Sharepoint UserProfileService - sharepoint

I've got a SharePoint site and a custom ASPX portal, both under Windows Authentication.
On the same machine, it happens that my SharePoint site returns my current login, while my custom ASPX portal returns my domain admin account instead.
Is there any way I could ensure both logins are the same? Otherwise, is there any way to consume SPUserProfileService from a custom ASPX portal?
Mainly, I need the custom ASPX portal to get the SharePoint logon ID. Nevertheless, I could still trigger AccessDenied.aspx in SharePoint to prompt for logins.

When you say "Custom ASPX Portal", is it still hosted on the SharePoint Site?
In that case, how do you get the user? You can use SPContext.Current.Web.CurrentUser to get the user.

It seems that you are connecting from your custom aspx to SharePoint using your Domain Admin Account.
Could you please describe more about your custom aspx portal and the way you are reading the username?
However, you can check my article (Even though it is for FBA users, you may find the code snippet useful):
Possible ways to get logged in User Name & Handling Changes in FBA Users' Names if Membership Provider Name Changed
public string GetFlatUserName()
{
    // First, be sure that the user is not an anonymous user:
    if (SPContext.Current == null || SPContext.Current.Web.CurrentUser == null)
        return "Anonymous";

    // Second, parse it: strip the "DOMAIN\" (Windows) or "provider|" (claims/FBA) prefix
    string flatUserName = this.Page.User.Identity.Name;
    if (flatUserName.Contains("\\"))
    {
        flatUserName = flatUserName.Substring(flatUserName.IndexOf("\\") + 1);
    }
    else if (flatUserName.Contains("|"))
    {
        flatUserName = flatUserName.Substring(flatUserName.IndexOf("|") + 1);
    }
    return flatUserName;
}

Related

Redirecting to error page when clicked on the cancel button on admin consent

Hi, I am developing a web application. I am using Azure Active Directory for the login process. I am working on admin consent. I am able to redirect to admin consent and give the consent. On the admin consent page, whenever I click the cancel button, I am redirected to an error page.
Below is the URL I am redirected to when the cancel button is clicked on the admin consent page.
https://mywebsite.net/adminconsent?error=access_denied&error_description=AADSTS65004%3a+The+resource+owner+or+authorization+server+denied+the+request.%0d%0aTrace+ID%3a+7798f669-f82d-4b55-8c9b-1259142e1900%0d%0aCorrelation+ID%3a+82764c15-3e79-4905-840b-952af3dfe6fc%0d%0aTimestamp%3a+2018-09-07+13%3a30%3a42Z
Can someone help me to identify the root cause of the issue? Any help would be appreciated. Thank you.
You're getting the relevant error code back from Azure AD, 65004, telling you the root cause: the admin has declined to consent. The description is visible in the URL, and you can confirm the meaning of the error code by looking it up here:
Sign-in activity report error codes in the Azure Active Directory portal
65004: User declined to consent to access the app. Have the user retry the sign-in and consent to the app.
Update about displaying a meaningful error page
You haven't mentioned what you're using to write your web application. In any case, I tried out a quick ASP.NET MVC web application with a similar setup and I clearly get back the response in query string parameters. All you need to do is read the query string from the URL (I have the HttpRequest.QueryString collection in my sample) and check for error/error_description.
Here is a quick code sample doing that in the MVC controller:
using System.Linq;
using System.Web.Mvc;

public class AdminConsentController : Controller
{
    // GET: AdminConsent
    public ActionResult Index()
    {
        if (Request.QueryString.AllKeys.Contains("error")
            && Request.QueryString.AllKeys.Contains("error_description"))
        {
            string errorDescription = Request.QueryString["error_description"];
            // AADSTS65004 is the "admin declined consent" code seen in the question's URL
            if (errorDescription.Contains("AADSTS65004"))
            {
                // Do something good about it, e.g. render a "consent declined" view
            }
        }
        // If no errors, simply return the view
        return View();
    }
}
Since you mention Angular 5, here's a quick sample for that.
Take a look at this SO post for multiple options
ngOnInit() {
    // Query-string values (?error=...&error_description=...) are in queryParamMap;
    // paramMap only holds route segments such as /consent/:id
    this.error = this.route.snapshot.queryParamMap.get('error');
    this.errorDescription = this.route.snapshot.queryParamMap.get('error_description');
}
And if you don't want to use anything fancy, plain old window.location should always work from client side. May not be the recommended way though.
window.location.href
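As an added example (not code from the answer above), here is a C# helper that breaks the consent redirect URL quoted in the question into loggable fields: the OAuth error, the AADSTS code, the message, and the Trace ID, Correlation ID and Timestamp lines Azure AD appends to error_description. The identifiers are what you log and quote to support; the user should only ever see the message. Class and member names are my own.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility lives in System.Web.dll

// Added helper (not from the original answer): breaks a consent redirect URL
// like the one in the question into loggable fields.
public sealed class ConsentError
{
    public string Error;          // e.g. "access_denied"
    public string Code;           // e.g. "AADSTS65004"
    public string Message;        // first line of error_description, minus the code
    public string TraceId;
    public string CorrelationId;
    public string Timestamp;
}

public static class ConsentErrorParser
{
    // Returns null when the redirect carries no error (consent was granted).
    public static ConsentError Parse(string redirectUrl)
    {
        var query = HttpUtility.ParseQueryString(new Uri(redirectUrl).Query);
        if (query["error"] == null) return null;

        var result = new ConsentError { Error = query["error"] };
        // ParseQueryString already decodes %0d%0a to CR LF and '+' to space, so the
        // description is "AADSTS...: message" followed by "Key: value" lines.
        string description = query["error_description"] ?? string.Empty;
        string[] lines = description.Split(new[] { "\r\n" }, StringSplitOptions.RemoveEmptyEntries);

        if (lines.Length > 0)
        {
            Match m = Regex.Match(lines[0], @"^(AADSTS\d+):\s*(.*)$");
            result.Code = m.Success ? m.Groups[1].Value : null;
            result.Message = m.Success ? m.Groups[2].Value.Trim() : lines[0].Trim();
        }
        for (int i = 1; i < lines.Length; i++)
        {
            int colon = lines[i].IndexOf(':');
            if (colon < 0) continue;
            string key = lines[i].Substring(0, colon).Trim();
            string value = lines[i].Substring(colon + 1).Trim();
            if (key == "Trace ID") result.TraceId = value;
            else if (key == "Correlation ID") result.CorrelationId = value;
            else if (key == "Timestamp") result.Timestamp = value;
        }
        return result;
    }
}
```

Fed the question's URL, Parse returns Code "AADSTS65004" with the trace and correlation IDs filled in; fed the plain /adminconsent URL of a successful consent it returns null.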

SharePoint custom security group is missing in Site Permissions

I have written a piece of code to create a custom security group in a SharePoint app. The code runs on feature activation at site level and is as follows:
public override void FeatureActivated(SPFeatureReceiverProperties properties)
{
    SPSite site = (SPSite)properties.Feature.Parent;
    using (SPWeb web = site.OpenWeb())
    {
        const string groupName = "Test Column Administrators";
        if (!GroupExists(web.SiteGroups, groupName))
        {
            web.SiteGroups.Add(groupName, web.AssociatedOwnerGroup, null, "Contains users and groups who can administer Test Column articles.");
            web.AssociatedGroups.Add(web.SiteGroups[groupName]);
            web.Update();
        }
    }
}

// Helper used above: case-insensitive lookup of a group by name
private static bool GroupExists(SPGroupCollection groups, string name)
{
    foreach (SPGroup group in groups)
    {
        if (string.Equals(group.Name, name, StringComparison.OrdinalIgnoreCase))
            return true;
    }
    return false;
}
The code does create that group and adds it to the SharePoint site; however, when I go to Site Actions -> Site Permissions (the _layouts/user.aspx page), that group is missing. But when I manually go to the groups page (_layouts/groups.aspx), it is there.
How can I get my code to create that group in such a way that it appears on the user.aspx page as well?
Thanks in advance
That is completely OK. The Groups page displays the list of groups that actually exist in the site, and the Users.aspx page displays what permissions the principals have within this site. Your code is OK, but you have to add more code that grants permissions to your group if it needs permissions. When your group has permissions within the site it will appear on the Users.aspx page. See a sample of how to add permissions to an item; the same applies at site and web level.
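As an added example (not the answer's own code or its linked sample), this is the missing step: binding a permission level to the group on the web is what makes it appear on user.aspx. The helper is mine; the group name and the Contributor level are placeholders, and it assumes the web has its own permissions (true for the root web the feature receiver above opens), since adding a role assignment to a web that inherits permissions fails.

```csharp
using System;
using Microsoft.SharePoint;

// Added helper (not from the original answer). Grants an existing site group a
// built-in permission level on the web; only principals that hold a permission
// level on the web are listed on _layouts/user.aspx. Assumes the web has unique
// permissions (the root web always does). Group name and level are placeholders.
public static class GroupPermissions
{
    public static void GrantWebPermission(SPWeb web, string groupName, SPRoleType roleType)
    {
        SPGroup group = web.SiteGroups[groupName];   // throws if the group does not exist

        // Idempotent: if the group already holds a role on this web, leave it alone.
        foreach (SPRoleAssignment existing in web.RoleAssignments)
        {
            if (existing.Member.ID == group.ID)
                return;
        }

        // Least privilege: bind the lowest built-in level that covers the task
        // (Contributor for editing articles, not Full Control).
        SPRoleDefinition level = web.RoleDefinitions.GetByType(roleType);
        SPRoleAssignment assignment = new SPRoleAssignment(group);
        assignment.RoleDefinitionBindings.Add(level);
        web.RoleAssignments.Add(assignment);
    }
}

// Call it from FeatureActivated right after creating the group, e.g.:
// GroupPermissions.GrantWebPermission(web, "Test Column Administrators", SPRoleType.Contributor);
```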

impersonate as different user inside the webpart code

I use SharePoint lists as a database.
I want to somehow impersonate a different user inside the web part code,
and then as this user I will have both write and edit permission to the list.
My goal is to be able to have full permission only through the web part code.
I am using MOSS 2007.
SPSecurity.RunWithElevatedPrivileges() will execute your code as the system account, i.e. the account under which the application pool runs, which might or might not be what you want to do. For example, if you have a workflow attached to the list which is supposed to trigger when new items are added to the list, it will not fire if you insert a new list item under the credentials of the system account (this was a security fix introduced in SharePoint 2007 SP1). In that case you will have to perform the insert operation under a different account that has the correct permissions on the list.
You can get the UserToken for any user using the following code:
SPUserToken userToken = null;
SPSecurity.RunWithElevatedPrivileges(() =>
{
    using (SPSite site = new SPSite(SPContext.Current.Site.ID))
    {
        using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
        {
            userToken = web.AllUsers["domain\\username"].UserToken;
        }
    }
});
Replace the "domain\username" with the correct windows account name. Then you can pass this user token to one of the overloads of the SPSite object constructor to execute the code under this user's credentials like so:
using (SPSite site = new SPSite(SPContext.Current.Site.ID, userToken))
{
    using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
    {
        // This code will execute under the credentials of the userToken user
    }
}
Hope this helps.
You are looking for SPSecurity.RunWithElevatedPrivileges Method.

FBA on Sharepoint 2010

I have implemented FBA (claims-based authentication) on SharePoint 2010. The following are implemented:
Custom login page
Custom sign-in page
Password recovery page (ForgetPassword.aspx)
On the ForgetPassword page the user is asked to enter the email address they used while signing up; in the code-behind I use this email to get the username via the Membership.GetUserNameByEmail function, and then pass this username to the Membership.GetUser function to get the user credentials to be sent by mail.
But now the code throws an exception saying "The function is not implemented". I am wondering: I am not using any custom database for which I had to create a custom membership provider, so why am I getting this error? Let me know if anyone has any clue or has faced a similar problem. Thanks.
Regards,
Paddy
When FBA is configured for SharePoint 2010, two membership providers are defined in the web.config file - Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider (usually named i) and System.Web.Security.SqlMembershipProvider (named FBAMembership in this case). Default membership provider must be set to the former (i.e. SharePoint claims one) in order for FBA authentication to work properly.
When the line containing Membership.GetUserNameByEmail(...) is executed, the default membership provider is used and as a result SPClaimsAuthMembershipProvider.GetUserNameByEmail is called. MSDN says that this method is reserved for internal use and is not intended to be used directly from your code and according to the comment in the Community Content section it throws NotImplementedException.
You need to retrieve an instance of the SqlMembershipProvider provider from the Membership.Providers collection and then call the GetUserNameByEmail method using this instance.
I use prefixes when configuring providers in the web.config file and then retrieve them like this:
string applicationNamePrefix = "fbaProvider_";
MembershipProvider fbaProvider = null;
foreach (MembershipProvider provider in Membership.Providers)
{
    if (provider.ApplicationName.StartsWith(applicationNamePrefix, StringComparison.InvariantCultureIgnoreCase))
    {
        fbaProvider = provider;
        break;   // first matching provider wins
    }
}
// Only fail when no provider matched; the original threw unconditionally
if (fbaProvider == null)
{
    throw new InvalidOperationException("Appropriate provider was not found.");
}

SharePoint WebPart Permissions

Hi I am using the SharePoint namespace for a webpart and I encounter some permission errors when I try to use the System account. Is there a way I can use a defined user instead of the system account?
Right now I have:
SPUserToken sysToken = SPContext.Current.Site.SystemAccount.UserToken;
using (SPSite site = new SPSite(_SPSite, sysToken))
I want to be able to use an account on the domain instead of the System account, thanks for any advice.
You may need to use RunWithElevatedPermissions to get access to the System account to work, as per the following blog post:
http://solutionizing.net/2009/01/06/elegant-spsite-elevation/
You can use the SPUserCollection
SPContext.Current.Site.RootWeb.AllUsers
to get all of the users on the site, and get the SPUser from there. Once you have the SPUser you can get the UserToken.
What are you trying to do? If you don't use a token, the web will be opened with the same permissions as the current user:
/* runs as the user requesting the web part */
SPSite site = SPContext.Current.Web.Site;
or you can wrap it in the RunWithElevatedPrivileges delegate
/* runs with admin privileges */
SPSecurity.RunWithElevatedPrivileges(
    delegate()
    {
        using (SPSite site = new SPSite(SPContext.Current.Web.Site.Url))
        {
            // do stuff
        }
    }
);
