The Google Appliance and Forms Authentication


I’ve been working with a client to implement the Google Appliance on one of their sites that has forms authentication enabled.

For those of you who aren’t aware, Google provides a box that you can install to index your own site using essentially the same logic that Google uses to index the Internet.  The advantage is that you have a lot more control over what gets indexed and when it gets indexed than if you just use what Google provides from its public index of the Internet.

The problem we had was that Google is not particularly fond of ASP.NET Forms Based authentication.  We had a contact at Google who was supposed to help us get this working, but it just doesn’t.

What made our implementation even trickier, and worth pursuing the Google way, was that depending on who you are you shouldn’t be able to see some of the content.  So it wasn’t just a matter of getting the site indexed; the results had to be different depending on who was logged in.  We got past this by just indexing the site into a different database for each type of user.  We switch which database we look at based on the role of the user.

But there was still the matter of getting the index built in the first place.  We had tried providing an alternate form that Google could use, but for whatever reason, that didn’t seem to work.

What we ended up doing was setting a cookie at the Google Appliance that the site would look at during the request process, specifically during the Application_AuthenticateRequest event.  I put the code in the Global.asax file, but you can create a handler for it if you want.

Here’s the code:

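void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // "CrawlerCookieName" is a placeholder: the cookie name is missing from the page.
    HttpCookie o = Request.Cookies["CrawlerCookieName"];
    if (o != null)
    {
        // Treat the cookie value as the authenticated user name.
        System.Security.Principal.GenericIdentity id =
            new System.Security.Principal
                .GenericIdentity(o.Value);
        Context.User =
            new System.Security.Principal
                .GenericPrincipal(id, null);
    }
}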

All this does is look for the cookie and set the current user name to the value that is in the cookie.  This is enough for .NET forms authentication to think the user is logged in.

Our role information is retrieved using a property in a class so in the code that looks to see what role the user is a part of, we look at the username and hard wire the role based on that user.
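
Because the handler above takes the user name straight from the cookie, any client that sends that cookie is treated as that user. The variant below is an added example, not code from the original post: it accepts the cookie only from the appliance's address, only with a valid HMAC, and only for the dedicated crawl accounts that the role lookup is hard-wired to. The cookie name, the address 192.0.2.10, the account names, the cookie format and the CrawlerCookieKey setting are all placeholders assumed for illustration.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Placeholders (assumptions): cookie name, appliance address, crawl accounts, key setting.
    const string CookieName = "CrawlerCookieName";
    static readonly IPAddress Appliance = IPAddress.Parse("192.0.2.10");
    static readonly string[] CrawlUsers = { "crawl-public", "crawl-member" };

    static string Sign(string user, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(user)));
    }

    // Cookie value format (constructed for this example): "<user>|<base64 HMAC-SHA256 of user>".
    public static string Issue(string user, byte[] key) { return user + "|" + Sign(user, key); }

    // Returns a principal only for a signed, allow-listed crawl account sent by the appliance.
    public static IPrincipal Validate(string value, string remoteAddr, byte[] key)
    {
        IPAddress ip;
        if (value == null || !IPAddress.TryParse(remoteAddr, out ip) || !ip.Equals(Appliance))
            return null;
        int sep = value.LastIndexOf('|');
        if (sep <= 0) return null;
        string user = value.Substring(0, sep);
        string got = value.Substring(sep + 1), want = Sign(user, key);
        int diff = got.Length ^ want.Length;              // constant-time comparison
        for (int i = 0; i < got.Length && i < want.Length; i++) diff |= got[i] ^ want[i];
        if (diff != 0 || !CrawlUsers.Contains(user)) return null;
        return new GenericPrincipal(new GenericIdentity(user, "CrawlerCookie"), null);
    }

    void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie o = Request.Cookies[CookieName];
        if (o == null) return;                            // normal forms authentication applies
        byte[] key = Convert.FromBase64String(ConfigurationManager.AppSettings["CrawlerCookieKey"]);
        // UserHostAddress is the direct peer; behind a reverse proxy it is the proxy's address.
        IPrincipal p = Validate(o.Value, Request.UserHostAddress, key);
        if (p != null) Context.User = p;
    }
}
```

Issue() is run once, offline, to produce the value that is then configured as the crawl cookie on the appliance; the key itself stays on the web server.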

Hope this helps someone else save some time implementing this.

Other places talking about Forms Authentication and the Google Appliance

Google Search Appliance Secure Content Serving Issue – The box sends a HEAD request for NTLM (and GET request for form authentication) and gets the authorization result by that. We sent a cURL request to the box using the following command: curl -I -G --ntlm -u "NTLM Username:NTLM Password" …

Writing an AJAX Google Search Appliance Connector – Part 1: PHP … – However, this has an adverse side effect when you want to use security trimming because you have to establish kerberos trusts or pass forms authentication cookies or redirects to SAML interfaces. I’m interested in seeing part 2. …

ASP.NET Site – Forms Authentication with Google Search Appliance – The Google Search Appliance says it supports forms authentication. Does anyone know if I should buy a Single Sign On product to use forms authentication with the search? # Solution 1. Our team did a thorough analysis of the search …

Google Search Appliance: Benefits for enterprise content … – Integrate with LDAP, NTLM, Windows Integrated Authentication, forms-based single sign-on security systems, including Oracle Access Manager and CA SiteMinder, to enable seamless secure searching. Perficient has been a Google Enterprise …

Google Search Appliance @ Google « Netwiz – Blog – Security – With security in mind, Google is currently even looking at Novell's blackbox authorization! Active Directory (AD), LDAP, forms authentication and various other authorization systems are, by default, …
