What exactly is the web.Site.SystemAccount? - sharepoint

I'm quite sure the answer must be somewhere, but I googled my ass off:
I know that "elevated privileges" runs with the appPool account. But what account is used for
web.Site.SystemAccount in SharePoint? Is it the farm admin?

MSDN documentation says that
SPSite.SystemAccount Gets the system account of the site collection
In addition, Reflector says that the SystemAccount user ID is 1073741823, which corresponds to SHAREPOINT\system:
<m:properties>
<d:Id m:type="Edm.Int32">1073741823</d:Id>
<d:IsHiddenInUI m:type="Edm.Boolean">false</d:IsHiddenInUI>
<d:LoginName>SHAREPOINT\system</d:LoginName>
<d:Title>System Account</d:Title>
<d:PrincipalType m:type="Edm.Int32">1</d:PrincipalType>
<d:Email></d:Email>
<d:IsShareByEmailGuestUser m:type="Edm.Boolean">false</d:IsShareByEmailGuestUser>
<d:IsSiteAdmin m:type="Edm.Boolean">false</d:IsSiteAdmin>
<d:UserId m:type="SP.UserIdInfo">
<d:NameId>S-1-0-0</d:NameId>
<d:NameIdIssuer>urn:office:idp:activedirectory</d:NameIdIssuer>
</d:UserId>
</m:properties>

This account is the primary administrator of the site collection, which you can configure from Central Admin.
I am afraid RunWithElevatedPrivileges is run by the System account, not the app pool account, because normally we use a separate app pool account rather than the site collection administrator. If you debug the code and get SPContext within RWEP, you will get the System account syntax.
The article below explains this:
http://www.mssharepointtips.com/tip.asp?id=1022

Related

Access RateCard API from Government Cloud, Region usgovvirginia

I am trying to access RateCard info in the Government Cloud, Region usgovvirginia, working from the example on GitHub: https://github.com/Azure-Samples/billing-dotnet-usage-api.
The GitHub sample throws an unhandled exception: AADSTS65005 (see links below).
This error is mentioned there, but in reworking the referenced sections of the procedure I haven't found a way to correct this and strongly suspect the problem is due to differences in US Gov Cloud. (See image below for App settings in the Portal.)
My RegisteredApp:
RateCardHM, appId/clientID: XXXXXXXX-4ba0-47a3-811e-ca0b0b74118a ->
Required Permissions-> (Delegated -- NoApplicationPermissionsAvailable)
Access Azure Service Management as organization users (preview)
RequiresAdmin: No {"AADSTS65005: Invalid resource. The client has
requested access to a resource which is not listed in the requested
permissions in the client's application registration. Client app ID:
XXXXXXXX-XXXX-47a3-811e-ca0b0b74118a. Resource value from request:
https://management.usgovcloudapi.net/. Resource app ID:
40a69793-8fe6-4db1-9591-dbc5c57b17d8. List of valid resources from app
registration: 797f4846-ba00-4fd7-ba43-dac1f8f63013,
00000002-0000-0000-c000-000000000000. Trace ID:
6c1f3716-12ca-489e-b183-99cb6f730300 Correlation ID:
57dbf637-8e01-42f2-873c-4723f1814254 Timestamp: 2018-03-14 18:43:33Z"}
Since there probably isn't a "2-letter ISO code" for usgovvirginia, what should be used?
https://msdn.microsoft.com/en-us/library/azure/mt219004.aspx indicates:
• Set {RegionInfo} to the 2-letter ISO code where the offer was purchased.
Reconcile this with the usgovvirginia region.
<appSettings>
<add key="ADALServiceURL" value="https://login.microsoftonline.us"/>
<add key="ADALRedirectURL" value="http://localhost"/>
<add key="ARMBillingServiceURL" value="https://management.usgovcloudapi.net"/>
<add key="TenantDomain" value="XXXXX.onmicrosoft.com"/>
<add key="SubscriptionID" value="XXXXXXXX-1293-4060-a2ed-0da3db612bcc"/>
<add key="ClientId" value="XXXXXXXX-4ba0-47a3-811e-ca0b0b74118a"/>
<add key="RegionInfo" value="usgovvirginia"/> <!-- WHAT to use here? -->
</appSettings>
I would prefer to get access with PowerShell but getting the C# sample app to work would likely be sufficient and certainly a good start.
UPDATE FOLLOWS (more info):
After logging in with PowerShell AzureRM (as myself) "Locations" for Microsoft.Commerce and RateCard API are empty:
(Get-AzureRmResourceProvider -ListAvailable | ? ProviderNamespace -eq Microsoft.Commerce)
# Outputs with LOCATION 'empty':
ProviderNamespace : Microsoft.Commerce
RegistrationState : Registered
ResourceTypes : {UsageAggregates, RateCard, operations}
Locations : {}
(Get-AzureRmResourceProvider -ListAvailable | ? ProviderNamespace -eq Microsoft.Commerce).ResourceTypes | ? ResourceTypeName -eq RateCard
# Outputs with LOCATION 'empty' also:
ResourceTypeName : RateCard
Locations : {}
ApiVersions : {2016-08-31-preview, 2015-06-01-preview, 2015-05-15}
Possibly this means US Gov Cloud doesn't offer these APIs in any region?
The following image shows the alert where the App has been added as a Reader:
First, you need to make sure the Billing API is actually supported on a Government subscription. I cannot seem to find an official reference on the Internet about its supportability. It'd be much better to ask about that here: https://azure.microsoft.com/en-us/global-infrastructure/government/contact/
If it is supported, normally you need to add the client app you registered to the Government subscription.
Under the Access Control (IAM) blade, click Add. Select Reader under Role (in case you just need to get information without making any change). Under Select, you can look up your client app name (the one with the client ID associated); you can also copy the client ID and paste it into this field.
Without the appropriate permission, your registered client app can't read your Government resources to retrieve billing info over the REST API.
P/S: There is also a role named Billing Reader if you would like to explicitly control access.
Microsoft Support has now attested that accessing the RateCard API is not available in an Enterprise Account (nor in a CSP account).
https://learn.microsoft.com/en-us/azure/billing/billing-usage-rate-card-overview#azure-resource-ratecard-api-preview
Azure Resource RateCard API (Preview)
Use the Azure Resource RateCard API to get the list of available
Azure resources and estimated pricing information for each. The API
includes: Azure Role-based Access Control - Configure your access
policies on the Azure portal or through Azure PowerShell cmdlets to
specify which users or applications can get access to the RateCard
data. Callers must use standard Azure Active Directory tokens for
authentication. Add the caller to either the Reader, Owner, or
Contributor role to get access to the usage data for a particular
Azure subscription.
Support for Pay-as-you-go, MSDN, Monetary commitment, and Monetary
credit offers (EA and CSP not supported) - This API provides Azure
offer-level rate information. The caller of this API must pass in the
offer information to get resource details and rates. We're currently
unable to provide EA rates because EA offers have customized rates
per enrollment.
Thanks to everyone who tried to help.

Azure B2C with Salesforce, missing "objectId"

I'm testing Azure B2C with Salesforce as IdP, and the login process works fine from the Salesforce perspective (the Salesforce Identity Provider Event Log shows "success" for sign-on attempts), but the redirection back to my simple testing web application ends up on an error page such as
/redirect.html#error=server_error&error_description=AADB2C90037%3a+An+error+occurred+while+processing+the+request.+Please+contact+administrator+of+the+site+you+are+trying+to+access.%0d%0aCorrelation+ID%3a+f0292157-ffad-472d-8119-3cd05518654c%0d%0aTimestamp%3a+2018-02-13+15%3a01%3a54Z%0d%0a
Looking at Application Insights, I see error:
A claim could not be found for lookup claim with id "objectId" defined in
technical profile with id "AAD-UserReadUsingObjectId" policy
"B2C_1A_SignUpOrSignInUsingSalesforce" of tenant "xyz.onmicrosoft.com".
I've followed the tutorial here and double-checked lots of things, but I'm not sure if this issue is due to an invalid UserJourney or ClaimsProvider/TechnicalProfile. Or is it just that I'm missing the respective user in Azure B2C that I have in Salesforce?
At least I don't see 'objectId' coming in in the saml:Assertion:
<saml:Assertion xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_b0b0193ce1e861e13ec39f9a991cb3501518533690616" Version="2.0" IssueInstant="2018-02-13T14:54:50.616Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://XYZ.my.salesforce.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jussi.palo#XYZ.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2018-02-13T14:59:50.616Z" Recipient="https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" InResponseTo="_50a752dd-244c-4447-9ac9-6338e8bb692e" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-02-13T14:54:20.616Z" NotOnOrAfter="2018-02-13T14:59:50.616Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2018-02-13T14:54:50.616Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">0050N0000060rpy</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">jussi.palo#XYZ.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">jussi.palo#XYZ.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">false</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
For some reason, the User Journey Player isn't showing anything, so I've thus far been stuck with Application Insights.
Looks like it was confusion about which Starter Pack policy files should be used with the Salesforce instructions. It turned out that using the "SocialAndLocalAccounts" policy files as a basis did the trick, so my UserJourney was not right at first.
I will leave the question here for anyone else running into similar error messages.

Win8 app can't login to SharePoint Office365

I am trying to run this MSDN sample, and it works against an Office 365 site.
However, when I run it against the SharePoint 2013 cloud implementation in my office, I get an authentication failed error, which is actually an error with the message:
<S:Body xmlns:S="http://www.w3.org/2003/05/soap-envelope">
  <S:Fault>
    <S:Code>
      <S:Value>S:Sender</S:Value>
      <S:Subcode>
        <S:Value>wst:FailedAuthentication</S:Value>
      </S:Subcode>
    </S:Code>
    <S:Reason>
      <S:Text xml:lang="en-US">Authentication Failure</S:Text>
    </S:Reason>
    <S:Detail>
      <psf:error xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
        <psf:value>0x80048821</psf:value>
        <psf:internalerror>
          <psf:code>0x80047860</psf:code>
          <psf:text>Direct login to WLID is not allowed for this federated namespace</psf:text>
        </psf:internalerror>
      </psf:error>
    </S:Detail>
  </S:Fault>
</S:Body>
Any idea if there is some setting done by the IT department blocking me, or is there some change I need to make in my app?
Thank you!
This is an old implementation. Make sure you re-connect the app to O365 and refresh all tokens to get the latest keys in the configuration file in the Win8 app. Also, make sure to register the app in the O365 AD tenant.
Hope this helps.

SPFarm.Local.Solutions.Add - Exception - "Access Denied"

Here is my code snippet:
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    SPSolution newSolution = SPFarm.Local.Solutions.Add(#fullPath);
});
The stack trace and inner exception give no further clues. Exception.Source says Microsoft.SharePoint.
SPFarm.Local.CurrentUserIsAdministrator() returns TRUE for the user ID.
The user ID is in the Farm Administrators group.
Any ideas?
EDIT
I have changed my code to the following and still get the Access Denied error:
private void AddSolution()
{
    SPSolution newSolution = SPFarm.Local.Solutions.Add(#fullPath);
}

SPSecurity.CodeToRunElevated elevatedAddSolution = new SPSecurity.CodeToRunElevated(AddSolution);
SPSecurity.RunWithElevatedPrivileges(elevatedAddSolution);
Your main problem might just be that you are not DBO of a SharePoint database (_Config, if I'm not wrong). Adding a solution to a farm is something that requires more rights than just access to the farm.
Be sure that the user running this is a Farm Administrator and DBO of the proper database.
If you still have the problem, try running
stsadm -o addsolution -filename "myWsp.wsp"
If you have the proper rights, it will give you the proper error.
Have you tried declaring the delegate outside of the call to RunWithElevatedPrivileges?
Edit: Ignore the below, as you appear to have checked permissions.
RunWithElevatedPrivileges will use the identity of the application pool which SP is running under. Have you ensured this account has sufficient privileges in your environment?
I do believe that the issue you are having is due to the fact that you are using the static member to access the SPFarm object. I think that it is similar to using the SPContext static class, which will still run under the security context of the logged-on user and not under the elevated privileges context (which is the local application pool identity).
Try this instead inside your delegate:
SPFarm spFarm = SPWebService.AdministrationService.Farm;
SPSolution newSolution = spFarm.Solutions.Add(#fullPath);
EDIT:
Since the above didn't help, your issue probably has to do with database permissions on the config database. RunWithElevatedPrivileges will run under the identity of the application pool that the code is running under. Adding a solution to your farm affects the configuration database, so your application pool identity will need access to the config database. As a test, try adding the app pool identity to the config DB and giving it dbo permissions. If that fixes the issue, then you will need to find the minimum set of permissions that each of your app pool accounts needs to add solutions (do not leave it as dbo).

console application - object model - database permission

I'm trying to run a console application that uses the SharePoint Object Model.
I'm getting the error Cannot open database "dbname" requested by the login. The login failed. Login failed for user 'DOMAIN\userid'.
Somewhere I have read that the user must have permission on the Content DB.
I cannot find an article that explains what permissions to set up. I need this as ammunition to go to my Sys Admin guy to get the permissions set up.
Where is there an article that explains that? I have searched Google but with no luck.
RunWithElevatedPrivileges doesn't help because it just changes the thread user to the process identity - in a console application, this has no effect because they're the same. The "elevation" in an impersonated web context works because the process identity is the application pool account, which has db_owner on its content database.
If I ask that the account I'm using be given Full Control, under the Policies for Web Application, should that work?
Not according to Ishai Sagi: Object model code and stsadm fail with "Access Denied". In short, it seems db_owner permissions on the content database are required for a user to run object model code (including STSADM) without a web context.
Are you running the console application on the server itself? I assume so.
In this case it is likely to be a permissions issue with the account you are using (RDP?) on the server. The database error side of things can be misleading, as you will need to be permissioned within SharePoint itself, which will then give permissions to the database.
I would get your sysadmins to create a service account for you to use that can be granted the correct rights. (Site collection administrator is often needed, but it depends on the code inside the console app; most do assume site collection admin rights though.) You may get more mileage from looking at the application instructions (or if it is your own code, just go for site collection admin).
Running a console app is a bit of a major though, so you may have better luck if you give the sysadmins the application to run and instructions... though I doubt you are running this on the prod box.
Your user probably doesn't have permissions to access those lists or webs. You can run your code with elevated privileges, but it can sometimes give you unexpected results.
An example of how elevated privileges are used can be found here.
Or you can set the user under whose account the console app runs as site collection administrator.
Your code updated to run with elevated privileges can look like this:
using System;
using Microsoft.SharePoint;

private static void DisplayAllLists(string site, string webToOpen)
{
    try
    {
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // The SPSite must be created inside the delegate to run elevated;
            // disposing it also disposes its RootWeb, so no separate Dispose is needed.
            using (SPSite siteCollection = new SPSite(site))
            using (SPWeb web = siteCollection.OpenWeb(webToOpen))
            {
                foreach (SPList list in web.Lists)
                {
                    Console.WriteLine(string.Format("List Title: {0}", list.Title));
                }
            }
        });
    }
    catch (Exception ex)
    {
        Console.WriteLine("Exception: " + ex.Message);
    }
    Console.ReadLine();
}
Note: This code was written off the top of my head, so maybe something is missing; you will have to try it.
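The threads above (the SystemAccount question, the SPFarm.Local.Solutions.Add thread and this console-app thread) all turn on which identity SharePoint code actually runs under. The probe below is an added example, not code from any of the posts; it assumes the SharePoint server object model (Microsoft.SharePoint.dll) and, for the SPContext part, that it is called from within an HTTP request.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using Microsoft.SharePoint;

// Added example: reports the Windows thread identity and the SharePoint user
// seen before and inside RunWithElevatedPrivileges, so the effect of RWEP can
// be observed in a web part/page as well as in a console application.
public static class ElevationProbe
{
    public static string Describe(string siteUrl)
    {
        var report = new StringBuilder();

        // 1. Thread identity before elevation: the logged-on user in a web
        //    context, or the account running the process in a console app.
        report.AppendLine("Thread identity before RWEP: " + WindowsIdentity.GetCurrent().Name);

        // 2. SharePoint user seen through an SPSite opened outside RWEP, plus
        //    SPSite.SystemAccount, which is SHAREPOINT\system (user ID
        //    1073741823) regardless of who opened the site.
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            report.AppendLine("SPWeb.CurrentUser outside RWEP: " + web.CurrentUser.LoginName);
            report.AppendLine("SPSite.SystemAccount: " + site.SystemAccount.LoginName
                              + " (ID " + site.SystemAccount.ID + ")");
        }

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // 3. Inside the delegate the thread carries the process identity:
            //    the application pool account in a web context. In a console app
            //    it is unchanged, which is why RWEP fixes nothing there.
            report.AppendLine("Thread identity inside RWEP: " + WindowsIdentity.GetCurrent().Name);

            // 4. Only objects created inside the delegate are elevated. In a web
            //    context an SPSite opened here reports SHAREPOINT\system as
            //    CurrentUser, while SPContext.Current.Web (created before the
            //    call) still reports the original user.
            using (SPSite elevatedSite = new SPSite(siteUrl))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb())
            {
                report.AppendLine("SPWeb.CurrentUser inside RWEP: " + elevatedWeb.CurrentUser.LoginName);
            }
            if (SPContext.Current != null)
            {
                report.AppendLine("SPContext.Current.Web.CurrentUser inside RWEP: "
                                  + SPContext.Current.Web.CurrentUser.LoginName);
            }
        });

        return report.ToString();
    }
}
```

Running this from a web part shows the first two identities as the interactive user and the last two as the app pool account and SHAREPOINT\system; from a console app all thread identities are the same account, so a database login failure there has to be solved by granting that account rights rather than by elevation.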
