Re: Accessing Directory Services from a SharePoint Web Part

From: Jondis (jondis_at_bellatlantic.net)
Date: 10/19/04


Date: Tue, 19 Oct 2004 09:39:01 -0700

Joe,

Thanks for the suggestions... I will try encapsulating my Active Directory
code into a single DLL that I install into the GAC.

You've raised two additional questions:
1. How do I mark my assembly in the GAC as 'AllowPartiallyTrustedCallers'?
2. Are the changes I've already made to SharePoint's security configuration
below sufficient to allow my Web Part to call my new AD Assembly in the GAC?
What else would I need to do?
3. Lastly, has anyone released a commercial product that manipulates Active
Directory either as a Web Part, ASP.NET Control or other .NET implementation?

Thanks again for your help,
JD

"Joe Kaplan (MVP - ADSI)" wrote:

> S.DS can only be called from Full Trust. It does not have the
> AllowPartiallyTrustedCallersAttribute set on the assembly.
>
> There are a couple of ways you might go about this. One way is to allow
> Full Trust. However, you might not want to do that for security reasons.
>
> You might create a component that does all of your S.DS logic and put it in
> the GAC. Assemblies in the GAC always have full trust. Make sure it has
> AllowPartiallyTrustedCallers set on it.
>
> Then, you'll need to either make sure upstream callers have the appropriate
> DirectoryServicesPermission OR you can Assert that permission in your code
> so that the stack walk is interrupted. Note that you are creating a
> potential security issue if you assert permissions, so you have to be sure
> you know what you are doing before taking on that responsibility.
>
> Note that you would have this problem with any assembly that doesn't allow
> partially trusted callers.
>
> Joe K.
>
> "Jondis" <jondis@bellatlantic.net> wrote in message
> news:78C3AABD-21F1-4851-931D-B74B10E482C9@microsoft.com...
> >I get a vague 'Security Error' when I try to access Active Directory via
> >the
> > 'System.DirectoryServices' DLL. I am doing this within a SharePoint Web
> > Part. I also stripped the code out of the SharePoint Web Part and put it
> > on
> > a regular ASP.NET Form and it worked fine.
> >
> > The error message is literally "Security Error". The stack trace returns
> > the line number of the sub-routine that calls into the sub-routine that
> > actually touches Active Directory (System.DirectoryServices).... so I
> > guess
> > Microsoft's "Code Access Security" really works!!!
> >
> > I think I need help with my trust file. I started with the WSS_Minimal
> > trust file (that ships with SPS 2003) and I've gradually added permissions
> > into it (such as SQL Permission).
> >
> > I added this to <SecurityClasses>:
> > <SecurityClasses>
> > <SecurityClass Name="DirectoryServicesPermission"
> > Description="System.DirectoryServices.DirectoryServicesPermission,
> > System.DirectoryServices, Version=1.0.5000.0, Culture=neutral,
> > PublicKeyToken=b03f5f7f11d50a3a"/>
> > </SecurityClasses>
> >
> > Then I added the "DirectoryServicesPermission" to the "NamedPermissionSet"
> > of "ASP.NET":
> > <PermissionSet class="NamedPermissionSet" version="1"
> > Name="ASP.Net">
> > <IPermission class="AspNetHostingPermission" version="1"
> > Level="Medium" />
> > <IPermission class="DirectoryServicesPermission" version="1"
> > Unrestricted="true"/>
> > <IPermission class="SecurityPermission" version="1"
> > Flags="Execution" />
> > <IPermission class="SharePointPermission" version="1"
> > ObjectModel="True" />
> > <IPermission class="WebPartPermission" version="1"
> > Connections="True" />
> > </PermissionSet>
> >
> > I haven't modified anything in the <CodeGroup> section... my understanding
> > is that ASP.NET is the first CodeGroup that my Web Part should match -- so
> > it
> > should run under that code group.
> >
> > The changes I've made have at least allowed my Web Part to execute and
> > return the Security Error... previously I would get the "Web Part
> > Maintenance Page" and have to remove my Web Part, change some code and try
> > again (glad I got thru that!).
> >
> > My AD code is very simple right now... I'll post it ... but I'm reasonably
> > certain CAS is not letting me anywhere near it anyway:
> >
> > Public Class PortalUser
> >     Private Const m_User As String = "User"
> >
> >     Private _SPUser As Microsoft.SharePoint.SPUser
> >     Private _ADUser, _ADHelper As System.DirectoryServices.DirectoryEntry
> >
> >     Public Property SPUser() As Microsoft.SharePoint.SPUser
> >         Get
> >             Return _SPUser
> >         End Get
> >         Set(ByVal Value As Microsoft.SharePoint.SPUser)
> >             _SPUser = Value
> >         End Set
> >     End Property
> >
> >     Public Property ADUser() As System.DirectoryServices.DirectoryEntry
> >         Get
> >             Return _ADUser
> >         End Get
> >         Set(ByVal Value As System.DirectoryServices.DirectoryEntry)
> >             _ADUser = Value
> >         End Set
> >     End Property
> >
> >     Public Sub New()
> >
> >     End Sub
> >
> >     ' Binds to the domain and looks up the SharePoint user's login name as a
> >     ' "User" object. The DirectoryEntry constructor is the call that trips CAS.
> >     Public Sub GetADUser()
> >         ' Guard against a missing SPUser as well as an empty login name
> >         ' (the string ordering test "> String.Empty" is replaced by an inequality).
> >         If Not _SPUser Is Nothing AndAlso _SPUser.LoginName <> String.Empty Then
> >             ' NOTE: the service account name and password are string literals,
> >             ' so anyone who can read the assembly can read them.
> >             _ADHelper = New System.DirectoryServices.DirectoryEntry( _
> >                 "WinNT://MyDomain", "PowerfulUserName", "PowerfulUserNamePassword")
> >             _ADUser = _ADHelper.Children.Find(_SPUser.LoginName, m_User)
> >         End If
> >     End Sub
> > End Class
> >
> > Please let me know any recommendations for modifying the Trust file
> > additionally, changing other security files related to SharePoint, etc.
> > If there's something I'm missing in my code, please let me know as well.
> >
> > Thanks,
> > JD
> >
> >
> >
>
>
>
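Below is an added example (not code from this thread, nor from Microsoft) of the wrapper Joe describes: a strong-named assembly installed in the GAC, marked AllowPartiallyTrustedCallers, that does all the System.DirectoryServices work and asserts DirectoryServicesPermission so the CAS stack walk stops before it reaches the partially trusted Web Part. The namespace, class and method names (AdGateway, PortalDirectory, FindUser), the fixed "WinNT://MyDomain" path taken from the posted code, and the choice to bind as the worker-process identity instead of embedding a service account's credentials are all assumptions of the example. Because an Assert is exactly the "potential security issue" Joe warns about, the example keeps it narrow in two ways: the directory path is not chosen by the caller, and the Assert is reverted in a Finally on every exit path.

```vbnet
' AdGateway.vb  (added example; not code from the thread)
' Compile into a strong-named assembly, install it in the GAC, and have the
' Web Part call PortalDirectory.FindUser instead of touching
' System.DirectoryServices itself.
Option Strict On
Option Explicit On

Imports System
Imports System.Runtime.InteropServices
Imports System.Security
Imports System.Security.Permissions
Imports System.DirectoryServices

' Without this a partially trusted Web Part cannot call into the assembly at
' all, GAC or not (the same gate that blocks its direct call into S.DS).
<Assembly: AllowPartiallyTrustedCallers()>

Namespace AdGateway

    Public NotInheritable Class PortalDirectory

        ' Assumption: the directory the Web Part needs. It is fixed here rather
        ' than taken as a parameter so the Assert below cannot be pointed at an
        ' arbitrary path by the partially trusted caller.
        Private Const DomainPath As String = "WinNT://MyDomain"

        Private Sub New()
        End Sub

        ' Looks up loginName as a User under DomainPath and returns
        ' {account name, full name}, or Nothing if there is no such user.
        Public Shared Function FindUser(ByVal loginName As String) As String()
            If loginName Is Nothing OrElse loginName.Length = 0 Then
                Throw New ArgumentException("loginName is required", "loginName")
            End If
            ' Reject path and filter metacharacters so the caller can only name
            ' a child of DomainPath, not redirect the lookup elsewhere.
            If loginName.IndexOfAny(New Char() {"/"c, "\"c, ","c, "="c, "*"c, "("c, ")"c}) >= 0 Then
                Throw New ArgumentException("loginName contains an illegal character", "loginName")
            End If

            ' Assert interrupts the CAS stack walk at this frame, so the demand
            ' raised inside System.DirectoryServices never reaches the Web Part.
            ' Only fully trusted code (this GAC assembly) may assert. If your
            ' framework honours the (access, path) form of the permission, the
            ' Browse/DomainPath constructor is the tighter choice to try first.
            Dim perm As New DirectoryServicesPermission(PermissionState.Unrestricted)
            perm.Assert()
            Try
                ' Binds as the worker-process identity: no credentials live in
                ' the assembly. Grant that account read access in the directory.
                Dim domain As New DirectoryEntry(DomainPath)
                Try
                    Dim user As DirectoryEntry = domain.Children.Find(loginName, "User")
                    Try
                        Return New String() { _
                            CStr(user.Properties("Name").Value), _
                            CStr(user.Properties("FullName").Value)}
                    Finally
                        user.Dispose()
                    End Try
                Finally
                    domain.Dispose()
                End Try
            Catch ex As COMException
                ' ADSI reports "no such object" as a COMException; treat it as
                ' not found. Inspect ex.ErrorCode if you need to tell that apart
                ' from access denied.
                Return Nothing
            Finally
                ' Undo the Assert on every path out of the function so the
                ' widened permission never outlives this call.
                CodeAccessPermission.RevertAssert()
            End Try
        End Function

    End Class

End Namespace
```

To get this into the GAC the assembly must be strong-named: generate a key with `sn -k AdGateway.snk`, reference it from AssemblyInfo.vb with `<Assembly: AssemblyKeyFile("AdGateway.snk")>`, then install with `gacutil /i AdGateway.dll`. Since the Assert stops the walk inside the GAC assembly, the Web Part's own permission set does not need DirectoryServicesPermission for this call, which is the second of the two routes Joe lays out above.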
