:

i. Select the Validate as an email address check box when you want CES to validate that the text string thata user enters in this parameter respects the format of a valid email address. This parameter appears onlyfor the String type.

j. In the Maximum length box, enter the maximum number of characters for the string. This parameterappears only for the String type. When you enter 0, the length of the string is not limited.

k. Click Save.

6. Back in the Connector page, click Apply Changes.

The hidden parameter now appears in the Add Source and Source: ... General pages of the AdministrationTool for the selected source. You can change the parameter value from these pages. Refer to thedocumentation for each connector for details.

4www.coveo.com 135



Note:When you want to modify a hidden source parameter, you must first delete it, and then redefine it with themodified values.

4www.coveo.com 136



15. Configuring a .NET Search Interface Claims SSOCoveo .NET Front-End 12.0.1548+ (June 2016)

A Coveo .NET Front-End search page that resides outside SharePoint must authenticate the SharePoint end-userperforming the query to return SharePoint search results for which the end-user has read access in SharePoint. NoSharePoint results are returned for unauthenticated users.

The SharePoint integration of the Coveo .NET Front-End now includes the Coveo Front-End SSO Configurationpage allowing you to easily configure a Claims single sign-on (SSO) between one or more SharePoint WFEs andone or more Coveo .NET Front-End search pages hosted outside SharePoint.

The Coveo Front-End SSO Configuration page basically generates a Claims configuration string for a givenSharePoint WFE that you can simply copy and paste when configuring other SharePoint WFEs as well as yourexternally hosted Coveo .NET Front-End search pages.

Two methods are supported to retrieve claims from SharePoint:

l Via browser redirections

Note: Limited to one SharePoint server.

l Via web requests Coveo .NET Front-End 12.0.1633+ (September 2016)

Note: The web request has mainly three advantages over the method with browser redirections:

o No more blinking during the browser authentication redirection loop.

o Works well even if the search page is opened with the "localhost" hostname;

o Since the claims are stored in the ASP.NET session (on the web server) instead of in browser cookies(sent in every browser web requests), less network bandwidth is used, which improves the globalperformance.

To configure a .NET Search InterfaceClaimsSSO

1. Ensure that Coveo .NET Front-End 12.0.1548+ (June 2016) is installed on your SharePoint server (see"Installing the Coveo Web Service, Search Box, and Search Interface into SharePoint" on page 61).

Note: For previous Coveo .NET Front-End releases, you can use the manual method (see "ManuallyConfiguring a .NET Search Interface Claims SSO for an On-Premises SharePoint" on page 143).

a. Coveo .NET Front-End 12.0.1633+ (September 2016) When claims will be retrieved via web requests fromthe Coveo .NET Front-End server, enable ASP.NET sessions on the Coveo .NET Front-End server both inIIS Manager and in the web configuration file:

Note: If ASP.NET sessions are not enabled, an error message will be shown to administrators in thesearch page.

4www.coveo.com 137



a. With an administrator account, log into the Coveo .NET Front-End server.

b. Open IIS Manager (see How to: Open IIS Manager).

c. In IIS Manager:

i. In the left section, under Connections, select the search site.

ii. In the middle section, double-click the Session State icon.

iii. In the Session State window:

A. If the search page is accessed via an NLB address, select the State Server or SQL Serverradio button, and then configure the IIS session state accordingly (see Session State).

Notes:

l The goal is to have all the load-balanced Coveo Front-End servers to share all sessionstates.

l It is also valid to select the State Server and SQL Server radio buttons even without anNLB.

l If you have multiple Coveo Front-End servers in NLB, the session states must beenabled on each of the servers.

B. Under Cookie Settings, change the Time-out (in minutes) parameter value to at least 540(minutes).

Note: It is recommended to set the ASP.NET session timeout value to at least 9 hours, sothat each user avoids experiencing the claims SSO authentication delay (typically a fewseconds) more than once per work day.

iv. In the right section, click Apply.

d. In a text editor, open the Coveo .NET Front-End web configuration file (by default, C:\ProgramFiles\Coveo .NET Front-End 12\Web\web.config).

e. Set the enableSessionState attribute on the pages line to true.

Example: <pages enableSessionState="true" enableViewState="true" . . .>

2. Using a browser, go to the following URL on your SharePoint WFE server (or the first SharePoint WFE server inyour farm) for which you want to configure Claims SSO:

https://SharePointFrontEndServer/_layouts/CES/ClaimsIdentityProviderSetup.aspx

where you replace SharePointFrontEndServer by the hostname of your SharePoint server.

3. If an authentication dialog box appears, enter the credentials of a valid Windows identity to gain access to thepage.

4. In the Coveo Front-end SSO Configuration page:

4www.coveo.com 138


https://msdn.microsoft.com/en-us/library/bb763170.aspx

https://technet.microsoft.com/library/hh831780.aspx


a. Under Server Administration Settings, in the Username and Password boxes, enter the credentials of alocal administrator account on your SharePoint WFE server, and then click Login.

Note: The local administrator account used only needs to have write permissions on the local drive toallow saving the configuration performed in this page. The account does not have to be a SharePointFarm Administrator or have other SharePoint permissions.

The Claims SSO Configuration section appears when your credentials are valid.

b. The next steps depend on whether you are configuring only one SharePoint WFE (or the first SharePointWFE server) or any other WFE in your farm:

l When you configure your unique or first SharePoint WFE server:

i. Next to Input Method, select Specify the Coveo .NET Front-End search page address andgenerate a claims SSO configuration.

4www.coveo.com 139



ii. In the Identity Provider URL(s) box, validate and adjust as needed the hostname of yourSharePoint web application(s).

Notes:

o When your SharePoint farm contains a few SharePoint WFEs, which are accessed via anNLB address, the NLB address must be specified.

o Coveo .NET Front-End 12.0.1633+ (September 2016) You can specify more than oneidentity provider URLs when the Claims retrieval method is via web request from the Coveo.NET Front-End server (see Claims Retrieval Method).

o Coveo .NET Front-End 12.0.1548– (June 2016) Only one Identity Provider URL can bespecified.

When multiple SharePoint WFEs in the farm are load-balanced, enter the network load-balancer(NLB) address, in the following form:

http://SharePointFrontEndServer/_layouts/CES/ClaimsIdentityProvider.aspx

where you replace SharePointFrontEndServer with the server or NLB hostname.

4www.coveo.com 140



Notes:

o When the search page is in a web application different from the default one, you may needto add a path section such as in the following example:

https://SharePointFrontEndServer/webapp2/_layouts/CES/ClaimsIdentityProvider.aspx

o Coveo .NET Front-End 12.0.1633+ (September 2016) When configuring the Claims SSO ofa search page for more than one SharePoint webapp/farm (with more than one identityprovider), the Coveo Front-end SSO Configuration page must be opened and the settingsapplied on each SharePoint server to receive the SSO configuration.

iii. In the Search Page URL(s) box, enter the URL of one or more Coveo .NET Front-End searchpages in which you want authenticated users to be able to see their SharePoint results. Entereach URL on a separate line.

When multiple Coveo .NET Front-Ends are load balanced, enter the network load-balancer (NLB)address instead. When a unique search page can be reached through more than one URL, enterall its URLs starting with the preferred one.

iv. Coveo .NET Front-End 12.0.1633+ (September 2016) In the Claims Retrieval Method, select:

o Browser redirection: to make the Coveo .NET Front-End search page redirecting thebrowser to the identity provider page in SharePoint which will then redirect the browser backto the search page with the user's claims. Select this option if your SharePoint instance usesan Okta single sign-on, so that search page users can authenticate using their Oktacredentials (see Okta Identity Provider for SharePoint Connector).

o Web request from Coveo .Net Front-End server: to make the Coveo .NET Front-End webserver calling directly the identity provider page in SharePoint to retrieve the user's claims.

v. Click Apply Settings.

vi. In the Claims SSO Configuration to Export box that fills with a long Claims configuration string,copy the string (to the clipboard) that you will paste in the configuration page of other SharePointWFE and Coveo .NET Front-End servers.

OR

l When you configure another SharePoint WFE server:

i. Next to Input Method, select the Import the claims SSO configuration from another SharePointWFE server radio button.

Note: CES 7.0.8388– (June 2016) The option name is Import the claims SSO configurationfrom another SharePoint WFE server in the same farm.

In the Claims SSO Configuration to Import box, paste the Claims configuration that yougenerated for the first SharePoint WFE server.

4www.coveo.com 141



ii. Click Apply Settings.

5. In your farm, repeat the previous steps for any other SharePoint WFE for which you want to configure theClaims SSO.

6. For each Coveo .NET Front-End that you listed in the Search Page URL(s) box:

a. Go to its Front-End Server Configuration page and use the Claims SSO for SharePoint Settings sectionto paste and import the Claims configuration (see Coveo .NET Front-End First Time Setup).

b. After applying the settings, validate that the authenticated users can see their SharePoint items in thesearch results.

7. Coveo .NET Front-End 12.0.1633+ (September 2016) When you selectWeb request from Coveo .Net Front-End server as the Claims retrieval method, open the search page and if you get the following error, you mayhave to enable the Windows authentication delegation from the Coveo .NET Front-End server to theSharePoint WFE server(s):

Error calling the claims identity provider page: System.Net.WebException: The remote

server returned an error: (401) Unauthorized.

4www.coveo.com 142



16. Manually Configuring a .NET Search Interface ClaimsSSO for anOn-Premises SharePointA Coveo .NET Front-End search interface that resides outside SharePoint must authenticate the SharePoint end-user performing the query to return SharePoint search results for which the end-user has read access inSharePoint. No SharePoint results are returned to unauthenticated users.

Note: Coveo .NET Front-End 12.0.1548+ (June 2016) The procedure described in this topic is no longer neededwith the new Coveo Front-end SSO Configuration page.

This topic describes how to configure both your SharePoint server and your Coveo .NET Front-End to provide asingle sign on (SSO) solution and automatically authenticate Claims end-users in a Coveo .NET search interfacethat reside outside SharePoint.

You can provide this seamless experience to end-users searching for secured content indexed from Claims-enabled SharePoint web applications using Windows authentication (NTLM) even when your SharePointenvironment does not use the Windows Identity Foundation (WIF).

How itWorks

The Coveo SSO solution uses browser redirections similar to what the Windows Identity Foundation (WIF) does toauthenticate users with Claims-aware web applications:

l A user accesses the Coveo .NET search interface with a browser.

l When the Coveo SharePoint Claims cookie is not available or expired, the Coveo search interface web appredirects the browser to a Coveo deployed specific web page on the SharePoint server.

l This SharePoint web page uses NTLM or Kerberos so it can retrieve the full Claims identities of the user orotherwise prompts the user to login to SharePoint.

l The SharePoint web page encrypts, packages, and sends the Claims back to the Coveo search interface webapp.

l The Coveo search interface web app receives the user Claims package, creates the cookie, and reloads theCoveo search interface page.

l The user now has the full Claims identities to perform his queries.

l The round trip may or may not be noticeable depending on your environment.

HTTPS VersusHTTP

You can configure Claims SSO for both secure (HTTPS) and non-secure (HTTP) connections. When a Coveosearch page or a SharePoint web application can be accessed from outside a firewall (Internet), HTTPS isrecommended. When Coveo and SharePoint servers can be accessed only from client machines running behindthe same firewall, both HTTP and HTTPS are good options. The examples presented in this topic arbitrarily showHTTPS connections.

4www.coveo.com 143



When the claims authentication is enabled between a Coveo Front-End and a SharePoint web application, tokensare exchanged between both servers. A token basically contains the user identity, but never contains passwords orother sensitive information. The tokens are encoded, compressed, and signed, to prevent an eventual hacker fromaltering and using them illegitimately.

Note: Coveo .NET Front-End 12.0.614 to 12.0.844 (February to June 2014) Claims SSO can be configured onlyfor secure (HTTPS) connections.

16.1 SharePoint Server Configuration

Note:When you have more than one SharePoint front-end server in your SharePoint farm, you must perform thefollowing procedure for each SharePoint front-end server.

1. Ensure that your environment meets the following requirements:

l SharePoint 2013/2010 (on-premises)

l SharePoint server web application configured in Windows Claims (NTLM or Kerberos)

l Coveo .NET Front-End 12.0.614+ (February 2014)

2. Using an administrator account, connect to the operating system of your SharePoint front-end server.

3. If not already done, deploy the Coveo integration in your SharePoint web application to ensure that at least theSharePoint Web Service option is installed (see "Installing the Coveo Web Service, Search Box, and SearchInterface into SharePoint" on page 61).

4. On the first front-end server of your SharePoint farm, create two empty files that will be filled with the private andpublic communication signing keys.

Note: The private and public keys are generated by the front-end server at the first use. You can easilyregenerate new keys simply by deleting the original key files and recreating these two empty files.

On other front-end servers of your SharePoint farm, rather paste a copy of these filled files (do not copy theempty files) to ensure that all front-end servers use the same public and private key files.

Example: The files could be:

l C:\Program Files\Coveo .NET Front-End

12\Web\ClaimsAuthenticationKeys\ClaimsAuthenticationPublicKey.bin

l C:\Program Files\Coveo .NET Front-End

12\Web\ClaimsAuthenticationKeys\ClaimsAuthenticationPrivateKey.bin

Important: Protect your private key file once it is created. This file should never be shared nor sent via email.Anyone that can access this key could use it to create his own Claims and be able to gain access to allSharePoint documents from CES.

5. Right-click the key file folder and then use its Properties to ensure that the application pool identity running the

4www.coveo.com 144



web application where Coveo is integrated has read and write access to the key files.

6. Using a text editor:

a. Open the web.config file of the SharePoint web application site.

Example: The file is typically:

C:\inetpub\wwwroot\wss\VirtualDirectories\12345\web.config

b. Under coveoEnterpriseSearch, if not already present, add a claimsAuthentication section, ensureit includes the following attributes, and then update the attributes values according to your setup:

l identityReceiverUrl="https://YourCoveoFrontEnd/ClaimsIdentityReceiver.aspx"

l identityProviderPrivateKeyPath="PathToPrivateKey"

l identityProviderPublicKeyPath="PathToPublicKey"

Example: The claimsAuthentication section looks like:

<claimsAuthenticationidentityReceiverUrl="https://YourCoveoFrontEnd/ClaimsIdentityReceiver.aspx"identityProviderPrivateKeyPath="C:\Program Files\Coveo .NET Front-End12\Web\ClaimsAuthenticationKeys\ClaimsAuthenticationPrivateKey.bin"identityProviderPublicKeyPath="C:\Program Files\Coveo .NET Front-End12\Web\ClaimsAuthenticationKeys\ClaimsAuthenticationPublicKey.bin" />

c. Coveo .NET Front-End 12.0.1459+ (March 2016) When the search page is accessed via a Network LoadBalancing (NLB) IP address, just before </coveoEnterpriseSearch>, you may have to add theassumedHttpRequestUrlScheme option in the following format:

<options assumedHttpRequestUriScheme="value" />

replacing value by either http or https.

Important: If missing, you must add the following element before the closing sectionGroup tag(</sectionGroup>) for the assumedHttpRequestUrlScheme option to be supported:

<section name="options" type="System.Configuration.SingleTagSectionHandler,System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

Notes:

l When the option is present, the .NET UI assumes that the search page is always opened using thespecified scheme. Otherwise, the .NET UI assumes IIS detects the right scheme.

l You may also have to add the option in the Coveo .NET Front-End web.config file (see Coveo.NET Front-End Server Configuration).

l You can use this option when troubleshooting theCoveo.CES.Web.Search.Security.ClaimsIdentityException: Attempt to retrieve a

token in HTTP without supplying the main identity. error.

4www.coveo.com 145



Example: Your IIS site is configured to switch automatically in HTTPS if a browser tries to open thesearch page in HTTP, so you add (<options assumedHttpRequestUriScheme="https" />).

d. If more than one standalone Coveo Front-End server use this SharePoint web application as their identityprovider or if the standalone Coveo front-end server can be reached from multiple URLs, in the<identityReceivers> subsection, configure each one to allow them to retrieve the cookie.

Example:

<claimsAuthenticationidentityReceiverUrl="https://DefaultCoveoFrontEnd/ClaimsIdentityReceiver.aspx"identityProviderPrivateKeyPath="PathToPrivateKey"identityProviderPublicKeyPath="PathToPublicKey"><identityReceivers><add domain="CoveoFrontEnd1" url="https://CoveoFrontEnd1/ClaimsIdentityReceiver.aspx" /><add domain="CoveoFrontEnd1DifferentUrl"

url="https://CoveoFrontEnd1DifferentUrl/ClaimsIdentityReceiver.aspx" /><add domain="CoveoFrontEnd2" url="https://CoveoFrontEnd2/ClaimsIdentityReceiver.aspx" />

</identityReceivers></claimsAuthentication>

Notes:

l Coveo .NET Front-End 12.0.777+ (May 2014) The <identityProviders> subsection is supported.

l You should also leave a working identity receiver URL in the <claimsAuthentication> sectionthat will be used when the user comes from another domain.

e. Save the file.

7. Using a browser, access to the URL of the following form to test your setup:

https://YourSharePointSite/_layouts/CES/ClaimsIdentityProvider.aspx?debug=1

You should see a web page that contains various claims information. You should not see errors. The privateand public key files should now be filled with the new key data.

8. At this point, if you want, you can remove the write access of the web application pool identity to the key filespath.

16.2 Coveo .NET Front-End Server Configuration

Note:When you have more than one Coveo Front-End server in your Coveo deployment, you must perform thefollowing procedure for each Coveo Front-End server.

1. Using an administrator account, connect to the operating system of your Coveo .NET Front-End server.

2. Copy the public key file created on your SharePoint front-end server and paste it to the Coveo Front-Endserver.

4www.coveo.com 146



Example: On the Coveo .NET Front-End server, you can copy the file to:

C:\Program Files\Coveo .NET Front-End

12\Web\ClaimsAuthenticationKeys\ClaimsAuthenticationPublicKey.bin

Note: The public key file does not have to be secured like the private key file. It can safely be shared on a fileshare or sent by email.


a. Open the Coveo .NET Front-End web.config file.

Example: The file is typically:

C:\Program Files\Coveo .NET Front-End 12\Web\Web.config

b. Under coveoEnterpriseSearch, if not already present, add a claimsAuthentication section, andensure it includes the following attributes, and then update the attributes values according to your setup:

l identityProviderUrl="https://YourSharePointSite/_

layouts/CES/ClaimsIdentityProvider.aspx"

l identityValidatorPublicKeyPath="PathToPublicKey"

Example: The claimsAuthentication section looks like:

<claimsAuthentication identityProviderUrl="https://YourSharePointSite/_layouts/CES/ClaimsIdentityProvider.aspx" identityValidatorPublicKeyPath="C:\ProgramFiles\Coveo .NET Front-End 12\Web\ClaimsAuthenticationKeys\ClaimsAuthenticationPublicKey.bin"/>

c. Coveo .NET Front-End 12.0.1459+ (March 2016) When you add the assumedHttpRequestUrlSchemeoption in the web.config file of the SharePoint web application site, just before</coveoEnterpriseSearch>, specified the same option and value.

Example: Your IIS site is configured to switch automatically in HTTPS if a browser tries to open thesearch page in HTTP, so you add (<options assumedHttpRequestUriScheme="https" />).

d. If not already present, as shown in the following file sample, add the Coveo.CES.Web.Search.Securitynamespace.

<configuration><system.web><pages><namespaces>...<add namespace="Coveo.CES.Web.Search.Security" />...

</namespaces></pages>

</system.web></configuration>

4www.coveo.com 147



Note: CES 7.0.6339– (January 2014) You need at least two CES upgrades subsequent to theCES 7.0.6424 (February 2014 monthly release) or a fresh install of the Coveo .NET Front-End to see theCoveo.CES.Web.Search.Security namespace.

e. Save the file.

4. Using a browser, access your Coveo .NET search interface using the real hostname of the server, notlocalhost.

Example: The Coveo .NET search interface page URL is typically:

https://YourCoveoFrontEndServer/

The first time you access the .NET search interface with a given browser, a security cookie is created (see "Howit Works" on page 143).

Note:When your SharePoint server is configured to prompt the users for a password, the user will have toenter its SharePoint password in the process.

5. Perform the first-time setup to configure the Coveo .NET Front-End (see "Coveo .NET Front-End First TimeSetup" on page 74).

6. In the Coveo .NET search interface, verify that you have access to all your secured SharePoint documents.When the scope of the .NET search interface includes non-SharePoint content, also verify that you have accessto this content.

4www.coveo.com 148



17. Configuring the Claims-Aware Coveo Search ApplicationThis topic describes how to set up a Coveo search application to allow a seamless experience for Coveo end-userssearching for secured content indexed from Claims-Enabled SharePoint web applications. A Claims-aware Coveosearch application allows Claims-authenticated users to not have to log in to the Coveo .NET search interfaceoutside of SharePoint to see search results matching their Claims.

Note: A better SSO solution that works with or without ADFS is now available (see "Manually Configuring a .NETSearch Interface Claims SSO for an On-Premises SharePoint" on page 143).

Requirements:

l SharePoint web applications must be using ADFS 2.0 as a Trusted Identity Provider.

l Configuration will be required on the ADFS server used by SharePoint in order for Coveo search users to beauthenticated by ADFS.

l The Coveo SharePoint web service must be installed on your SharePoint server (see "Installing the CoveoWeb Service, Search Box, and Search Interface into SharePoint" on page 61).

Limitation:

l Claims-Based SharePoint web applications using Windows authentication (NTLM or Kerberos) will still requireusers to enter their Windows credentials in the Coveo Search prior to the initial search.

The procedure consists of the following steps:

l "Step 1: Enabling Claims Authentication on the Coveo Search Site" on page 149

l "Step 2: Creating the Coveo Relying Party Trust" on page 151

l "Step 3: Editing Claims Rules for the Coveo Relying Party Trust" on page 151

l "Step 4: Editing Claims Rules for the SharePoint Relying Party Trust" on page 152

l "Step 5: Configuring the Coveo Service Account for ADFS Identity Delegation" on page 152

l "Step 6: Performing the First-Time Setup on the Coveo Search Site" on page 153

17.1 Step 1: Enabling Claims Authentication on the Coveo Search SiteEnabling Claims authentication on a search site consists mainly in modifying the web.config file of the searchwebsite using the FedUtil.exe tool that comes with the Windows Identity Foundation (WIF) SDK.

1. Using an administrator account, login to the Coveo Front-End server.

2. In IIS, add an HTTPS binding to Coveo .NET Front-End web site.

3. Download and install the WIF SDK for Microsoft .NET Framework 3.5 (see Windows Identity Foundation SDK).

4www.coveo.com 149


http://www.microsoft.com/en-ca/download/details.aspx?id=4451


Note:WIF is included in Microsoft .NET Framework 4.5, but currently, Coveo assemblies rely on the Microsoft.NET Framework 3.5.

4. Start FedUtil.exe that is typical in C:\Program Files (x86)\Windows Identity Foundation

SDK\v3.5\.

Note: For the details on the FedUtil.exe tool refer to the Microsoft documentation (see Establishing Trustfrom an ASP.NET Relying Party Application to an STS using FedUtil).

a. In the first screen, specify the path to the web.config file (by default: C:\Program Files\Coveo .NET

Front-End 12\Web\) and the URL to the search page with a slash at the end (ex.:https://machinename/).

b. In the second screen:

i. Select the Use an existing STS option and then specify the URL of the federation metadata document(ex.: https://adfs01.mycompany.com/FederationMetadata/2007-06/FederationMetadata.xml).

ii. Click Test location to validate that the URL is valid.

c. In the third screen, select the option that corresponds to whether certificate chain validation should beenabled or not.

d. In the next screen, select the option that corresponds to whether security tokens should be encrypted ornot.

e. In the next screen (claim list), click Next.

f. In the final screen, click Finish.

Note: The important file to configure the trust relationship in ADFS is: [coveo_web_site_folder]\FederationMetadata\2007-06\FederationMedatada.xml

5. In Internet Information Services (IIS) Manager:

a. Ensure that theWindows Authentication is enabled on the search site by clicking the site in the tree viewto the left, and then > IIS > Authentication.

You may need to disable all the other authentication methods for Claims authentication to work.

b. For Claims authentication to work, the application pool pipeline mode must be Integrated (not Classic).Ensure that the website is using an application pool that is configured correctly. Either modify theapplication pool (if only the Coveo search site is using it) or create a new application pool and make thewebsite using it:

i. Click the site in the tree view to the left > Basic Settings.

ii. Click Application Pools almost at the top of the tree view to the left > click on the application pool inthe list > Basic Settings.

4www.coveo.com 150


http://msdn.microsoft.com/en-us/library/ee517285.aspx

http://msdn.microsoft.com/en-us/library/ee517285.aspx


Important: In IIS, the searchAdmin site under Coveo .NET Front-End 12 corresponds to the .NET searchinterface and by default shares the CESAppPool Front-End application pool with the Coveo .NET Front-End 12 site (the search page). The application pool pipeline mode must stay to Classic for the searchAdminsite (the .NET search interface) to work, otherwise a user will get the following message when trying to accessthe .NET search interface:

Server Error in Application "COVEO .NET FRONT-END 12/SEARCHADMIN"

HTTP Error 500.24 - Internal Server Error

An ASP.NET setting has been detected that does not apply in Integrated managed

pipeline mode.

The solution is to create another application pool, assign it to the searchAdmin site, and ensure theapplication pool pipeline mode is set to Classic.


a. Open the web.config file.

b. Under <microsoft.identityModel>, locate the <service> tag.

c. Add the "saveBootstrapTokens" attribute as follows:

<microsoft.identityModel><service saveBootstrapTokens="true">

17.2 Step 2: Creating the Coveo Relying Party Trust1. Login to the ADFS server which is used as an Identity Provider by SharePoint, hereafter called the Identity

Provider ADFS server.

2. Launch AD FS 2.0 Management Console.

3. Select AD FS 2.0 > Trust Relationships.

4. Right-click Relying Party Trusts and then select Add Relying Party Trust.

5. In the new window, select the Import data about the relying party from a file option.

6. Select the FederationMetadata.xml file that was previously obtained in Step 1, and then click Next.

7. Enter a Display Name such as Coveo Claims-Aware Search Site, and then click Next.

8. Select Permit all users to access this relying party, and then click Next.

9. Validate settings on the final page and then click Next to create the new Relying Party Trust.

17.3 Step 3: Editing Claims Rules for the Coveo Relying Party Trust1. Select AD FS 2.0 > Trust Relationships.

2. Right-click the Coveo Relying Party Trust and then select Edit Claim Rules.

3. Under Issuance Transform Rules:

4www.coveo.com 151



a. Create a new Pass Through or Filter Incoming Claims rule.

i. Name = Pass through Windows Account

ii. Incoming Claim Type = Windows Account Name

iii. Pass through all claims values = true

b. Click Finish.

4. Under Issuance Authorization Rules, ensure a Permit Access to All Users rule exists, if not create one.

17.4 Step 4: Editing Claims Rules for the SharePoint Relying Party Trust1. Select AD FS 2.0 > Trust Relationships.

2. Right-click the SharePoint Relying Party Trust, and then select Edit Claim Rules.

3. Under Issuance Authorization Rules, ensure a Permit Access to All Users rule exists, if not create one.

4. Under Delegation Authorization Rules, add a new Permit Access to All Users rule or choose to permit aspecific user.

5. Under Issuance Transform Rules, for each existing rules of the Relying Party Trust and the Claims ProviderTrust:

a. Click Edit Rule > View Rule Language.

b. If the rule language does not contain a check for Issuer == "AD AUTHORITY", skip to the next existingrule, otherwise keep going.

c. Copy the rule language.

d. Close the Edit window for the current Rule.

e. Create the new Relying Party Trust rule using the copied rule language:

i. Click Add Rule > Send Claims Using a Custom Rule.

ii. Paste the rule language and replace AD AUTHORITY by SELF AUTHORITY.

17.5 Step 5: Configuring the Coveo Service Account for ADFS IdentityDelegation1. Log on to Coveo Back-End server.

2. Open the Coveo Administration Tool.

3. Select Configuration > Security > Security Providers, and then click the Claims for SharePoint On-premisessecurity provider that is used to authenticate to ADFS.

4. In the User Identity box, add the identity of any Windows account that can be used to authenticate to ADFS.

4www.coveo.com 152



Note: This account does not require any special permissions on the ADFS server, it is only used to connect toADFS when performing delegated authentication.

17.6 Step 6: Performing the First-Time Setup on the Coveo Search SitePoint your browser to the Coveo search site. If the site has been properly configured for Claims, the browser shouldnow be redirected automatically to the ADFS authentication site, then back to the search site, and then to the first-time setup page.

In the first-time setup page (see "Coveo .NET Front-End First Time Setup" on page 74), ensure to fill the options inthe Claims section correctly by selecting the claim type that contains the Windows identity(ex.: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname). Uponcompletion, the Claims options are saved in the web.config file.

Back to the search page, execute a query. In an interface showing results from a Claims-authenticated source suchas SharePoint, results should now show up. In the same manner, queries in the All Content interface should nowinclude results from the Claims-authenticated source.

4www.coveo.com 153



18. Configuring SharePoint Search ScopesCoveo .NET Front-End 12.0.960+ (September 2014)

SharePoint 2016 (Coveo .NET Front-End 12.0.1633+ (September 2016)), 2013, and 2010 allow SharePointadministrators to define search scopes to allow users to choose to limit their searches to certain criteria such aslocations or content marked with particular property values (see Microsoft article Define scopes for searches).

A SharePoint site administrator can define SharePoint scopes even with limited access to SharePoint front-endservers. SharePoint scopes are saved directly in the SharePoint database at the site collection level. Along with thescopes themselves, a default scope configuration can be created at the site collection level. SharePoint scopes aresent to the CES index at query time, as query expressions. Because SharePoint scopes exist only in SharePoint,they can only be used from inside SharePoint pages. A Coveo search page not integrated to SharePoint cannotuse them.

Note: The support for SharePoint scopes is different from the Coveo search scope that are defined on the CoveoMaster server and used in Coveo .NET Front-End user interfaces. An administrator managing Coveo searchscope must have access to Coveo Administration Tool and the Coveo .NET Front-End Interface Editor.

Functionally speaking, SharePoint scopes behavesimilarly to Coveo search scopes. In SharePoint, theyappear in the scope drop-down list beside the Coveosearch box and in the Search In facet in the resultspage. When a user selects a SharePoint scope,documents are filtered in or out according to theSharePoint scope configuration.

To configure SharePoint Search Scopes

1. Ensure that Coveo .NET Front-End version 12.0.960+ (September 2014 monthly release) is installed on yourSharePoint server (see "Installing the Coveo Web Service, Search Box, and Search Interface into SharePoint"on page 61).

2. Access SharePoint with a site administrator account.

3. In any SharePoint page containing a Coveo search

box, click the gear icon next to the search box,and then select one of the following options:

4www.coveo.com 154


http://office.microsoft.com/en-ca/sharepoint-server-help/define-scopes-for-searches-HA010241119.aspx#BMha10241119_secmanagescopes


l Current site collection's scopes to define or modify the default site collection scopes used by default byevery site.

l Current site's scopes ([SiteName]) to define a scope configuration applicable only to the current site([SiteName]), overriding the inherited default.

Notes:

l Alternately, in a Coveo .NET Front-End searchinterface integrated in SharePoint, from the Domore menu, you can select the same options.

l The gear icon and the Domore menu Currentsite collection's scopes option are not availableto non administrator users.

4.

In the Search Scopes (Site Collection Default) orSearch Scopes (Current Site) dialog box, you canperform various actions.

l To use default scopes for a specific site, select the Use default scopes (site collection) option.

l To specify which scopes are available to end-users, in the Name column, select the checkbox in front ofthe scope(s) names to make available.

l To specify the default scope, in the Default column, select the appropriate scope.

l To make selected scopes visible to end-users:

4www.coveo.com 155



o Select the Show scope selector drop-down nextto search box option to make scopes availablein SharePoint from a list next to the search box.

Note: By default, the following standard scopes are not included in the scope selector drop-down:All SharePoint, Current SharePoint site, Current SharePoint top level site, All Results, and all thesearch scopes defined in the Administration Tool.

To include these scopes in the scope selector drop-down, you must edit the SearchBox.ascx file ofthe SharePoint skin:

a. With an account that has administrator rights, access the SharePoint server.

b. Open the SearchBox.ascx file with a text editor.

Depending on your SharePoint version, the file is located in C:\Program Files\Coveo .NET

Front-End 12\Web\Coveo\Skins\SharePoint 2010 or in C:\Program Files\Coveo

.NET Front-End 12\Web\Coveo\Skins\SharePoint 2013.

c. Remove the following method from the file:

protected override void OnInit(EventArgs p_Args){

ISearchBox sb = Parent.Parent as ISearchBox;if (sb != null) {

sb.ShowStandardScopes = false;}base.OnInit(p_Args);

}

d. Save the file.

o Select the Show scope selector facet in searchinterface option to make scopes available in theSearch In facet of a Coveo .NET Front-Endsearch interface integrated in SharePoint.

l To create a new scope or edit an existing one:

Click Create Scope to create a new scope or click the Edit Scope icon to edit an existing one, and thenin the Search Scope Modification dialog box, configure the scope:

4www.coveo.com 156



a. In the Name box, enter a meaningful name for the scope. End-users will see this name in the lists ofavailable SharePoint scopes.

b. In the Description box, optionally enter a description for the scope. This information is only visible toadministrators.

c. Click Add Rule when you want to add a new rule to the scope.

d. In the Rules list, for each rule:

i. In the first column, select one of the available rule types:

o Web Address

A web address rule is used to restrict the scope to only search from a specific SharePointserver part.

Example: You enter https://intranet.mycompany.com/HumanResources/ to create ascope restricted to human resources content.

o Field

A field rule is used to match the documents for which a given field has a specific value. In afield rule, you can only use fields for which the Include for field queries option is selected inthe Administration Tool. While you type the field name, an auto completion pop up windowsuggests the available field names matching typed characters.

Example: A scope with the following field rule would return only PDF files.

@sysfiletype = pdf

o Free Text

The free text rule value is added as-is to the query sent to the index. Only documentscontaining the entered keywords are returned. If more than one word is specified, only thedocuments that contain all the words are returned.

4www.coveo.com 157



The free text rule can be particularly useful to enter more complex queries using variousquery syntax elements.

Example: A scope with the following query, using fields and a Boolean operator, wouldreturn only PDF files from the Engineering site.

@sysspsitename="Engineering" AND @sysfiletype="pdf"

ii. In the middle column of the list, enter or select appropriate values for the rule type.

iii. In the second-to-last column, select the action determining how each rule combines with others toform the final scope:

o Require (AND)

Use this action to narrow search results to documents matching the rule criteria.

o Include (OR)

Use this action to expand search results by adding documents matching the rule criteria.

o Exclude (NOT)

Use this action to narrow search results by excluding documents matching the rule criteria.

iv. Click the Delete Rule icon to delete a rule from the scope.

e. Click Save to save your scope configuration.

l To delete an existing scope, click the Delete Scope icon for the scope.

l Click Apply to make your search scope changes effective.

4www.coveo.com 158



19. Integrating the Coveo .NET Search Box inMy Site forSharePoint 2013 and 2016You can replace the Microsoft search box by the Coveo .NET search box for the My Site pages. On eachSharePoint 2013 and 2016 front-end server, perform the following procedure to edit the template that applies thechanges to the My Site page for all users.

To integrate theCoveo .NET search box in all MySite pages

1. Using an administrator account, log in to the SharePoint 2013 or 2016 front-end server.

2. Enable the Coveo Search Box feature for the My Site pages (see "Activating or Deactivating the Coveo .NETSearch Box in a SharePoint Site" on page 67).

Note: Enabling the Coveo Search Box feature from My Site will not enable it for other pages.

Example: To replace the search boxes in the Home page, you must enable the Coveo Search Box featurewhen you click on the Site Setting while being on the Home page.

With SharePoint 2013, enabling the Coveo Search Box feature will unfortunately not be enough to replace allthe Microsoft default search boxes in My Site. You also need to modify three files as described in the followingsteps.

3. Using a text editor, open the C:\Program Files\Common Files\Microsoft Shared\Web Server

Extensions\15\TEMPLATE\FEATURES\MySiteUnifiedNavigation\mysite15.master file, and then:

a. At the beginning of the file, after the last existing <%@ Register TagPrefix="... line, add the followingline:

<%@ Register TagPrefix="cessp" Namespace="Coveo.CES.Web.Search.SharePoint.Controls"Assembly="Coveo.CES.Web.Search.SharePoint, Version=12.0.0.0, Culture=neutral,PublicKeyToken=44110d16825221f2" %>

b. Towards the end of the file, replace the following code segment:

<div id="searchInputBox"><SEARCHWC:SearchBoxScriptWebPart runat="server" id="searchInputBox"DefaultDropdownNodeId="1001" ServerInitialRender="true" UseSharedSettings="true"ChromeType="none" EmitStyleReference="false"/></div>

with the following code segment:

<div id="searchInputBox"><cessp:SharePointSearchBox runat="server" />

</div>

c. Save the file.


Extensions\15\TEMPLATE\SiteTemplates\SPSMSITEHOST\default.aspx file (default location), andthen:

4www.coveo.com 159






<div id="searchInputBox" class="ms-mpSearchBox ms-mysite-searchBox"><SEARCHWC:SearchBoxScriptWebPart runat="server" id="searchInputBox"

DefaultDropdownNodeId="1003" ServerInitialRender="true" UseSharedSettings="true"ChromeType="none" EmitStyleReference="false"/><SPSWC:MySiteSearchBoxDefaultOverride DefaultId="1003" runat="server" />

</div>


<div id="searchInputBox" class="ms-mpSearchBox ms-mysite-searchBox"><cessp:SharePointSearchBox runat="server" />

</div>

c. Save the file.


Extensions\15\TEMPLATE\FEATURES\SocialDataStore\SocialDataStoreList\sites.aspx file(default location), and then:




<div class="ms-contentFollowing-searchBox ms-tableCell ms-verticalAlignTop"><SEARCHWC:SearchBoxScriptWebPart runat="server" id="searchInputBox"

DefaultDropdownNodeId="1001" ServerInitialRender="true" UseSharedSettings="true"ChromeType="none" EmitStyleReference="false"/></div>


<div class="ms-contentFollowing-searchBox ms-tableCell ms-verticalAlignTop"><cessp:SharePointSearchBox runat="server" /></div>

c. Save the file.

6. Reload the My Site page of a user to verify that the Coveo search box is now appearing in the top navigationsection of the page.

7. Repeat the procedure for each SharePoint 2013 or 2016 front-end server.

4www.coveo.com 160

Documents

Coveo Platform7.0 - Microsoft SharePoint Connector Guidedownload.coveo.com/onlinehelppdfs/CES70-Microsoft... · 2019-01-07 · CoveoPlatform7.0|MicrosoftSharePointConnectorGuide 14.1ModifyingHiddenMicrosoftSharePointSourceParameters