Forms/AD Authentication with Sharepoint - security

All,
I'm configuring SharePoint to use forms authentication with LDAP/Active Directory. I'm new to SharePoint, so if this is obvious, please point me in the right direction.
Whenever I attempt to log in with a bad account or password, I get the very friendly (and correct) error message, "The server could not sign you in. Make sure your user name and password are correct, and then try again." ... which implies that SharePoint is able to communicate with AD. If I log in with a valid account, I get a page that says:
(screenshot: http://img63.imageshack.us/img63/6053/sharepointerror.png)
(I added the grey bar to cover up the login name)
Any suggestions? The account I'm logging in with is an administrator and has been granted full control in central administration.
Also, an interesting note: if I click the "sign in as a different user" link and attempt to sign in using the same credentials I just used, the site just redirects back to the login page, with no error or status message. If I then manually enter the site URL, it again shows the "Error: Access Denied" page. Argh.

Go to Site Actions of the actual site and add the user in the format of
:loginid
It should resolve and show underlined; then try logging back in to the application. That should fix it.
Your AD connection is working fine; you just need to add the user to the SharePoint users list as
yourprovider:userid
Yourprovider is the name you gave to the user provider in web.config.
And you can add this user from the parent site that is Windows protected and you have all

I suppose it's a SharePoint site security issue.
I'm getting the same error when trying to enter the Site Settings page with a user that lacks permissions.
If you have at least one user that can access the Site Settings page, I suggest you go to Site Actions/Site Settings/Users and Permissions/People and groups, then click the New button and add a user from AD to an appropriate group, e.g. Team Site Members.

You have made the connection with AD and it's working fine. That is why you got an error when you tried to log in with an invalid user ID.
But you have missed one step in the above scenario.
You need to give permission to all AD users in your SharePoint site. The better way is to create a user group in AD (it may already be there) which includes all the users, and add this user group to your SharePoint site with read permission.
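The two fixes above (add the forms user as provider:userid, or grant a directory group read permission) done from the SharePoint Management Shell instead of the UI. This is an added example, not code from the thread; it assumes SharePoint 2010 or later (a claims-mode web application, where the forms identity "provider:user" is encoded as i:0#.f|provider|user and a role as c:0-.f|roleprovider|role), a membership provider named "ldapmember" and a role provider named "ldaprole" in web.config, and placeholder URL, user and group names.

```powershell
# Added example (not from the thread). Assumes SharePoint 2010+ claims web app;
# provider names, URL, user and group are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl            = "http://sharepoint.example.local"
$membershipProvider = "ldapmember"        # name given to the membership provider in web.config
$roleProvider       = "ldaprole"          # name given to the role provider in web.config
$userName           = "jsmith"            # the LDAP/AD account that gets "Access Denied"
$readersRole        = "SharePointReaders" # AD group exposed through the role provider

# Claims encoding of "provider:user" (forms user) and "roleprovider:role" (forms role)
$userLogin = "i:0#.f|$membershipProvider|$userName"
$roleLogin = "c:0-.f|$roleProvider|$readersRole"

$web = Get-SPWeb $siteUrl
try {
    # Does the user already hold at least View Pages on this web?
    $canView = $web.DoesUserHavePermissions($userLogin,
                   [Microsoft.SharePoint.SPBasePermissions]::ViewPages)
    if ($canView) {
        Write-Host "$userName already has view rights on $siteUrl"
    } else {
        # Resolve the identity through the provider (the "underlined name" step in the UI)
        $user = $web.EnsureUser($userLogin)
        # Least privilege: put the user in the Visitors group (Read), not Owners
        $web.AssociatedVisitorGroup.AddUser($user)
        Write-Host "Added $($user.LoginName) to $($web.AssociatedVisitorGroup.Name)"
    }

    # Grant a whole directory group read access in one step (third answer's approach)
    $role = $web.EnsureUser($roleLogin)
    $web.AssociatedVisitorGroup.AddUser($role)
    Write-Host "Added role $readersRole to $($web.AssociatedVisitorGroup.Name)"
}
finally {
    $web.Dispose()
}
```

Run it from a farm account with rights on the web application; if EnsureUser fails, the provider name in the login string does not match the one in web.config, which is the same mismatch that leaves the people picker unable to resolve the user.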

Related

UnauthorizedAccessException for limited permissions user via REST API

Not sure if this is the right place to post a dev question, so please point me to the right place if it's not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using the REST API, that user gets an "UnauthorizedAccessException" error.
REST API URLs we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features
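The same feature toggle scripted with PnP PowerShell, so it can be checked and reverted from the command line rather than the Site Settings page. This is an added example, not code from the answer above; it assumes PnP PowerShell is installed, the account is a site collection administrator, the site URL is a placeholder, and that the feature's internal name (what Get-PnPFeature reports as DisplayName) is ViewFormPagesLockDown.

```powershell
# Added example (not from the thread). Assumes PnP PowerShell; URL is a placeholder.
$siteUrl = "https://contoso.sharepoint.com/sites/qa/permissions"
# Assumed internal name of "Limited-access user permission lockdown mode"
$lockdownName = "ViewFormPagesLockDown"

Connect-PnPOnline -Url $siteUrl -Interactive

# Get-PnPFeature lists the features currently active at the given scope
$lockdown = Get-PnPFeature -Scope Site | Where-Object { $_.DisplayName -eq $lockdownName }

if ($null -eq $lockdown) {
    Write-Host "Lockdown mode is already inactive on $siteUrl"
} else {
    Write-Host "Lockdown mode active (feature id $($lockdown.DefinitionId)); deactivating"
    # Note the trade-off: deactivating it affects every Limited Access user in the
    # site collection, not just the one who needs the REST call on the shared list
    Disable-PnPFeature -Identity $lockdown.DefinitionId -Scope Site
}

# Verify the change took effect
$after = Get-PnPFeature -Scope Site | Where-Object { $_.DisplayName -eq $lockdownName }
Write-Host ("Lockdown active after change: {0}" -f ($null -ne $after))
```

Keep the DefinitionId it prints; Enable-PnPFeature with that id and -Scope Site turns lockdown mode back on once the list-level access has been redesigned.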

SharePoint 2013 user profile service change homepage

I have a SharePoint 2013 farm on which I started, configured and synced the User Profile Service successfully. Now when each user browses the site homepage for the first time, it shows a white page with 2 links, "go to site" and "change attribute". How could I disable this page?
I saw the same error when one of the user profile properties wasn't set. In my case the user's location wasn't set. If the user goes to edit their profile and saves it without any changes, it fixes the issue. In my case, only a few users were affected by this issue. You can write a script to update the missing property for all the users.

SharePoint 2013 access denied error after successful login

SharePoint is showing strange behavior when I use my custom login page, which uses the credentials entered to get authenticated by my custom Security Token Service (trusted identity provider) for SharePoint. When my identity provider sends a response to SharePoint, it redirects me to this URL:
http://WebAppURL/_layouts/15/AccessDenied.aspx
This should not appear because my identity provider has authenticated it. I was messing around with things, and while doing that I changed my URL from the above to
http://WebAppURL/ (got rid of _layouts/15/AccessDenied.aspx)
and it worked. Now whenever I log into my SharePoint web app I first get this access denied page, and then after I change my URL I get all the claims sent by my identity provider.
Can anyone out there help me with this redirection issue? For the realm I give while registering my IP-STS with SharePoint, I use
http://webappURL/_trust/default.aspx
and also tried
http://webappURL/_trust as well, but no success.
Any help or suggestion is appreciated. Thank you.
It turns out that permission to the site collection master page gallery had been removed. So even though the users had permissions to the master page gallery on the subsite, they were getting access denied errors on the subsite. We're not sure how the permissions on the site collection master page gallery were removed.
or see if this helps here.
In my case, I needed to update the permissions on the /_trust directory to include Everyone with Read permissions.

SharePoint caches incorrect credentials

Every morning when I fire up my VM and IE (in my host OS) and go to my SP site, it always logs me on automatically as DOMAIN\george, which is a user I created for testing permissions.
So every morning after that I click "sign in as a different user" to sign in as my sys admin user instead and most days that is the only user I use. Any idea why george's credentials are being cached?
Part of "firing up my VM" is running a script that starts IIS as well as some services. I'm not entirely sure SharePoint is responsible for this, could very well be ASP.Net.
EDIT: I've already tried clearing my cookies.
Had a very similar problem! To solve it, go to 'User Accounts' under the Windows Control panel.
Navigate to 'Manage your network passwords'. Select the domain you wish to clear and select 'Remove'.
You should now have a clean login dialogue box and when you check the 'remember me' box, this will be stored as the login default for that domain.
I was able to remove the test login credentials using the User Account control panel applet in Windows 7
Open the Manage Credentials link.
Find the Sharepoint Login in the Windows Vault.
Expand the address for the site
Remove the test login for this site.
After doing this I am no longer prompted for the login and login as different user prompt.
Have you checked that there are no logins and passwords being stored by the browser? Assuming you are using IE, see this article on how to clear them.
Is DOMAIN\george the same user ID you are logging in to the VM with? If that is the case, try changing the setting in IE that dictates what user name is sent to the server. Just go to Tools -> Settings -> Security and click on Custom Level, scroll down to the bottom and you will find the User Authentication option; select "Prompt for user name and password".
It could also be that you are using IE8, that caches my credentials as well it seems.
IE8 stores credentials for favourites it seems, don't ask me why. What you should do is log in as the needed user, then save a new favourite (or add it to the favourites bar by dragging it). Then use that link to go to your site.
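A scripted version of the checks the answers above describe: which logon mode each IE zone uses (the "User Authentication" custom-level setting) and which Windows vault entries hold credentials for the SharePoint host, with the option to remove them. This is an added example, not from the thread; it assumes a Windows client, a placeholder host name, and that cmdkey /delete accepts the value after "target=" in its own /list output.

```powershell
# Added example (not from the thread). Host name is a placeholder.
$spHost = "sharepoint.example.local"

# 1. IE zone logon mode: registry value 1A00 under each zone key.
#    0x0 = automatic logon with current user, 0x10000 = prompt for user name and password,
#    0x20000 = automatic logon only in Intranet zone, 0x30000 = anonymous logon
$zoneNames  = @{ 1 = "Local intranet"; 2 = "Trusted sites"; 3 = "Internet" }
$logonModes = @{ 0       = "Automatic logon with current user";
                 0x10000 = "Prompt for user name and password";
                 0x20000 = "Automatic logon only in Intranet zone";
                 0x30000 = "Anonymous logon" }
foreach ($zone in 1..3) {
    $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    $value = (Get-ItemProperty -Path $key -Name "1A00" -ErrorAction SilentlyContinue)."1A00"
    $mode  = if ($null -ne $value -and $logonModes.ContainsKey([int]$value)) { $logonModes[[int]$value] }
             else { "not set / unknown ($value)" }
    Write-Host ("{0,-15}: {1}" -f $zoneNames[$zone], $mode)
}

# 2. Stored credentials for the SharePoint host (what "Manage your network passwords"
#    shows). cmdkey /list prints one "Target: ..." line per vault entry.
$targets = cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
}
$spTargets = $targets | Where-Object { $_ -like "*$spHost*" }

if (-not $spTargets) {
    Write-Host "No stored credentials found for $spHost"
} else {
    foreach ($t in $spTargets) {
        # Entries print as e.g. "Domain:target=host"; strip the type prefix for /delete (assumed)
        $name = $t -replace '^.*?target=', ''
        Write-Host "Removing stored credential for $name"
        cmdkey /delete:$name | Out-Null
    }
}
```

Run it as the same Windows user whose browser is auto-signing in as DOMAIN\george; the vault is per user, so another account's entries will not show.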

MOSS FBA never asking for creds

I've set up FBA on an extended site, added a user, verified the central admin can read the users (people picker works fine).
The problem is, no matter what I try, I never get asked for credentials; I just get a "You are not authorized to view this page". I have a feeling it's something in IIS, but I've added all the anonymous accounts I can think of.
If I switch the authentication type back to windows it works fine.
I've read countless how-to's and I don't think I am missing a step, they all just end with "you should now see the login page" which I am denied from.
Any tips?
I downloaded http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en and ran it on my site, and determined that someone (##$##$) changed the IUSR password and never logged it or updated it. Either way, it's working now, and I'd recommend this tool as it solved my issue in two seconds flat!
If this is in IE, check your setting for User Authentication (all the way at the bottom) for the current zone in Internet Options. That happens when the setting is "Automatically logon with current user name and password" rather than "Prompt for user name and password".
Creating the user in the FBA store is one thing, and giving that user access in SharePoint is another. Did you make the user a site owner for the site you are trying to access?