Secure search of Windows trusted domains

To enforce document-level security for remote Windows file systems, the Watson Explorer Content Analytics system supports access control list (ACL) verification across trusted domains.

Configuring the crawler

To configure the Windows file system crawler to support trusted domains, you must specify options in a new configuration file. There is no support for configuring this capability in the administration console.

To support the document-level security across trusted Windows domains, edit the following file:
```
ES_NODE_ROOT/master_config/session_ID/winfscrawler_ext.xml
```
Tip: To determine the session ID for the Windows file system crawler that you want to configure, you can monitor the crawler details in the administration console or use the esadmin report collections command.

Specify the Windows domain name and the NETBIOS name of the Active Directory. For example:

<ExtendedProperties>
  <SetAttribute XPath="/Crawler/DataSources/Server/Target" 
   Name="Domain">ExampleCo.com
  </SetAttribute>
  <SetAttribute XPath="/Crawler/DataSources/Server/Target" 
   Name="NetBIOSDomain>EXC1
  </SetAttribute>
</ExtendedProperties>

Stop and restart the crawler for the changes to become effective.

Restrictions

Documents cannot include ACLs from multiple Windows domains. Domain users and groups must belong to one Windows domain per collection.
To support remote file system access verification, the Windows servers must run in the same Windows domain or in trusted Windows domains.
The Windows file system crawler reads the NETBIOS name of the Active Directory associated with the Windows server to be crawled and uses the NETBIOS name to filter the file ACL. The Active Directory that the crawler server joins trusts the other Active Directory that defines user accounts and group accounts.
The user account that you specify for the crawler to use to access a remote Windows server must belong to the Windows domain where you want to enforce and verify access control.
The Windows operating system allows only one account to connect network folders on one file server. Other accounts cannot connect to the same file server at the same time. Therefore, you cannot configure different accounts for different crawlers to crawl the same Windows server, even if the crawlers are in different collections.