FBA on Sharepoint 2010 - sharepoint

I have implemented FBA (Claim based Authentication) on Sharepoint 2010. Following are implemented.
Custom Login page
Custom Sign-in Page
Password recovery page (ForgetPassword.aspx)
In ForgetPassword page user is asked to enter their email address, they used while sign-in and in code behind I am using this email to get the UserName using the Membership.GetUserNameByEmail function and then passing this username to Membership.GetUser function to get the user credential to be send through mail.
But now the code throws as exception saying "The function is not implemented". I am wondering; I am not using any custom database for which I had to create a Custom Membership Provider. Then why I am getting this error. Let me know if anyone has any clue or faced similar problem. Thanks.
Regards,
Paddy

When FBA is configured for SharePoint 2010, two membership providers are defined in the web.config file - Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider (usually named i) and System.Web.Security.SqlMembershipProvider (named FBAMembership in this case). Default membership provider must be set to the former (i.e. SharePoint claims one) in order for FBA authentication to work properly.
When the line containing Membership.GetUserNameByEmail(...) is executed, the default membership provider is used and as a result SPClaimsAuthMembershipProvider.GetUserNameByEmail is called. MSDN says that this method is reserved for internal use and is not intended to be used directly from your code and according to the comment in the Community Content section it throws NotImplementedException.
You need to retrieve an instance of the SqlMembershipProvider provider from the Membership.Providers collection and then call the GetUserNameByEmail method using this instance.
I use prefixes when configuring providers in the web.config file and the retrieve them like this:
string applicationNamePrefix = "fbaProvider_";
MembershipProvider fbaProvider;
foreach (MembershipProvider provider in Membership.Providers)
{
if (provider.ApplicationName.StartsWith(applicationNamePrefix, StringComparison.InvariantCultureIgnoreCase))
{
fbaProvider = provider;
}
}
throw new InvalidOperationException("Appropriate provider was not found.");

Related

Azure Active Directory Authentication and SharePoint CSOM

I have a web application, which connects to SharePoint (customer tenant) to create sites & various List.
To access the customers Sharepoint environment, I used OpenIdConnectAuthenticationOptions which prompts user for AAD creditinals and then the various options for which user wants to provide access ( This App and various API access needed is configured in AAD - when allowing access to "O365 SharePoint Online"
Using OpenIdConnectAutheticationOption, on AuthorizationCode Received the code is used to get "AccessToken".
Using this "AccessToken" to get clientContext gives error:
"401 - Not authorized"
How one can get the required token which allows CSOM operation?
The code used from -
Active Directory Dot net Webapp Multitenant
In the controller OnboardingController, Processcode function, after getting AcquireTokenByAuthorizationCodeAsync following code is used -
string siteUrl = "https://svtestsite.sharepoint.com/sites/powerapps";
ClientContext ctx = new ClientContext(siteUrl);
ctx.ExecutingWebRequest +=
delegate(object oSender, WebRequestEventArgs webRequestEventArgs)
{
webRequestEventArgs.WebRequestExecutor.RequestHeaders["Authorization"] =
"Bearer " + result.AccessToken; // accessToken;
};
ctx.Load(ctx.Web, p => p.Title);
ctx.ExecuteQuery();
Console.WriteLine(siteUrl);
Console.WriteLine(ctx.Web.Title);
The code snippet that you've shared, which sets bearer token for request Authorization header looks fine to me.
ctx.ExecutingWebRequest +=
delegate(object oSender, WebRequestEventArgs webRequestEventArgs)
{
webRequestEventArgs.WebRequestExecutor.RequestHeaders["Authorization"] =
"Bearer " + result.AccessToken; // accessToken;
};
So your issue could be with either the token itself or some permissions missing for app/users. Here are a few things that you should check:
Required permissions for your App Registered in Azure AD. Make sure the app has permissions for "Office 365 SharePoint Online". Which exact permissions depends on your requirements/use cases, but at least 1 should be there. Also, you should go through with the consent flow either using "Grant Permissions" button or as part of Onboarding flow for the tenant.
Check which "Resource" has the token been acquired for.
At least the sample code link you mention in your question (Active Directory Dot net Webapp Multitenant) mentions the resource as "https://graph.windows.net".
Make sure you have changed that to your SharePoint site collection URL.. something like "https://yoursite.sharepoint.com/".
Do try with including/excluding the / at the end of this URL. I've seen issues just because of that as well, although not sure if yours is related.
If above points don't work, it would be worthwhile to examine the access token you are sending to SharePoint in a tool like https://jwt.io or https://jwt.ms Especially, look for:
"aud" claim, which tells about the intended audience for which this token was issued. It should be your SharePoint URL. If it's not that can be causing the issue.
"tid" claim, to see that token is from correct Azure AD tenant. It will be GUID.
and other claims in token, to see if anything suspicious pops out.
Obvious one, but if you're using delegated permissions, then check that the user has appropriate permissions in SharePoint site collection.

Can I deploy a SharePoint Add-In with User Profiles (Social) | Read to the SharePoint AppStore?

I'd like to be able to programmatically retrieve a user's name and manager using code similar to the following:
using (var clientContext = TokenHelper.GetClientContextWithAccessToken(hostWeb.ToString(), accessToken))
{
var peopleManager = new PeopleManager(clientContext);
var personProperties = peopleManager.GetPropertiesFor(loginName);
clientContext.Load(personProperties);
clientContext.ExecuteQuery();
property = personProperties.UserProfileProperties[requestedProperty].ToString();
return property;
}
On an app without the User Profiles (Social) permission, I get an Access Denied on the ExecuteQuery(). I assume you need the User Profiles (Social) | Read permission on the app to be able to do this. I attempted to side-load an app with this permission on a dev site and was told I needed to be a Tenant Administrator which now has me doubting whether this permission is valid for a store-based app.
Is it possible to access user data such as PreferredName and Manager using the PeopleManager in an app on the SharePoint AppStore? If not, is it possible to access this data in a non-interactive fashion using Microsoft Graph?
You can get this data using the Microsoft Graph, with simple queries like https://graph.microsoft.com/v1.0/me to get the current user profile and https://graph.microsoft.com/v1.0/me/manager to get the manager. You can find a code sample of the Microsoft Graph .Net SDK here: https://github.com/microsoftgraph/aspnet-snippets-sample

High Trust S2S Provider Hosted App with "App + User" Policy

I am relatively new to sharepoint app development.
Trying to create a on premises, High Trust provider hosted app with App + User Policy. I have followed below document to create a demo.
https://msdn.microsoft.com/library/office/fp179901(v=office.15)
http://blogs.msdn.com/b/russmax/archive/2014/06/23/part-1-intro-to-provider-hosted-apps-setup-the-infrastructure.aspx
I am facing few issue and I have some question to clarify, if anybody can help.
1) When I inspect my request in dev tools, it give me below form data.
SPAppToken:
SPSiteUrl:
SPSiteTitle:Home
SPSiteLogoUrl:
SPSiteLanguage:en-US
SPSiteCulture:en-US
SPRedirectMessage:EndpointAuthorityMatches
SPErrorCorrelationId:f069e89c-a0cd-20ce-a1c0-7db95db0334b
now when i inspect log with above corelation id, i am finding below errors.
-- Error when get token for app i:0i.t|ms.sp.ext|ab8ff461-bc75-4516-b475-b666ac47eec0#802f23e1-6e11-45d1-909c-07a7b0ab0ce2,
exception: Microsoft.SharePoint.SPException: The Azure Access Control
service is unavailable.
-- App token requested from appredirect.aspx for site: 92bfe5c4-7255-4b09-a89a-07e0e2b03622 but there was an error in
generating it. This may be a case when we do not need a token or when
the app principal was not properly set up.
-- Getting Error Message for Exception Microsoft.SharePoint.SPException: The Azure Access Control service is
unavailable.
a) I belive in high-trust app it shouldn't look for Azure ACS.
Is this error because of some incorrect configuration?
b) SPAppToken is null here. Is it null always in case of hig trust app?
2) Say I am logged into sharepoint with User A and trying to launch sharepoint app.
Within app code I want to get identity of logged in user(which is A). From below code i found that Request.LogonUserIdentity gives me identity of user A. But how can we sure that request is came from sharepoint only. I can copy the same app URL and paste in browser window and login with window credential and get the same result. So question is how can I verify if its legitimate request came from sharepoint only and no one is faking request.
ALos, when I inspect request in dev tools, its passing Authorization key in request header. What is use of this?
using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity)) { clientContext.Load(clientContext.Web, web => web.Title); clientContext.ExecuteQuery(); Response.Write(clientContext.Web.Title); }
3) Also what happens if my app doesnt support windows authentication and only support FBA, is there any way to get user identity in this case?
Any help would be much appreciated.
Thanks
For issue #1: It looks to me that the step # 9 (Configure authentication settings) in this section (from the first MSDN article you have referred) was missed, i.e., 'ACS Control service' was selected instead of 'Use a Certificate' option.
For issue #2: There are helper methods in TokenHelper.cs to validate the AccessToken from the HttpRequest, which identifies the validity of the request.

Azure ACS, WIF 3.5, Asp.Net 3.5 Custom Membership Provider and IsAuthenticated

Following the steps in this guide Using Azure ACS I have a working Azure ACS service configured & authenticating via Facebook, redirecting back to a website running on my development server.
On authentication success Azure ACS redirects back to my local development website and the IsAuthenticated flag is true, however I want to set the IsAuthenticated flag to true only if the email from the claim also exists in my local database, via a check/call to a custom MembershipProvider. If the email from the claim does not exist I want to redirect the client to a register page. Once registered and authenticated I would like to set the IsAuthenticated flag to true.
Currently once authenticated with Facebook and AzureACS, a user can request a secure page such as ViewAccountBalance.aspx, even though the account does not exist since out of the box IsAuthenticated flag to true. Interested to hear what others have done and what the best practice is.
You'll need to make a clear difference between authentication and authorization. Since the user logged in through Facebook it means he's authenticated (you know who he is and where he comes from).
Now, if you want to restrict parts of the application based on a specific condition you're actually talking about authorization. You might consider combining roles with a simple HttpModule. Example: your HttpModule could verify which page the user is browsing. If the user accesses a page that requires an active profile, you could use the following code:
public class RequiresProfileHttpModule : IHttpModule
{
public void Dispose()
{
}
public void Init(HttpApplication context)
{
context.AuthorizeRequest += new EventHandler(OnAuthorize);
}
private void OnAuthorize(object sender, EventArgs e)
{
HttpApplication app = sender as HttpApplication;
if (app.Request.Url.ToString().Contains("bla") && !app.Context.User.IsInRole("UsersWithProfile"))
app.Response.Redirect("http://myapp/register.aspx");
}
}
The only thing you'll need to take care of is to update the principal to make sure it has the role UsersWithProfile if the user filled in his email address.
This is just one of many possible solutions. If you're using ASP.NET MVC you could achieve the same result with global ActionFilters. Or, you could also try to work with the IClaimsPrincipal (add a claim if the user has a profile).
Sandrino is correct. You can use role based authorization (or more generally, claim based authorization). By default, ACS simply returns the claims issued by the identity providers to your relying party. For Facebook, it will return an email claim. However, you can configure ACS to create additional rules. For example, you can map particular users to a role whose value is administrator. Then ACS will also return this role claim to your relying party. Then you can use Sandrino’s suggestion to use role based authorization. You can also refer to http://msdn.microsoft.com/en-us/library/windowsazure/gg185915.aspx for more information.

Sharepoint UserProfileService

I've got a sharepoint site and a custom aspx portal, both under Windows Authentication.
With the same machine, it happens that my sharepoint site returning me my current login, while my custom aspx returning me my domain admin account instead.
Is there anyway that I could ensure both logins are the same? Otherwise, is there anyway to consume SPUserProfileService from a custom aspx portal?
Mainly, I need to have the custom aspx portal to get sharepoint logon id. Nevertheless, i could still trigger AccessDenied.aspx in sharepoint to prompt for logins.
When you say "Custom ASPX Portal", is it still hosted on the SharePoint Site?
In that case, how do you get the user? You can use SPContext.Current.Web.CurrentUser to get the user.
It seems that you are connecting from your custom aspx to SharePoint using your Domain Admin Account.
Could you please describe more about your custom aspx portal and the way you are reading the username?
However, you can check my article (Even though it is for FBA users, you may find the code snippet useful):
Possible ways to get logged in User Name & Handling Changes in FBA Users' Names if Membership Provider Name Changed
public string GetFlatUserName()
{
//First, be sure that the user is not anonymous user:
if (SPContext.Current == null || SPContext.Current.Web.CurrentUser == null)
return "Anonymous";
//Second, parse it:
else
{
string flatUserName = this.Page.User.Identity.Name;
if (flatUserName.Contains("\\"))
{
flatUserName = flatUserName.Substring(flatUserName.IndexOf("\\") + 1);
}
else if (flatUserName.Contains("|"))
{
flatUserName = flatUserName.Substring(flatUserName.IndexOf("|") + 1);
}
return flatUserName;
}
}

Resources