Has anybody experienced Sharepoint always returning true for rlAuthorizationModule.CheckUrlAccessForPrincipal even if the virtual path is not configured to allow anonymous access. Is there an alternative method to check for anon access in SharePoint?
Security Note: If the UrlAuthorizationModule is not defined in the httpModules configuration section for the application, the UrlAuthorizationModule always returns true.
Please see the following url:
http://authors.aspalliance.com/aspxtreme/sys/web/security/UrlAuthorizationModuleClassCheckUrlAccessForPrincipal.aspx
Long shot, but two things you could check:
Is your virtual path inherriting anonymous access from a higher level path?
Are you checking the anonymous user or are you checking a user principle that has access?
When anon access is enabled on Sharepoint for a site the method will always return true.
Related
Currently we (myself and my company) have an asp.net mvc4 page. We wish to utilize a logon page which authenticates via AD. One requirement being with an unsuccessful attempt we give back some information to the user.
The information we would like to have would be something like:
Invalid user/pw
Account is locked
Password expired
This is unfamiliar territory so I'm not sure what .NET libraries may be available. So far I've only come across the System.DirectoryServices but it doesn't seem I will get results beyond a bool.
Is this possible? Any references, suggestions, or examples would be greatly appreciated!
You can use PrincipalContext.ValidateCredentials to validate your credentials first. If false is returned, use the static UserPrincipal.FindByIdentity to find your user then, if found, look to see if the account is locked out using IsAccountLockedOut().
You might need to extend UserPrincipal yourself to see if the password is expired, I'm not seeing a direct property/method. You can extend it to access the userAccountControl attribute directly and check to see if bit 0x800000 is set, which is PasswordExpired. Here is more information on the userAccountControl values.
Suppose you have code like this
try
{
SearchResult result = searcher.FindOne();
}
catch(Exception e)
{
// now what?
}
Now in Exception you can deal with LDAP exception type, Here is the List of all LDAP error's.
http://msdn.microsoft.com/en-us/library/aa746530(v=vs.85).aspx
You can identify on the basis of ADSI Error Value which type of error you are getting.
But according to me you should give user a single common error like invalid credentials because LDAP error are much hard to deal with.
Cheers.!!
I'm creating a service on a machine in C# via a win32 API call to CreateService. The MSDN page for that function says about the lpServiceStartName param:
The name of the account under which the service should run. If the
service type is SERVICE_WIN32_OWN_PROCESS, use an account name in the
form DomainName\UserName. The service process will be logged on as
this user. If the account belongs to the built-in domain, you can
specify .\UserName.
On the remote machine, the user myuser belongs to the default local domain WORKGROUP. If I pass ".\myuser", everything works fine. If I pass "WORKGROUP\myuser", I get ERROR_INVALID_SERVICE_ACCOUNT.
I'm curious about this behavior, as the above docs seem to say I can specify .\myuser, not that I must. Can anyone shed any light on this?
First of all, I'm not an expert in windows account management, and I may get a few downvotes here, but here is what I noticed when I was testing windows services log on identities.
As documentation states, you can specify ".\UserName" if the account belongs to the built-in domain. Built-in domain includes groups and users created when OS is installed (link).
So instead of ".\UserName", you can specify "BUILTIN\UserName" since BUILTIN is the name of the built-in domain.
In practice, it worked for "BUILTIN\Administrators" and "BUILTIN\Guests", but it didn't work for user "BUILTIN\Guest".
If you try to create a new local group and local user and set it as a log on identity, you will still see it in a form ".\UserName". This may be inaccuracy in documentation, but in any case, for local user accounts that are not built-in accounts you can replace the dot with machine name: "MACHINE\UserName".
Was curious if there was a way to check if a user is authenticated before making a method call and then returning a custom object and not completing the call if they aren't. For example:
We set the user principal in the Application_PostAuthenticateRequest in the global.asax to the user making the request if they are authenticated or to an anonymous user if they aren't. Currently in all methods that require authentication we have something similar to the following code:
public Result GetSomeObject()
{
if (HttpContext.Current.Request.IsAuthenticated)
{
}
}
Bottom line: We want to be able to check IsAuthenticated BEFORE we let WCF get inside the method on methods that require authentication, and if true, continue, if not, return a Result object (JSON) with an authentication error.
What you need to develop is called ServiceAuthorizationManager in WCF. You can find more information about this on:
http://pieterderycke.wordpress.com/2011/04/07/implementing-restricted-access-to-a-wcf-service-with-the-serviceauthorizationmanager/
You can write a custom httpmodule to intercept the requests to the service layer and do the authentication in there.
This article may be a starting point for what you are looking for: http://pieterderycke.wordpress.com/2010/12/04/extending-wcf-creating-a-logging-component/
I am trying to make use of the active directory membership rather than SQL but there is very limited documentation available online. I have managed to connect my application to the domain controller without any problems but when you use "Context.User.Identity.Name" it comes up with DOMAIN\User. I want to basically drill down and get information such as full name, e-mail address, etc.
I just need a useful link and the searching I have done doesn't appear to have got me anywhere!
Many thanks
This should give you a bit of a clue: http://msdn.microsoft.com/en-us/library/ms973834.aspx
and here is a list of LDAP properties that you might want to play around with in the search result: http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm
Have you tried with this doc?
http://msdn.microsoft.com/en-US/library/system.web.security.activedirectorymembershipprovider%28v=vs.90%29.aspx
Can help?
If you are making use of Active Directory then you are likely using Windows Authentication. If so, all you need to do is:
Reference System.DirectoryServices.AccountManagement
In code (perhaps a controller action or model constructor)
// establishes your domain as the context for your user lookup
var principalContext = new PrincipalContext(ContextType.Domain, "domainName");
// gets the current user's UserPrincipal object
var userPrincipal.FindByIdentity(principalContext, #User.Identity.Name)
// example
var email = userPrincipal.EmailAddress;
Note:
This works because Windows Authentication means User.Identity on the current HttpContext is a WindowsIdentity and thus its Name property can be used to search AD.
You aren't limited to looking up the current user. You can use FindByIdentity() to search any value passed, and this method exists on other principals (ex. GroupPrincipal). You can also designate you wish to search by another type such as SID instead of Name.
Enjoy!
We use Sharepoint as CMS for our webpages at work. I know how to create controls that can be only visible if you have logged in in SharePoint with:
<Sharepoint:SPSecurityTrimmedControl ID="SPSecurityTrimmedControl1" runat="server" PermissionsString="AddAndCustomizePages"><br />
<Sharepoint:CssLink ID="CssLink1" runat="server"/><br />
</Sharepoint:SPSecurityTrimmedControl>
But I want to know how to make controls visible (or whatever) programmatically depending on permissions.
I cannot use the methods for .NET windows form authentication like:
if (!(HttpContext.Current.User == null) && HttpContext.Current.User.Identity.IsAuthenticated){}
because we use this for anonymous users who has another type of log in.
Could you provide some code? I know that it must be something like verifying the SPContext.Current.FormContext.
How are the users authenticated? With forms authentication or Windows/active directory?
If active directory, then I think in that case you might need to get a reference to the current SPWeb, and then do web.CurrentUser.ID. This might come out null when you are anonymous. If not, try web.SiteUsers.GetByID(web.CurrentUser.ID) and see what you get.
DoesUserHavePermissions
You can use this method on the current web to check if the current user has a specific permission.
I assume your authenticated users have some permission to check for that the anonymous crowd is denied.
Although I haven't tested it, I imagine the LoginName property of the SPUser object will be blank, or throw an exception.
... of course, its never safe to presume anything when dealing w/the SharePoint OM :(