There is a web service application hosted On IIS 7.5. Authentication mode is Windows. When calling web services through my application, useDefaultCredentials atttribute on web service client is false. So web service call made on behaf of anonymous user. And also anonymous authentication mode enabled on IIS for the web service application.
To call web services successfully, I have to give read permission to everyone on folder which the web service application resides. But this causes to folder can be reached and read from everyone.
How can I hide the folder to be seen by everyone in this case?
If I am not successful to describe the issue, I can give you detailed explanations of specific points you want to understand.
I found the solution. I granted read permission for the built-in IUSR account and removed read permission for the everyone. So in this way, anyone on the domain cannot read the folder contents anymore.
Related
I have a provider hosted app (a normal asp.net web forms application) deployed on a typical web server IIS 7.5.
While launching the app from SharePoint Site in Office 365 Multi Tenant, it's throwing the below issue on App launch.
On capturing details using Fiddler, found the following when the app is launched
SPAppToken=&SPSiteUrl=https%3A%2F%2Fabc.sharepoint.com%2Fsites%2Fspdev%2Famsdev%2Famitamsdev&SPSiteTitle=amitamsdev&SPSiteLogoUrl=%2Fsites%2Fspdev%2FSiteAssets%2Flogo.gif&SPSiteLanguage=en-US&SPSiteCulture=en-US&SPRedirectMessage=EndpointAuthorityMatches&SPCorrelationId=31477a9c-2902-204a-8393-67eced1a10b8&SPErrorCorrelationId=31477a9c-2902-204a-8393-67eced1a10b8&
SPErrorInfo=The+requested+operation+requires+an+HTTPS+%28SSL%29+channel.++Ensure+that+the+target+endpoint+address+supports+SSL+and+try+again.++Target+endpoint+address
The SPErrorInfo Part is interesting. I am unable to confirm whether we really need the remote site to be configured for https?
Additional Information - Identity Provider is ACS and it is a low trust app.
Can someone suggest?
Regards,
Nitin Rastogi
In a production environment, you should always be using HTTPS. If you don't, you're exposing yourself (and your organization) to many risks.
If this is your development environment and you are confident this isn't an issue, you may want to look at the accepted answer to this question on the MSDN forums, which mentions the same error message. Their solution to bypass the HTTPS checking:
$c = Get-SPSecurityTokenServiceConfig
$c.AllowMetadataOverHttp = $true
$c.AllowOAuthOverHttp=$true
$c.Update()
When packaging the SharePoint App from Visual Studio, you must ensure that the URL you use is using HTTPS:
In IIS, add an HTTPS binding to the site to achieve this. You would have to reupload the App to SharePoint after packaging it with the new HTTPS URL.
More information here.
How do you put web services into maintenance mode?
I've tried the app_offline.htm, doesn't seem to work well for web services. Does work for web site though.
app_offline.htm worked fine for web sites, but not for web service. When I called an web service function via code that's supposedly under maintenance (put the app_offline.htm under the root directory of the IIS web service), I still got the proper response as usual.
Ideally I would like the web service that's under maintenance to return to me a message like "under maintenance".
You can edit your Global.asax as suggested by this answer to another question. Then trigger it by setting a flag when you are in maintenance mode
In my opinion, when a service is unavailable, you should respond with a 503 Service Unavailable status; but you can do anything you like with the response.
Create a utility function for your web services, which checks for the presence of app_offline.htm at your website's root path, and responds accordingly.
Note that if you wanted to get fancy with it, you could use a part of the WCF pipeline (assuming you're using WCF and not the legacy .ASMX services) to modify your services/methods by using an attribute (eg, this method).
hi
i'm provide a web application and on it, i develop a web service. but when calling web service it's going to login page automatically.
i have an authentication tag on web.config file that protection property set by "All".
i want when i call web service, it should load without login and another page have this security.
please help me.
Create a folder in your website - "WebServices". In that folder create a web.config file in which allow anonymous access to the content i.e. Allow All.
I have published my site and an exception is thrown but no error files are generated in the App_Data folder. I am wondering whether its write access to the folder.
The documentation says the ASP.Net process needs write access but not sure what is meant by that. Can someone tell me which user needs rights to this folder?
Thanks
UPDATE: I have found that the ASP.Net process on Win 2003 is the user NETWORK SERVICE. Is that correct?
On Windows Server 2003 (IIS6+) and higher it is NETWORK SERVICE. On IIS 5 and below it is the ASPNET user account that needs the required access.
It's whatever user is the identity of the application pool your app is running in. Typically this will be Network Service, but it could be a different account if your hosting administrator has set it up that way.
I'm getting an error when attempting to call SharePoint's webservices on one of our platforms. To start, we have Development (DEV), Testing (QA) and Production (PROD) SharePoint servers. The QA and PROD servers are pretty much identical. We have an ASP.NET web service that sits out as a seperate application on each of them. Our data entry forms hit the web services to insert/update into a SQL database and in some cases make calls to some of SharePoints web services (lists, dws).
We’re having trouble calling SharePoint’s web services on PROD from our web services however, have no problems on QA(or DEV). In our web service code we have a web reference to the SharePoint web services (lists and dws). We attempt to call these web services to create list items/folders when a new entry is made through one of our forms. On QA, there is no problem creating the list items/folder. The form is filled out, calls our web services – which call the SharePoint web services and the list item/folder is created.
On PROD we get the following error when we attempt to call the SharePoint web services:
Unable to connect to the remote server
at System.Net.HttpWebRequest.GetRequestStream()
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
...
However, to make it more interesting, if I call the PROD SharePoint web services directly from my personal computer I have no problem creating the list items/folders. We only have the problem when our web service attempts to call the PROD SharePoint web services. We’ve looked through many different web.config files looking for differences on QA and PROD and are yet to come up with anything.
If anyone has any pointers, they would be greatly apppreciated. Thanks.
Update: I just attempted to refactor the above method to use the SharePoint Object Model API and I'm getting an unauthorized error. When using the Object Model API the credentials do not seemed to be passed properly, because it's attempting to use the MOSS Server credentials. Is there any way to tell it which credentials to use as you do with the web service api?
docLibList.Credentials = System.Net.CredentialCache.DefaultCredentials;
Thanks.
Sean,
I'm not sure I completely understand your calling pattern, but if you are indeed looping back to web services on the same box, you might be running into the infamous loopback issue:
https://serverfault.com/questions/32345/ie-8-authentication-denied-on-local-sharepoint-site/32485#32485
In short: executing hostname-based HTTP calls that loopback to the server from which they're issued can get blocked. If the loopback issue is in-play, you'll be able to call the web services in PROD from another box ... but not from the PROD box itself (i.e., looping back). I think this is consistent with the behavior you described above.
If Windows patch levels are different between your environments, it might explain why your code is failing in PROD but not in your other environments.
I hope this helps!
This probably is not the problem, but is your reference to the web service pointing to the production server correctly. I had a problem before when trying to access a SP service that was referenced incorrectly. The dev server I was pointing to was on a seperate domain and could not be found.
Regarding the update to your question about the unauthorized error using the object model:
Depending on the context that your code runs in you will sometimes need to elevate privileges. See this Elevation of Privilege MSDN article for details (also note the community comment at the end). There's also a Visual How-To.
Another method is to create a new SPSite object using a SPUserToken object. There is more information in this blog post by Daniel Larson. For the system account this would be done with the code:
SPSite site = new SPSite(SPContext.Current.Site.ID,
SPContext.Current.Site.SystemAccount.UserToken);
By the way, this would be better in its own question next time so that it can be correctly voted and answered.