I'm trying to bring external content into our SharePoint environment. We are running SP 2010. The data I want to bring in exists in Sql Server. What I'm struggling to do is map the logged in SharePoint user to an underlying sql user.
In SharePoint I have created a new Target Application in the Secure Store Service:
Target Application ID: TestApp
Target Application Type: Group
I have specified two fields:
Name :: Type
User Name :: User Name
Password :: Password
--these are not the Windows User Name and Windows Password types, just the basic types
Target Application Administrators and Members are both set as myself (AD User).
In SharePoint Designer I've created a new External Content Type. I've added a connection of (Type -> Sql Server). I've set the database server name to the server name that is not on the same box as SharePoint and I've set the database name. I've selected the Connect with Impersonated Custom Identity option and set the Secure Store Application Id to TestApp. When I click OK I get prompted for credentials so I enter the Sql Server user credentials and the connection succeeds. I expand out the tables, right click the table I want accessible, and click Create All Operations. I go through the wizard and enter one limit filter.
Next I right click MyTable in the External Content Types windows, select External List, and give it a name. Next I go into Central Admin and set the credentials of TestApp.
Now when I log into SharePoint I can see my external list in the left hand TOC. I click on the list and I get the error Access Denied by Business Data Connectivity with a correlation code. I've opened up the logs to see what is being returned which has some interesting logs but I'm not sure exactly how to remedy the problem:
Log:
Access Denied for User '0#.w|domain\myuser, which may be an impersonation by 'domain\myuser'. Securable MethodInstance with Name 'Read List' has ACL that contains
Another Log:
Error while executing web part: Microsoft.SharePoint.SPException: Access denied by Business Data Connectivity. ---> Access Denied for User '0#.w|domain\myuser', which may be an impersonation by 'domain\myuser'. Securable MethodInstance with Name 'Read List' denied access.
I know if I'm using pass-through creds we will need Kerberos to handle the double hop, but I didn't think I would need Kerberos with cred mapping to a SQL Server user.
Any help would be greatly appreciated!!!!
I was playing around with BCS and ran into what I think is a similar problem. This helped to solve the problem. See if this helps:
http://www.zimmergren.net/archive/2010/05/08/access-denied-by-business-data-connectivity-solution.aspx
This happens because you have not set access on the BCS object that you created. Go into Central Administration and select your External Content Type or other object and select Set Permissions from the dropdown. Your authentication is working or you would not be able to save the object you created to the metadata store. You now need to tell the metadata store who has access to the objects you created in BCS.
What I need:
I need to read an excel table from Microsoft Teams Channel with Microsoft Graph API.
That is possible with the following URI:
https://graph.microsoft.com/v1.0/drives/someId/items/someId/workbook/tables/tableName/rows
The problem is, that this endpoint needs a valid token.
There are 2 opportunities:
Create an Azure AD application that has access to the whole OneDrive.
Create an Azure AD application to retrieve a token for a service user that has access to the needed files.
The problem with the first one is that I don't want to give it access to the whole OneDrive. I want it to have access to just one OneDrive folder.
Maybe there is some possibility to limit the access just to one OneDrive folder?
I've tried the second alternative with the com.microsoft.aad.msal4j library:
import java.util.Collections;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;

// Public client (no client secret) against the tenant-specific v2.0 authority
String APP_ID = "20106bdc-eec0-493d-b32f-526583aa95a6";
String AUTHORITY = "https://login.microsoftonline.com/112121a0-cc1f-12af-1213-faaa12ef1b11/v2.0";
PublicClientApplication pca = PublicClientApplication.builder(APP_ID)
        .authority(AUTHORITY)
        .build();

// Username/password (ROPC) flow for the service user; scope requested on the token
String scopes = "User.Read";
UserNamePasswordParameters parameters = UserNamePasswordParameters.builder(
        Collections.singleton(scopes),
        userName,
        password.toCharArray()).build();

// acquireToken() returns a CompletableFuture; get() blocks until the token arrives
IAuthenticationResult result = pca.acquireToken(parameters).get();
But this leads to the following exception:
com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Any ideas? Thank you
For this issue, you need to learn about the difference between ConfidentialClientApplication and PublicClientApplication.
Please see Public Client and Confidential Client applications.
Public client applications are applications which run on devices (phones for instance) or desktop machines. They are not trusted to safely keep application secrets, and therefore access Web APIs in the name of the user only (they only support public client flows). Public clients are unable to hold configuration time secrets, and as a result have no client secret.
So for PublicClientApplication, we don't need a client secret.
What you need to do is (which you have found from this comment):
In the Application menu blade, select Manifest, and in the manifest editor, set the allowPublicClient property to true.
There is a completed sample with detailed steps here for your reference.
Besides, since you are trying to read an excel table, user.read permission is not enough.
Based on List rows Permissions, you need to add Files.ReadWrite delegated permission in the Azure AD app (app registration). And you should also specify it in your code.
All steps that I've done, so that it works:
I need to access a shared folder, so I needed to change the scope to "Files.ReadWrite.All" in my code.
In the list of pages for the app, select API permissions, click the Add a permission button and then, ensure that the Microsoft APIs tab is selected. In the Commonly used Microsoft APIs section, click on Microsoft Graph. In the Delegated permissions section, ensure that the right permissions are checked: Files.ReadWrite.All. Use the search box if necessary. Select the Add permissions button.
In the list of pages for the app, select Manifest, and in the manifest editor, set the allowPublicClient property to true, select Save in the bar above the manifest editor.
Login as a tenant admin to https://portal.azure.com. Open the registration for your app. Go to Settings, then Required Permissions. Press the Grant Permissions button.
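The same flow that the MSAL4J UserNamePasswordParameters call performs, written out as an added PowerShell example (not code from the question or the answers above) so that both fixes in this thread show up in the raw requests: the app registration must be marked allowPublicClient = true, and the token must be requested with a Files scope rather than User.Read. The tenant ID, client ID, drive ID, item ID and table name are placeholders.

```powershell
# Added example: raw OAuth 2.0 username/password (ROPC) token request against the v2.0
# endpoint, i.e. what MSAL4J's UserNamePasswordParameters does, followed by the Graph
# call that lists the rows of an Excel table. All IDs below are placeholders.
$tenantId  = "<tenant-id>"
$clientId  = "<app-registration-id>"
$driveId   = "<drive-id>"
$itemId    = "<workbook-item-id>"
$tableName = "<table-name>"

# Delegated Graph permission the answer names; the asker's User.Read scope is not enough
# for /workbook/tables/.../rows. On the v2.0 endpoint the scope is qualified with the resource.
$scope = "https://graph.microsoft.com/Files.ReadWrite.All"

# Service-user credentials are read interactively so they never sit in the script.
$cred = Get-Credential -Message "Service user that has access to the workbook"

$body = @{
    client_id  = $clientId
    scope      = $scope
    username   = $cred.UserName
    password   = $cred.GetNetworkCredential().Password
    grant_type = "password"
}

try {
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
        -ContentType "application/x-www-form-urlencoded" `
        -Body $body
}
catch {
    # With allowPublicClient still false the token endpoint answers HTTP 400 and the JSON
    # error_description carries AADSTS7000218 (client_assertion or client_secret required).
    throw "Token request failed: $($_.ErrorDetails.Message)"
}

# Read the table rows with the delegated token. Each row carries an index and a
# 'values' array holding one array of cells per row.
$uri  = "https://graph.microsoft.com/v1.0/drives/$driveId/items/$itemId/workbook/tables/$tableName/rows"
$rows = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $($token.access_token)" }

foreach ($row in $rows.value) {
    # Row index followed by its cells as one comma-separated line
    "{0}: {1}" -f $row.index, ($row.values[0] -join ",")
}
```

Because the token is delegated, what the app can reach is the intersection of the granted scope and the service user's own file permissions, which is the practical answer to the "whole OneDrive" concern in the question: the boundary is the service user's access, so give that account rights to only the folder it needs. ROPC cannot satisfy MFA or conditional-access prompts, so the service user must be excluded from those policies for this flow to keep working.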
I am trying to use a REST web API to retrieve data.
When I am building and executing it using the local server, it is displaying the data.
But when I publish it and use IIS to access it, it does not show any data and shows this:
"This XML file does not appear to have any style information associated with it. The document tree is shown below."
I am already using the same API for the file upload functions and they are working. It's just a matter of the database: whenever I have to access the database, it shows me the error above (this error means that no data is fetched).
Can you please help me with it?
Thanks in advance
The common reason behind the issue is that the IIS user does not have enough permission to access the database.
To resolve the issue you can assign a domain user which has enough access to the database to the application pool by following the steps below:
1) Open IIS Manager.
2) Select your application pool -> Advanced Settings.
3) Under Process Model, click on the "Identity" value and select "Custom account".
Enter your domain user name (DOMAIN\USERNAME) and the password of the user that has access to the database, and click OK to apply the changes.
After applying the changes, select the application pool and click on "Recycle".
If you still face an issue you could refer to the link below for how to configure the application pool user in SQL Server:
https://forums.iis.net/post/2159167.aspx
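The app-pool identity change described in steps 1 to 3 above, as an added PowerShell example (not code from the answer or from the linked forum post), with the SQL Server side done as a least-privilege grant rather than a broadly privileged account. The pool name, server, database and account are placeholders; it uses the WebAdministration module that ships with IIS and Invoke-Sqlcmd from the SqlServer module.

```powershell
# Added example: run the API's application pool under a dedicated domain account and
# give that account only read access to the database. Names below are placeholders.
Import-Module WebAdministration

$poolName  = "MyApiPool"
$poolPath  = "IIS:\AppPools\$poolName"
$sqlServer = "SQL01"
$database  = "MyAppDb"

# Prompt for the DOMAIN\USERNAME credentials instead of embedding the password in the script.
$cred    = Get-Credential -Message "Domain account for the application pool (DOMAIN\USERNAME)"
$account = $cred.UserName

# identityType 3 = SpecificUser, the "Custom account" option from step 3 in IIS Manager.
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identityType = 3
    userName     = $account
    password     = $cred.GetNetworkCredential().Password
}

# Equivalent of "Recycle" in IIS Manager, so new worker processes start under the new identity.
Restart-WebAppPool -Name $poolName

# Check what the pool now runs as (identityType should read SpecificUser).
Get-ItemProperty -Path $poolPath -Name processModel | Select-Object identityType, userName

# SQL side: a Windows login for the pool account and membership in db_datareader only.
# Add db_datawriter or explicit EXECUTE grants only if the API actually writes.
# ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later (older versions: sp_addrolemember).
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$account')
    CREATE LOGIN [$account] FROM WINDOWS;
USE [$database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$account')
    CREATE USER [$account] FOR LOGIN [$account];
ALTER ROLE db_datareader ADD MEMBER [$account];
"@
Invoke-Sqlcmd -ServerInstance $sqlServer -Query $grant
```

If the pool keeps the built-in ApplicationPoolIdentity instead, the login to create is the machine account (DOMAIN\MACHINE$) when SQL Server is on another host, or IIS APPPOOL\MyApiPool when SQL Server runs on the web server itself.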
I am getting a problem in implementing Field Level Security in CRM 2011. I am very new to this technology, hence not able to resolve this problem.
These are the steps I have done:
1. Created an entity named Inquiry.
2. On the form under the entity created a field named 'Password' with EnableSecurity set to 'true'.
3. Then moved to Administration -> Field Security Profiles -> Created a profile named 'Inquiry'. Under the Users tab selected a user (Mike) and kept the Field Permissions as they were, i.e. 'No'.
4. Now on login for user Mike the 'Password' should be seen encrypted, but it does not display as encrypted.
Steps used to create the user:
1. Under Users & groups created a new user and assigned 'Service administrator'.
Please tell me if I missed out some step or if I have done something wrong.
I think user Mike has the System Administrator security role.
This security role always gives full access to all secured fields; you can find more information here:
How Field Security Can Be Used to Control Access to Field Values in Microsoft Dynamics CRM
section Which Security Roles Allow You to See Secured Fields?
Hey, I got the solution to my question. Posting it so that it may help beginners like me.
All I did was:
Steps used to create the user:
1. Under Users & groups created a new user and did not give the user administrator permissions.
2. Then under Settings -> Administration -> Users -> selected the user and opened the form.
3. Then chose Manage Roles from the ribbon menus and selected 'System Customizer' as the Security Role.
The rest of the process is the same for applying field security.
5. In the end logged in as a System Customizer and was able to see the changes.
Thank you #Guido Preito for the help.
I created an external content type in SharePoint Designer and created a list. I went to the URL and when I refreshed the page the list appeared. When I click the list it is showing as
"Access denied by Business Data Connectivity. Correlation
ID:bab07ba2-5ac1-463c-ab8d-f4f2233fb26"
In Central Admin I gave the permissions for my account to that external content type.
Still it is showing this message. What is the solution for this one?
Got the solution. Need to add the
"Set metadata store permission"
I added my user here. The list is now generated without any problem.
Thank you all.
Go to: Central Admin -> Manage Service Application (http://CentralAdminURL/_admin/ServiceApplications.aspx) -> Business Data Connectivity Service
Then select the External Content type you are looking for and make sure you provide permissions (buttons at the ribbon) to all authenticated users.
Regards
Ronald
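The Set Permissions / Set Metadata Store Permissions step that the answer above, the asker's own fix and the first BCS thread on this page all describe, as an added PowerShell example for the SharePoint 2010 Management Shell (not code from any of the posts). The site URL, ECT name, namespace and account are placeholders; the ECT namespace is assumed to be the site URL, which is what SharePoint Designer uses by default for ECTs it creates.

```powershell
# Added example: grant a user rights on the BDC metadata store and on one external
# content type, then show the resulting ACL. Run in the SharePoint 2010 Management Shell.
$siteUrl   = "http://sharepoint"   # any site in the web application (service context)
$ectName   = "MyTable"             # ECT name as shown in SharePoint Designer
$namespace = "http://sharepoint"   # assumption: SPD uses the site URL as the ECT namespace
$account   = "DOMAIN\myuser"       # a domain group is usually the better principal

# Claims principal for a Windows account (use WindowsSecurityGroupName for a group).
$principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName

# 1. Metadata store (the "Set Metadata Store Permissions" ribbon button). Execute is all a
#    reader needs; Edit and SetPermissions are administrative and belong to very few accounts.
$catalog = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Catalog -ServiceContext $siteUrl
Grant-SPBusinessDataCatalogMetadataObject -Identity $catalog -Principal $principal -Right Execute

# 2. The external content type itself (the "Set Object Permissions" button). Copying the ACL
#    to children covers method instances such as the 'Read List' named in the ULS error.
$ect = Get-SPBusinessDataCatalogMetadataObject -BdcObjectType Entity -Name $ectName `
        -Namespace $namespace -ServiceContext $siteUrl
Grant-SPBusinessDataCatalogMetadataObject -Identity $ect -Principal $principal -Right Execute
Copy-SPBusinessDataCatalogAclToChildren -MetadataObject $ect

# 3. Verify: who holds which rights on the ECT after the change.
$ect.GetAccessControlList() | Select-Object Principal, Rights
```

Granting Execute to a group on the metadata store and letting the ACL propagate is what the "all authenticated users" advice above amounts to; keeping Edit and SetPermissions off that grant means list readers cannot change the ECT or its ACL. If the ULS log still reports "Access Denied ... Securable MethodInstance", re-run step 2 for the ECT, since the method-instance ACL is what that message is about.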
I am building a console app that runs under a normal user account to access SharePoint lists programmatically. In order to access SharePoint objects the console application impersonates the user under whose context SharePoint is running. The impersonation is successful, but when I try to access any SharePoint SPWeb objects the following error is given:
spWeb.ID = 'spWeb.ID' threw an exception of type 'System.Data.SqlClient.SqlException'
base {System.Data.Common.DbException} = {"Cannot open database \"WSS_Content_92\" requested by the login. The login failed.\r\nLogin failed for user 'DOM\USER'."}
Shouldn't the impersonation have allowed access to the underlying database? And do I need to explicitly grant access to the current user to give access to the SharePoint lists etc.?
Thanks in advance
In a console or Windows app, when accessing the object model while you are impersonating the user, the database connection will be made under the user's account credentials. So in effect you will have to give each of your users fairly high-level permissions to access the database (or, better, make them a member of a group that has these permissions).
http://technet.microsoft.com/en-us/library/cc721638(office.12).aspx
This is different to the web app where the account used is the AppDomain account of the IIS site.
However - this is a very non-standard setup and is fraught with security risks - do you really want to give your users permission to access that database directly?
Instead can I suggest that you look again at your design - what are you trying to achieve?
Running the console application in the context of the same user as the application pool did the trick. So the solution would be to use the runas command.