Windows authentication and trust delegation
In order for document level security to work, it is necessary for the search server to pass the user credentials that it has obtained onto the server from which the documents are retrieved from (a fileshare, a TRIM server, etc.) in order to check against the relevant security information. Windows explicitly disallows this when using Integrated Windows Authentication, unless the search server has been allowed to delegate credentials.
Please note that only Kerberos and Basic authentication permit delegation. NTLM doesn't permit credential delegation. If using Basic HTTP Authentication it is highly recommended that the search interface also be set up to use SSL encryption because without this, passwords will be sent across the network in the clear.
Delegation to allow the search server to delegate user credentials to the file servers is set up in the active directory management console on the domain controller.
URL used by the client
For trust delegation to work properly from the client side, the Funnelback server must be accessed:
- Using its short name, such as http://server/s/search?collection=...
- Or if using its Fully Qualified Domain Name (http://server.company.com/s/search?collection=...) the Funnelback server must have been included in the "Local Intranet" zone in Internet Explorer
It's also worth noting that other web browsers will require specific settings to allow trust delegation to function.
If you do not set up an authentication mechanism for the search interface, there will be no real document level security. In actual fact it will act as if the logged in user is the windows LOCAL SERVICE account.