We have setup and are hosting a centrally deployed Add-in for Excel developed with the OfficeJS API. We have had success in building, hosting, and testing the Add-in, but are now seeing a very strange issue that we are having trouble debugging. For context, the Add-in is developed with React, the OfficeJS API, and is intended to be loaded within Excel and primarily interacted with via the taskpane window.
Now that we have a working Add-in, we have deployed the Add-in to our first client using Centralized Deployment (https://learn.microsoft.com/en-us/office/dev/add-ins/publish/centralized-deployment) for the Client's associated Office 365 account. When deploying, we originally only deployed to a certain subset of users while finalizing testing, but since we have updated the "Assign Users" setting to "Everyone". We are now running into a strange issue where some of our users in the account are able to access the add-in, and some are not. It should also be noted that all of the users who originally had access still have access; it seems only a subset of the newly authorized users are unable to access the add-in.
So far, we have tried a number of things to re-create and/or resolve the issue, but have had no success:
Setting up new accounts - when setting up a new account, the new account seems to have access to the Add-in as expected. We are unable to re-create the bad state some users are experiencing.
Clearing Excel Cache - we have had users clear their Excel application and web cache, but nether has resulted in changes to access.
Logging in/out - we have worked with users to sign-out, clear cache, and sign-in again but this does not update any access settings for the Add-in.
Attempting to Manually "Insert" the Add-in - when opening the "Insert" tab and selecting "My Add-ins" menu from Excel, the user does not have the Add-in listed under the "Admin Managed" tab. If the user attempts to "Refresh" it still does not change anything.
We are starting to meet with some of the users who are experiencing the issue to further investigate, so any advice or further debugging tips would be greatly appreciated!
I am investigating how to convert an existing outlook add-in to authenticate to one of our APIs via Azure Active Directory. The way the add-in works, it would severely limit the user experience if they were constantly prompted with a dialog. If I were to base my solution off this sample project, how often could we expect the user to have to interact with a dialog or login?
Our environment is Sharepoint 2010, with a web application created (and site collection on top), using claims based authentication. The first site is using port 881. It is using integrated windows authentication. Another web application is created, extending the first application, using port 882. This site is using Forms Based Authentication, the membership provider is System.Web.Security.ActiveDirectoryMembershipProvider, named admembers. I have turned off Client Integration on both sites.
When I login to the 881 site, on my corporate network, logged into the machine with the same domain account that sharepoint uses, I can open an Office file saved in a document library, and it subsequently opens in the appropriate Office application, without asking me login again. But, If I login to Sharepoint from a computer that is not on our network, or login to the computer with an account that is not a domain account, I get prompted again to login when openning an Office document. If I choose the option to save, it does not prompt, but if I choose open in the dialog window, I am forced to enter my domain credentials again.
When I login to the 882 site, which uses FBA, I experience the same problem. If I open an Office document, the appropriate Office application opens, and asks me for my credentials, by showing me a dialog window with the sign in page loaded. If I choose to save the file, then I am not prompted to login, and the file saves to a local folder.
I can't expect my users that are off site to login again everytime they open an Office document, like Work, Excel, Powerpoint, etc. I have tried numerous fixes, including disabling client integration, changing the browser handling mode (strict/permissive), changing internet explorer settings (for integrated windows authentication), changing the integrated windows authentication site to use basic authentication, even hacking the page using jquery to call the sharepoint javascript function that execute the "download a copy" function. None of them work: when choosing to "open" the Office document in the browser, the user has to login again, or just close the dialog window without logging in (as long as client integration for the zone is turned off).
I'm looking to get this accomplished using windows authentication or forms based authentication.
Help!
I found this answer in a similar post which seemed to fix the problem for me when I tested it. The gist of it is you need to deny the HTTP Verbs OPTIONS and PROPFIND in IIS. Having said this, I'm not an IIS guru and am not exactly sure what this means or what else it might affect. Can anyone else shed some light on this?
A bit of background, I'm using SharePoint 2010, on an FBA site.
You have the standard three use cases:
Employee intranet access
Employee remote access
Partner remote access
Employee intranet access
This normally always works out of the box, and it looks like it is working for you.
Employee remote access
The only way that i have seen this work (and i have tried many ways) is to get TMG or ISA. Basically ISA is setup in FORMS auth with SSL, it captures the auth details, and then passes them to the sharepoint server. (and other servers if you have them eg OWA for sharepoint mail web parts)
If you select the "Is private computer" option on the ISA login screen, then Office documents share the auth cookie and don't prompt for another login. I had so many problems, but as soon as i installed TMG, they all went away. I would not recommend any other approach now.
The added bonus of this method, is that remote employees are treated as the same account as the intranet user. The way you are setup with a seperate web application, means that they will be different accounts, so things like [checkout/modifiedby/createdby/personalisation] will be different accounts (though they look the same)
Partner remote access
This may never ever work on some clients (especially Vista), as IE needs to share the authentication with Office
If this is sharepoint 2010, try this.
Get-SPSecurityTokenServiceConfig
Look at your UseSessionCookies value in the output. If True, apply the powershell below.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $false
$sts.Update()
If UseSessionCookies is true, you will have to login to any docs u want to download...
Scenario
I have an InfoPath form. the user fills it in the details, and then a manager checks it over for accuracy. The manager then signs off the form to say that they are happy with the details and then the form gets submitted.
This process does not happen every time and its purpose is to validate that the user is performing the job to an adequate standard.
It is this sign off process that I need help on.
I need an easy way to authenticate the Manager. and associate the authentication with the form.
Environment
IIS6, Sharepoint 2007, SQL Server 2005, Infopath 2007, Windows XP.
I have considered using digital certificates but it seems to be overly complex for what I am trying to achieve, however happy to be proven wrong.
The easiest/simplest way would be to activate approval on the forms library and give the manager(s) the Approve permission. This way users can submit forms that remain in a draft state until a manager approves them. Draft forms will be visible only to their author and the managers. The manager that approves a form will appear in the
If you need something more than this simple 2-step process you can activate the out-of-the-box approval workflow on the forms library. With this you can define multiple approval steps to the process, add task notifications to managers etc.
As far as authentication is concerned, SharePoint checks the roles/permissions assigned to users and forms internally so you don't need to do anything more.
Certificates are serious overkill for simple approval. Certificates cryptographically sign the content of a form and guarantee that its content was created by the owner of the certificate. Sharepoint already keeps track of who created and modified a document and can also keep track of document versions, so you don't need certificates unless you have some strange legal requirements.
We have a SharePoint application where we want the user to be able to modify the web.config by activating a feature. The application is extended, so we have an AD based web application and another that uses Forms Based authentication (FBA), with the FBA application being the "main" user application.
We use the SPWebConfigModification class (http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.administration.spwebconfigmodification.aspx) to write to the web.config for settings we need for the activated feature.
This works great on the AD based side of things. However, when we try and run this on the FBA based web app, we get an error because the site collection administrator for the FBA site, does not have any access to modify the web.config on the server. Given that they are a FBA user, we can not give them rights on the server either.
Has anyone run into this? Does anyone have any work arounds. I assume I could try and have the application to update the web.conifg run via the command line, but I would really like it be done by the user when they activate the feature. I could also try and loosen security rights on the web.config, but that is a bad path to start down.
Thanks!
John
An alternative would be to write a component which does it.
This could be trigged by activating a feature, or updating a webpart.
This would mean you don't need to loosen security, or do it via the command line.