I have made a restservice that combines data from different origins on a local environment. One of the origins is an onprem SharePoint 2019 where I need to use the rights from the user that accesses the restservice. I am using impersonation for that and if I debug from Visual Studio through IIS express it works fine.. but when I publish it to IIS it doesn't.
In the web.config I have added
<identity impersonate="true" />
And my test code is this..
SPSecurity.RunWithElevatedPrivileges(delegate ()
{
using (WindowsImpersonationContext impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate())
{
try
{
values.Add(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
SPSite sPSite = new Microsoft.SharePoint.SPSite(ConfigurationManager.AppSettings["SPUrl"]);
values.Add(sPSite.RootWeb.CurrentUser.Name);
values.Add(sPSite.RootWeb.Title);
}
catch (Exception ex)
{
values.Add(ex.Message);
}
}
});
I just return an array of information and the values are
impersonated username - OK
the name of the current user - Ok
the title of the rootweb - access denied
error if it fails.. and it does.
We have tried to set spn on the server. But that's still not enough.
Related
I have followed this tutorial to secure Azure SQL Database connection from App Service using a managed identity.
Everything is working as expected in Azure, but when I am trying to debug the code locally I am getting below error message while opening the connection.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I found few references where they have mentioned we can use 'Azure Service Authentication' extension to debug locally.
I have logged into my Azure account in 'Azure Service Authentication' extension. But, still I am getting the error.
public IActionResult GetData()
{
var result = "connection opened.";
var test = config.GetSection("ConnectionStrings")["MyDbConnection"];
SqlConnection sql = new SqlConnection();
sql.ConnectionString = test;
sql.AccessToken = (new AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result; //No issues while fetching the token.
try
{
//Getting exception here when running locally...
//Same code is working in Azure Webapp.
sql.Open();
}
catch (Exception ex)
{
result = $"Error : {ex.Message}";
}
finally
{
if ( sql != null && sql.State == System.Data.ConnectionState.Open )
{
sql.Close();
}
}
return Ok(result);
}
Other Details:
Visual Studio 2019 Community - Version 16.1.0 Preview 3.0
.NET Core 2.2
UPDATE 1:
This post talk about connectionString parameter for AzureServiceTokenProvider class. I tried providing RunAs=Developer; DeveloperTool=VisualStudio value for connectionString but still facing same issue.
Got below answer on Microsoft forum
Hello Hemant
I can see from the screenshot that you are logged in to Visual Studio with your Live ID.
Is the database created in a tenant associated with a work account?
Which user is set as AAD Admin on the Azure SQL Server?
The user account with which you are logged in to VS should be added as a user on the database for the authentication to work.
Alternatively, in the same article the you referenced, there is a section that talks about creating an AAD group and granting appropriate permissions.
You can add your user to the AAD group as well.
Please let us know if you have further questions.
Proposed as answer by Kalyan Chanumolu-MSFTMicrosoft employee, Moderator Wednesday, May 22, 2019 3:55 AM
Marked as answer by Hemant.Shelar Wednesday, May 22, 2019 4:22 AM
Wednesday, May 22, 2019 3:55 AM
Note: I was able to get it done by creating AAD group and granting appropriate permissions.
UPDATE 1:
I have followed below steps to get it work. Let me know if there exists any other possible solution
Created a AAD group e.g. 'hemantdotnetcore1'
Add users to this group ( generally these users will be developers
in DEV environment who want to access the database during
development )
Navigate to the SQL server instance and set 'Active Directory
admin'. In this example I have added 'hemantdotnetcore1' as a
active directory admin.
In visual studio navigate to 'Azure Service Authentication' and
log in with any one user who is part of group 'hemantdotnetcore1'
which is my Azure Active Directory Admin'
Now I can use below toke to open connection with the SQL Server.
sql.AccessToken = (new AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;
In Module 2 of the MVA course Building Blocks and Services of the SharePoint Platform titled ‘Deep Dive into SharePoint Lists for Data Storage’ (at about 45 minutes in) Ted Pattison did a demo of using a console app to create a list on a SharePoint Online site. The course is at http://www.microsoftvirtualacademy.com/training-courses/deep-dive-building-blocks-and-services-of-sharepoint
I’m trying to do the same in my environment but I’m having trouble.
In the demo he went to _layouts/15/AppRegNew.aspx to register a new app in the app registry. In the demo, at the top of the page there was an ‘App Type’ radio Button list with the options ‘An app running on the web Server’ and ‘An App running on a client machine’. When I access this page on my site, there is no such radio Button List. Also in the demo, Ted left the Redirect URL blank. On my site it is required:
So to get past this I entered the URL for my site (https://mydomain.sharepoint.com/sites/test). The app ID was created successfully:
I then went to _layouts/15/AppInv.aspx to give the app security. I pasted in the CAML to give the app read access to the web:
<AppPermissionRequests>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
</AppPermissionRequests>
And then trusted the app by Clicking Trust It:
I then copied the values from the App registration into my app.config:
<add key="targetSiteUrl" value="https://xxxxx.sharepoint.com/sites/test"/>
<add key="clientId" value="bf4c37ef-9202-41ba-8430-3983cba26285"/>
<add key="clientSecret" value="nKGefHSvT69Ls2rwq1AIVyyHkIwlBzT9UkpbJMUcIbw="/>
<add key="deleteOnly" value="false"/>
And then created code based on what was in the demo to get the webs title:
static void Main(string[] args)
{
string siteUrl = ConfigurationManager.AppSettings["targetSiteUrl"];
bool deleteOnly = ConfigurationManager.AppSettings["deleteOnly"].Equals("true");
Uri siteUri = new Uri(siteUrl);
string realm = TokenHelper.GetRealmFromTargetUrl(siteUri);
var accessToken = TokenHelper.GetAppOnlyAccessToken(TokenHelper.SharePointPrincipal,
siteUri.Authority, realm).AccessToken;
using (var clientContext = TokenHelper.GetClientContextWithAccessToken(siteUrl, accessToken)) {
var web = clientContext.Web;
clientContext.Load(web);
clientContext.ExecuteQuery();
Console.WriteLine(web.Title);
}
}
The code above gets the realm and the access token and successfully creates the clientContext, But when I run the executeQuery I always get the error Microsoft.SharePoint.Client.ServerUnauthorizedAccessException. I have tried giving the app ID full control of the Web, the Site Collection and the Tenant, but I still get the same error.
How do I get my console app to have update access to my site?
I needed to set AllowAppOnlyPolicy when adding the permissions in appinv.aspx
<AppPermissionRequests AllowAppOnlyPolicy="true" >
Two days ago, everything was working fine. Now when I try to add an item from my web part it is giving a 403 forbidden access denied error.
Also, I am using run with elevated privileges to insert records. It was working. Now I can manually add items, but from my web part it is not working. Also, I am not able to edit publishing pages.
SPSite site = SPContext.Current.Site;
SPWeb web = SPContext.Current.Web;
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite ElevatedSite = new SPSite(site.ID))
{
using (SPWeb ElevatedWeb = ElevatedSite.OpenWeb(web.ID))
{
// Code Using the SPWeb Object Goes Here
}
}
});
Check if your password has expired by connecting to your sharepoint site with a browser. I have had this issue twice already, twice it was a expired password problem.
(note: I will remove this answer if not relevant)
I have a DEV environment where I develop my code and I use a local Sharepoint.
I have a TEST environment where I deploy my application and use a Sharepoint on the TEST server.
I am using Sharepoint 2010.
I have a client object model that I am using to save a document in a sharepoint server.
I am using the Microsoft.Sharepoint.Client library for the following code;
public void Save(byte[] file, string url)
{
using (var context = new ClientContext(this.SharepointServer))
{
var list = context.Web.Lists.GetByTitle(this.DocumentLibrary);
var fileCreationInformation = new FileCreationInformation
{
Content = file,
Overwrite = true,
Url = url
};
var uploadFile = list.RootFolder.Files.Add(fileCreationInformation);
uploadFile.ListItemAllFields.Update();
context.ExecuteQuery();
}
}
}
When I run this code in my development environment, the document is saved on the Sharepoint as intended.
When I deploy to the test environment when the document is saved to a different Sharepoint server, I get the following exception:
Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: Access denied. You do not have permission to perform this action or access this resource.
So there is a permissions issue here.
However when I change my code on the development server to save the document to the Sharepoint on the Test server, it works. The same Sharepoint that would not save the document from my deployed application on Test. I am also logging in with forms authentication with the same user name and password.
So why might this happen and where should I look to fix it?
I found what I was missing
I needed to set the credentials for the context;
context.Credentials = new NetworkCredential(this.UserName, this.Password, this.Domain);
I'm trying to run a console application that uses the SharePoint Object Model.
I'm getting the error Cannot open database "dbname" requested by the login. The login failed. Login failed for user 'DOMAIN\userid'.
Some place I have read that the user must have permission to the Content DB.
I can not find an article that explains what permissions to setup. I need this as ammunition to go to my Sys Admin guy to get the permission setup.
Where is there an article that explains that? I have searched google but with no luck.
RunWithElevatedPrivileges doesn't help because it just changes the thread user to the process identity - in a console application, this has no effect because they're the same. The "elevation" in an impersonated web context works because the process identity is the application pool account, which has db_owner on its content database.
If I ask that the account I'm using be given Full Control, under the Policies for Web Application, should that work?
Not according to Ishai Sagi: Object model code and stsadm fail with "Access Denied". In short, it seems db_owner permissions on the content database are required for a user to run object model code (including STSADM) without a web context.
Are you running the console application on the server itself? I assume so.
In this case it is likely to be a permissions issue with the account you are using (RDP?) on the server. The database error side of things can be misleading as you will need to be permissioned within SharePoint itself, which will then give permissions to the database.
I would get your sys admins to create a service account for you to use that can be granted the correct rights. (site collection administrator is often needed, but it depends on the code inside the console app. most do assume site collection admin rights though). you may get more mileage from looking at the application instructions (or if it is your own code just go for site collection admin)
Running a console app is a bit of a major though, so you may have better luck if you give the sysadmins the application to run and instructions... though I doubt you are running this on the prod box.
your user propably don't have permissions to access those lists or webs. You can run your code with elevated privilegies, but it can sometimes give you unexpected results.
Example of how elevated privilegies is used can be found here
Or you can set user unser who's account console app runs as site collection administrator.
Your code updated to run with elevated privilegies can look like this:
private static void DisplayAllLists(string site, string webToOpen)
{
try
{
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using ( SPSite siteCollection = new SPSite(site) )
{
try
{
using (SPWeb web = siteCollection.OpenWeb(webToOpen))
{
SPListCollection lists = web.Lists;
foreach (SPList list in lists)
{
Console.WriteLine(string.Format("List Title: {0}", list.Title));
}
}
}
}
finally
{
siteCollection.RootWeb.Dispose();
Console.ReadLine();
}
}
}
catch (Exception ex)
{
Console.WriteLine("Exception: "+ex.Message);
}
}
Note: This code was written from top of my head, so maybe something is missing..you will have to try it