manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Lugert <>
Subject Re: Sharepoint
Date Tue, 26 Feb 2013 22:11:03 GMT
Ok cool.  I don't have a C# build environment setup to build the SP plugin, hence why I haven't
tried this.

From: Karl Wright <>
To: Mark Lugert <> 
Cc: "" <> 
Sent: Tuesday, February 26, 2013 5:04 PM
Subject: Re: Sharepoint

MCPermissions passes on all "Web"-type requests to Permissions.asmx.  Which is why this is
puzzling.But maybe not.  Have a look at this code:                       
service.Url = SPContext.Current.Web.Url + "/_vti_bin/Permissions.asmx";                       
service.Credentials = System.Net.CredentialCache.DefaultCredentials;                       
retVal = service.GetPermissionCollection(objectName, objectType);I'd love to see what SPContext.Current.Web.Url
is.  I supposed it is possible that it is coming in as "/", in which case the service URL
is "//_vti_bin/Permissions.asmx" for the check - and only for the check - which might be causing
the error.  Nobody else has reported this, though, which leads me to believe that url rewriting
is occurring on most systems (but not all).It's easy enough to come up with a modified plugin
that avoids the double "//"... Hold on a moment and
 I'll have somethign you can try.Karl 
On Tue, Feb 26, 2013 at 4:55 PM, Karl Wright <> wrote: 
The flag is not well named.  The calling code looks like this: 
>      proxy.checkConnection( "/", supportsItemSecurity );"supportsItemSecurity" is
set on both SP 3.0 and 4.0.
>On Tue, Feb 26, 2013 at 4:41 PM, Mark Lugert <> wrote: 
>It's ootb sharepoint and IIS.  It being in Amazon is really the only unique thing about
>>And yes, not sure why that one call fails, but others succeed.
>>But, in the code it's doing a if(sp3)
>>But, I'm using SP 2010.  Why is if (sp30) even called?
>>From: Karl Wright <> 
>>To:; Mark Lugert <> Sent: Tuesday,
February 26, 2013 4:39 PM
>>Subject: Re: Sharepoint
>>Another point is that your change ONLY affects the "check" function - which is for
the UI display only.  If you made no further changes elsewhere in the code I am at a loss
as to why MCPermissions works in some circumstances but not others.  Perhaps a redirection
is interfering with your ability to reach the root node of the site?Karl 
>>On Tue, Feb 26, 2013 at 4:36 PM, Karl Wright <> wrote: 
>>Well, you are not actually using the MCPermissions service with this change.  Permission
fetches will therefore not include Folder or File security tokens.  If this is SharePoint
2010, you will also have had to tell it you were using SharePoint 2007 in order to be able
to list files properly.
>>>On Tue, Feb 26, 2013 at 4:20 PM, Mark Lugert <> wrote:

>>>In the code I see this:
>>>> // This fails:MCPermissionsWS aclService = newMCPermissionsWS(baseUrl+ site,
userName, password, configuration, httpClient);
>>>> aclCall = aclService.getPermissionsSoapHandler();
>>>>// This works:PermissionsWS aclService = newPermissionsWS(baseUrl+ site, userName,
password, configuration, httpClient);
>>>> aclCall =
>>>>As the code says, one fails and one works.  The one that succeeds is commented
>>>>I commented out the one that fails and use the one that works.  So now I
can sync everything, however I have not tried to sync any permissions.  Perhaps because the
first one above fails permissions will fail to sync?  Not sure, but the one that fails gives
an error 1000 and 401 unauthorized.  There is no useful logging in the event logs or in IIS
logs to say exactly who or what is unauthorized.
>>>>From: Karl Wright <>To: Mark Lugert <>
Cc: "" <> Sent: Tuesday, February
26, 2013 3:17 PM
>>>>Subject: Re: Sharepoint
>>>>Any news on this?Karl 
>>>>On Sat, Feb 23, 2013 at 5:20 PM, Mark Lugert <> wrote:

>>>>It's there.  I'll have the admin double check the permissions again.  Seems
like something doesn't have execute permissions.
>>>>>From: Karl Wright <> 
>>>>>To: Mark Lugert <> Cc: ""
<> Sent: Saturday, February 23, 2013 5:19 PM
>>>>>Subject: Re: Sharepoint
>>>>>Yes, that's exactly correct.  Check to be sure the Permissions.asmx file
is present, and that the service is enabled.Karl 
>>>>>On Sat, Feb 23, 2013 at 3:37 PM, Mark Lugert <>
>>>>>Hi Karl,
>>>>>>I added some debug to print the actual axis error in the sharepoint
connector.  I'm getting error 1000.  Looking at MCPermissions.cs I see that it is what is
raising this error, in the code below:
>>>>>>            {
>>>>>>                // Only handle requests for "item". 
Send all other requests to the SharePoint web service.
>>>>>>                if (objectType.Equals(itemType))
>>>>>>                {
>>>>>>                    retVal = GetItemPermissions(objectName);
>>>>>>                }
>>>>>>                else
>>>>>>                {
>>>>>>                    ServicePointManager.ServerCertificateValidationCallback
>>>>>>                        new RemoteCertificateValidationCallback(ValidateCertificate);
>>>>>>                    using (SPPermissionsService.Permissions
service = new SPPermissionsService.Permissions())
>>>>>>                    {
>>>>>>                        service.Url = SPContext.Current.Web.Url
+ "/_vti_bin/Permissions.asmx";
>>>>>>                        service.Credentials
= System.Net.CredentialCache.DefaultCredentials;
>>>>>>                        retVal = service.GetPermissionCollection(objectName,
>>>>>>                    }
>>>>>>                }
>>>>>>            }
>>>>>>            catch (SoapException soapEx)
>>>>>>            {
>>>>>>                throw soapEx;
>>>>>>            }
>>>>>>            catch (Exception ex)
>>>>>>            {
>>>>>>                EventLog.WriteEntry("MCPermissions.asmx",
>>>>>>                throw RaiseException(ex.Message, "1000",
>>>>>>            }
>>>>>>Now, the error is still a 401 unauthorized, but since it's inside
MCPermissions.asmx it's clearly not an issue with accessing the webpart remotely.
>>>>>>I assume since someone wrote that 1000 for a reason that this is not
an unknown issue.  Any ideas what my issue may be?  Seems like maybe this is an issue accessing
/_vti_bin/Permissions.asmx from within MCPermissions.asmx?  
>>>>>>From: Karl Wright <>To:;
Mark Lugert <> Sent: Friday, February 22, 2013 3:07 PM
>>>>>>Subject: Re: Sharepoint
>>>>>>Usually the only thing you have to be careful of with the plugin is
to install it when logged in as an administrator.  The plugin gets the privs it needs from
the installation user.If you've done that already, then you also have to open up the IIS widget
in Windows and grant .NET execute privs to the _vti_bin directory.  There's a whole lot of
security configuration for IIS that I am not an expert with either, but the idea is to make
sure all the .asmx assemblies under _vti_bin can be executed by a remote user.(And yes, Windows
security is, in general, a complete pain in the behind.)Hope that helps.Karl 
>>>>>>On Fri, Feb 22, 2013 at 2:51 PM, Mark Lugert <>
>>>>>>Ok thanks, installed.  Seeing these two issues now, wondering if
y'all have seen these.  I'm not a Sharepoint expert, but seems it's security is, um, difficult:
>>>>>>> 1. Alternate access mappings have not been configured. Users
or services are accessing the site http://amazona-2h120gm/ with the URL
This may cause incorrect links to be stored or returned to users. If this is expected, add
the URL as an AAM response URL. For more
information, see:"/>
>>>>>>>Not sure this is actually causing any issues right now, but if
you've seen this let me know.
>>>>>>>The request failed with HTTP status 401: Unauthorized.
>>>>>>>My admin just ran the script for installing mcpermissions.asmx. 
But it seems like there is an extra step to grant users access?
>>>>>>>From: Karl Wright <> 
>>>>>>>To:; Mark Lugert <>
Sent: Friday, February 22, 2013 2:00 PMSubject: Re: Sharepoint
>>>>>>>IIS uses NTLM or Kerberos typically.  You want to configure it
to use NTLM.In 1.1 and 1.1.1 there was a problem with the NTLM implementation inHttpClient,
having to do with machines either not joined to domains orjoined to child domains.  If you
think you may have that problem, youcan download a version of httpclient that works properly
from .  It's version 4.2.4-SNAPSHOT.KarlOn Fri, Feb 22,
2013 at 1:36 PM, Mark Lugert <> wrote:> Ok will try.  This server
has other web apps installed as well.  There is> clearly a conflict or or something going
on with the classpath.>> Another question though.  The Sharepoint connector uses what
to> authenticate?  Seems like it would use NTLM by default as I don't see> anywhere
basic auth being set.>> The docs kind of gloss over that part, but I'm getting>>
Got an unknown remote exception accessing site - axis fault = Client, detail> = The request
 with HTTP status 401: Unauthorized.>> using the exact same credentials I use to login
via the browser.  Checking> security log and stuff, but seems like this should be documented
better.>> thanks,> mark>
View raw message