Synopsis:
I need to access the calendar events for a user that has delegated their calendar access to me on the company Exchange Server. The delegation is in place and I'm able to view/modify the other user's calendar using the Outlook 2007 client, so I know the delegation rights are correct; however, I'm not able to query the events using the ColdFusion cfexchange* tags.
According to the ColdFusion documentation this is possible, see http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSc3ff6d0ea77859461172e0811cbec14f31-7ff6.html
Systems:
ColdFusion 10 Enterprise x64 Update 0 running on Ubuntu Server 12.04 x64 LTS
Exchange Server Standard 2010 SP 1 running on Windows Server 2008 R2
Outlook 2007 running on Windows XP Professional SP3
Details
The following code is what I'm using, with the specific and sensitive bits removed. If I remove the mailboxName attribute, or if I use the same username value, then I'm able to successfully see 25 of my calendar events. However when I use the mailbox name of the person who has delegated their calendar access to me I receive the error below.
The other user delegated access to me from within their Outlook 2007. They did this by going to the Tools menu, selecting Options, clicking on Delegates then clicking the Add button, selecting my name, clicking the Add button, clicking the OK button and then giving me Calendar = Editor permissions and None for all other permissions.
I should also note that if I use an Exchange account that has been granted Exchange Administrator rights and access to the other user's mailbox I'm able to see the other user's events. However, if I try to use my credentials, which is the way we need it to work, it fails.
Code:
    <cfexchangeConnection
        action = "open"
        connection = "myExchangeConnection"
        username = "myUserName"
        password = "mySecr3t"
        server = "exchange.company.com"
        formBasedAuthentication = "yes"
        formBasedAuthenticationURL = "https://exchange.company.com/owa/auth/owaauth.dll"
        protocol = "https"
        serverversion = "2010"
        mailboxName = "otherUserName"
    >
    <cfexchangecalendar
        action="get"
        name="myCalendar"
        connection="myExchangeConnection"
    >
        <cfexchangefilter
            name = "maxRows"
            value = "25">
    </cfexchangecalendar>
Error Message
Detail: The specified object was not found in the store.
Message: Could not connect to the exchange server with the credentials.
StackTrace:
    coldfusion.exchange.webservice.EWSException: Could not connect to the exchange server with the credentials.
        at coldfusion.exchange.webservice.EWSConnection.login(EWSConnection.java:1777)
        at coldfusion.tagext.net.exchange.ExchangeTag.createConnection(ExchangeTag.java:499)
        at coldfusion.tagext.net.exchange.ExchangeConnectionTag.doEndTag(ExchangeConnectionTag.java:70)
        at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2800)
        at cfindex2ecfm2100699610.runPage(/mnt/hgfs/ftcr/index.cfm:72)
        at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:244)
        at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:444)
        at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
        at coldfusion.filter.IpFilter.invoke(IpFilter.java:64)
        at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:443)
        at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
        at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
        at coldfusion.filter.PathFilter.invoke(PathFilter.java:112)
        at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30)
        at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
        at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
        at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
        at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
        at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
        at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
        at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
        at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151)
        at coldfusion.CfmServlet.service(CfmServlet.java:204)
        at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
        at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:928)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:414)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:539)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:300)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
I was finally able to get this to work. The fault doesn't appear to be with the code posted above but rather a lack of clarity in the Adobe documentation and an adjustment in the access rights that user "otherUserName" has to grant to "myUserName".
The section "Managing connections to the Exchange server" in the "Developing ColdFusion 10 Applications" documentation states "you can also connect to any mailbox whose owner has delegated access rights to the login user name". I understood that to mean that if the owner delegates just calendar access rights to my user account that I can query their calendar. However this doesn't appear to be the case. The user had to delegate both calendar access and inbox access to my user account before I was able to query just their calendar events.
The other way I found to accomplish this is by creating an Exchange account with Exchange Administrator privileges and granting it access to the users' mailboxes. I would then use this Exchange account for the username and password in the cfexchangeconnection and could query the events of any users that the Exchange account had access to.
Related
I use Microsoft Authenticator for my MFA needs. When I log into O365 and need a second authentication factor it will send the request to my device where it prompts me to accept or reject the login there. Even better, I can accept it on my watch without taking my phone out of my pocket. I can also key the code from the Authenticator app into the browser where I'm trying to access the O365 service, but the prompt works most of the time.
I recently started working with AWS and using their MFA setup and added it to Microsoft Authenticator. Whenever I start a new AWS session I'm prompted for my MFA code, which I can retrieve from the Authenticator app, but it doesn't have the oh-so-convenient prompt on my phone and watch that I can just click to say "authorize". Is there something I can do to make AWS prompt me to approve logins via my phone, or is that some sort of Microsoft-only access that O365 has? Or can I get that functionality from a different authentication app?
I'm following the tutorial from here: https://community.snowflake.com/s/article/Amplifying-Outcomes-with-Snowflake
In PowerBI Desktop, I'm trying to "Get Data" and receive the following error: Details: "ODBC: ERROR [28000] Role 'POWERBI_ROLE' specified in the connect string is not granted to this user. Contact your local system administrator, or attempt to login with another role, e.g. PUBLIC.
ERROR [28000] Role 'POWERBI_ROLE' specified in the connect string is not granted to this user. Contact your local system administrator, or attempt to login with another role, e.g. PUBLIC."
In Snowflake I've added the role to the user by using the query:
ALTER USER POWERBI_USER_ACCOUNT SET DEFAULT_ROLE=POWERBI_ROLE;
I've done this multiple times in Snowflake, and did not receive an error.
I've tried editing the ODBC connection in the "ODBC Data Source Administrator (64-bit)" Windows OS pref pane, and used the role PUBLIC as suggested, but still receive the same error.
Any suggestions?
Also, does Snowflake provide technical support, or are users left to post in public forums for technical support? A bit confused.
You need to run the following to grant the role to the user:
GRANT ROLE POWERBI_ROLE TO USER POWERBI_USER_ACCOUNT;
Looks like the article is missing this step.
Snowflake does provide tech support, you need to work with your account rep to set it up.
I am trying to link Flow with Office 365 Outlook. Every time I try to authorise the connection I get:
OAuth2Certificate authorization flow failed for service 'Office 365
(Discovery, Certificate)'. O365 discovery endpoint returned status code 401
(Unauthorized). Response:\r\n{"error":{"code":"-2147024891,
System.UnauthorizedAccessException","message":"Access denied. You do not have
permission to perform this action or access this resource."}}
I am the owner of the Office 365 account and this is a home account, not a business one. I am not sure if this makes a difference.
Hope someone can help
I've also faced the same issue and now it's working fine after switching to "Outlook.com". The below is from the official documentation:
> For Azure work or school accounts, select Office 365 Outlook.
> For personal Microsoft accounts, select Outlook.com.
So, I think one needs to use "Outlook.com" for the home account.
We have the WSO2 API Manager deployed and working, although we are unable to figure out an issue about user addition. We want to add the users via the management console (Carbon) and after being added we want the user to receive an email saying that his/her account was successfully created.
Although there is documentation for a workflow extension when the user signs up, we were unable to find any documentation regarding the matter we've pointed out. Is this possible to achieve via the API Manager or with some kind of workflow extension?
Thanks in advance!
EDIT: We are using WSO2 API Manager 1.10.0.
If your requirement is to create a user through the management console and allow the created user to define a password, you can configure APIM server to support 'Ask password from user' feature. (In this feature, APIM server administration can create a user through the management console and provide the email address of the user, so that user can set the password through the redirection URL provided in the email). To configure 'Ask password from user' feature follow the instructions given in https://docs.wso2.com/display/IS510/Creating+Users+Using+the+Ask+Password+Option.
If you want the APIM server administrator to set the username and password through the APIM management console and only send a notification to the user that his/her account is created successfully, then you have to write a custom component, because this is not supported by default.
BCS Security trimming with an ADFS login to SharePoint 2013 is not working for me with a custom connector. By not working I mean that when logged in via Windows authentication, a user that has access to these BCS records can see them in search (this is correct). The same user logged in with ADFS cannot see these same records in search (this is not correct).
The setup I have is SharePoint 2013 on Windows 2012 R2 with ADFS. A SQL server database is being crawled via BCS with a custom .NET connector. The connector provides security trimming at crawl time by adding ACLs. The ACLs are created based on an AD Security Group that has a number of AD users as members (the logged in user is one of these members). The AD Security group is included as part of the claim and shows up as follows:
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
        <saml:AttributeValue>BCSSecurityGroup1</saml:AttributeValue>
    </saml:Attribute>
BCSSecurityGroup1 is the AD Security Group that contains the users.
The odd thing is that even if I give everyone access to these records within the ACL (i.e. using WellKnownSidType.WorldSid), the ADFS logins still do not get these items returned in search. Even stranger is that if I go to the URL for the BCS profile page for the record(s) in question, the ADFS user does have access.
Here is the question. What do I need to do to have search results reflect the ACL added security at crawl time?
As it turns out, this is actually pretty straightforward to get working. First, the AD Security Group was changed to individual AD users for troubleshooting purposes (domain\username). Looking at how the ACL is built in the connector, the domain account is used to get the SID, and the SID is then used to build the ACL. Ah ha! So the missing link is that with the AD FS claim, the SID is not being mapped. This was determined by using the Fiddler plugin to show claims under the inspector tab - http://identitymodel.codeplex.com/releases/view/52187.
Adding the SID claim in AD FS is done as a claim rule. Add a claim rule from the "Pass Through or Filter an Incoming Claim" template. Give it a name, select "Primary SID" for the Incoming claim type, and ensure that "Pass through all claim values" is selected. Restart the AD FS service for peace of mind. Also, this assumes that the Trusted Identity Token Issuer in SharePoint was created with a SID claims mapping.
In my case, I had to run another crawl on the BCS content source due to changing back to user names from AD security groups. Although I have not yet tested this, AD security groups should work the same way, but by passing through the Group SID. Hope this helps someone in the future. Cheers!
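The diagnosis described in the answer above can be repeated offline on a captured token; the following is an added example, not part of the original answer or of any SharePoint/AD FS tooling. It parses SAML 1.1 attribute statements like the one quoted in the question and reports whether the token carries a SID that appears in the crawl-time ACL. The SID value, the sample tokens and the function names are constructed for illustration, and the comparison is a simplified model of the trimming mismatch, not SharePoint's actual algorithm.

```python
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertion namespace
MS_CLAIMS = "http://schemas.microsoft.com/ws/2008/06/identity/claims"
PRIMARY_SID = MS_CLAIMS + "/primarysid"
GROUP_SID = MS_CLAIMS + "/groupsid"

def claims_from_assertion(xml_text):
    """Map claim type URI -> values for every SAML 1.1 attribute in the token."""
    claims = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML11}}}Attribute"):
        # SAML 1.1 splits the claim type into namespace + name; rejoin them.
        namespace = attr.get("AttributeNamespace", "").rstrip("/")
        ctype = namespace + "/" + attr.get("AttributeName", "")
        values = [(v.text or "").strip()
                  for v in attr.iter(f"{{{SAML11}}}AttributeValue")]
        claims.setdefault(ctype, []).extend(values)
    return claims

def trimming_check(claims, acl_sids):
    """Report whether the token carries any SID that the crawl-time ACL lists."""
    token_sids = set(claims.get(PRIMARY_SID, [])) | set(claims.get(GROUP_SID, []))
    return {"has_primary_sid": PRIMARY_SID in claims,
            "matching_sids": sorted(token_sids & set(acl_sids))}

def _token(attributes):
    """Build a constructed SAML 1.1 attribute statement for the demo."""
    body = "".join(
        f'<saml:Attribute AttributeName="{name}" AttributeNamespace="{ns}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for ns, name, value in attributes)
    return (f'<saml:AttributeStatement xmlns:saml="{SAML11}">'
            f"{body}</saml:AttributeStatement>")

# Constructed sample data: the SID is invented; the Group claim mirrors the question.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ACL_SIDS = [USER_SID]                      # what the connector wrote at crawl time
GROUP = ("http://schemas.xmlsoap.org/claims", "Group", "BCSSecurityGroup1")
BEFORE = _token([GROUP])                   # token before the pass-through rule
AFTER = _token([GROUP, (MS_CLAIMS, "primarysid", USER_SID)])  # with Primary SID

if __name__ == "__main__":
    for label, tok in (("before", BEFORE), ("after", AFTER)):
        print(label, trimming_check(claims_from_assertion(tok), ACL_SIDS))
```

A token that carries only the Group name claim produces no SID overlap with the ACL, which matches the symptom in the question: the group name is present, but nothing in the token can be compared with the SIDs the connector stored.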