Re: Accessing Directory Services from a SharePoint Web Part

From: Jondis (jondis_at_bellatlantic.net)
Date: 10/22/04 

Date: Fri, 22 Oct 2004 07:11:01 -0700

Joe,

Thanks again for all of your help.... I'm a little further along now:

1. I've encapsulated my DirectoryServices call into its own assembly and
added the assembly directive: [assembly:
AllowPartiallyTrustedCallersAttribute()]. This is necessary for SharePoint
(which is only Partially Trusted) to call.
2. I installed the assembly in the GAC.
3. My Web Part references this new DirectoryServicesHelper class.... but
I'm not
thru my authorization problems.
4. Now I get the equally vague "An operations error occurred".
5. I need to ascertain which UserID is being used to connect to the DLL.
This is what I know now:

The web.config in SharePoint has:
   <authentication mode="Windows" />
   <identity impersonate="true" />

So is it the UserID that IIS runs under (ISR_MACHINENAME)?
Is it the ID in the SharePoint apppool (my SPSADMINID)?
I want it to be the credentials I pass to my Directory Services Helper
(which requires username, password and
domain).
Do I need to turn impersonation off to do that? Will it affect other stuff?

Thanks again for all of your help,
JD
jon@evolvetech.com

"Joe Kaplan (MVP - ADSI)" wrote:

> Inline below:
>
> "Jondis" <jondis@bellatlantic.net> wrote in message
> news:D8D46148-C49A-4ED4-B3A0-00F2B2CC4B47@microsoft.com...
> > Joe,
> >
> > Thanks for the suggestions... I will try encapsulating my Active Directory
> > code into a single DLL that I install into the GAC.
> >
> > You've raised two additional questions:
> > 1. How do I mark my assembly in the GAC as
> > 'AllowPartiallyTrustedCallers'?
>
> in your assemblyinfo file, you add:
>
> <assembly: AllowPartiallyTrustedCallers()>
> or
> [assembly: AllowPartiallyTrustedCallers()]
> in C#
>
>
> > 2. Are the changes I've already made to SharePoint's security
> > configuration
> > below sufficient to allow my Web Part to call my new AD Assembly in the
> > GAC?
> > What else would I need to do?
>
> I think your perm set is correct, but test to be sure! If you do the Assert
> thing that I mentioned, you won't need the DirectoryServicesPermission, but
> it won't hurt. Doing the Assert is probably not a good idea anyway,
> especially if you can grant the required permission to the code.
>
> > 3. Lastly, has anyone release a commercial product that manipulates
> > Active
> > Directory either as a Web Part, ASP.NET Control or other .NET
> > Implementation?
>
> I have no idea on this. A lot of people are still struggling with CAS, so
> even if there was, it might not have its CAS story straight either.
>
> I'm not sure if S.DS will have the APTCA in .NET 2.0 or not. I've discussed
> it with the product team, but it is a potentially big securit risk for MS
> and not something they would consider lightly.
>
> HTH,
>
> Joe K.
>
> >
> > Thanks again for your help,
> > JD
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> S.DS can only be called from Full Trust. It does not have the
> >> AllowPartiallyTrustedCallersAttribute set on the assembly.
> >>
> >> There are a couple of ways you might go about this. One way is to allow
> >> Full Trust. However, you might not want to do that for security reasons.
> >>
> >> You might create a component that does all of your S.DS logic and put it
> >> in
> >> the GAC. Assemblies in the GAC always have full trust. Make sure it has
> >> AllowPartiallyTrustedCallers set on it.
> >>
> >> Then, you'll need to either make sure upstream callers have the
> >> appropriate
> >> DirectoryServicesPermission OR you can Assert that permission in your
> >> code
> >> so that the stack walk is interrupted. Note that you are creating a
> >> potential security issue if you assert permissions, so you have to be
> >> sure
> >> you know what you are doing before taking on that responsibility.
> >>
> >> Note that you would have this problem with any assembly that doesn't
> >> allow
> >> partially trusted callers.
> >>
> >> Joe K.
> >>
> >> "Jondis" <jondis@bellatlantic.net> wrote in message
> >> news:78C3AABD-21F1-4851-931D-B74B10E482C9@microsoft.com...
> >> >I get a vague 'Security Error' when I try to access Active Directory via
> >> >the
> >> > 'System.DirectoryServices' DLL. I am doing this within a SharePoint
> >> > Web
> >> > Part. I also stripped the code out of the SharePoint Web Part and put
> >> > it
> >> > on
> >> > a regular ASP.NET Form and it worked fine.
> >> >
> >> > The error message is literally "Security Error". The stack trace
> >> > returns
> >> > the line number of the sub-routine that calls into the sub-routine that
> >> > actually touches Active Directory (System.DirectoryServices).... so I
> >> > guess
> >> > Microsoft's "Code Access Security" really works!!!
> >> >
> >> > I think I need help with my trust file. I started with the WSS_Minimal
> >> > trust file (that ships with SPS 2003) and I've gradually added
> >> > permissions
> >> > into it (such as SQL Permission).
> >> >
> >> > I added this to <SecurityClasses>:
> >> > <SecurityClasses>
> >> > <SecurityClass Name="DirectoryServicesPermission"
> >> > Description="System.DirectoryServices.DirectoryServicesPermission,
> >> > System.DirectoryServices, Version=1.0.5000.0, Culture=neutral,
> >> > PublicKeyToken=b03f5f7f11d50a3a"/>
> >> > </SecurityClasses>
> >> >
> >> > Then I added the "DirectoryServicesPermission" to the
> >> > "NamedPermissionSet"
> >> > of "ASP.NET":
> >> > <PermissionSet class="NamedPermissionSet" version="1"
> >> > Name="ASP.Net">
> >> > <IPermission class="AspNetHostingPermission" version="1"
> >> > Level="Medium" />
> >> > <IPermission class="DirectoryServicesPermission"
> >> > version="1"
> >> > Unrestricted="true"/>
> >> > <IPermission class="SecurityPermission" version="1"
> >> > Flags="Execution" />
> >> > <IPermission class="SharePointPermission" version="1"
> >> > ObjectModel="True" />
> >> > <IPermission class="WebPartPermission" version="1"
> >> > Connections="True" />
> >> > </PermissionSet>
> >> >
> >> > I haven't modified anything in the <CodeGroup> section... my
> >> > understanding
> >> > is that ASP.NET is the first CodeGroup that my Web Part should match --
> >> > so
> >> > it
> >> > should run under that code group.
> >> >
> >> > The changes I've made have at least allowed my Web Part to execute and
> >> > return the Secuirity Error... previously I would get the "Web Part
> >> > Maintenance Page" and have to remove my Web Part, change some code and
> >> > try
> >> > again (glad I got thru that!).
> >> >
> >> > My AD code is very simple right now... I'll post it ... but I'm
> >> > reasonably
> >> > certain CAS is not letting me anywhere near it anyway:
> >> >
> >> > Public Class PortalUser
> >> > Private Const m_User As String = "User"
> >> >
> >> > Private _SPUser As Microsoft.SharePoint.SPUser
> >> > Private _ADUser, _ADHelper As
> >> > System.DirectoryServices.DirectoryEntry
> >> >
> >> > Public Property SPUser() As Microsoft.SharePoint.SPUser
> >> > Get
> >> > Return _SPUser
> >> > End Get
> >> > Set(ByVal Value As Microsoft.SharePoint.SPUser)
> >> > _SPUser = Value
> >> > End Set
> >> > End Property
> >> > Public Property ADUser() As
> >> > System.DirectoryServices.DirectoryEntry
> >> > Get
> >> > Return _ADUser
> >> > End Get
> >> > Set(ByVal Value As System.DirectoryServices.DirectoryEntry)
> >> > _ADUser = Value
> >> > End Set
> >> > End Property
> >> >
> >> > Public Sub New()
> >> >
> >> > End Sub
> >> >
> >> > Public Sub GetADUser()
> >> > If (_SPUser.LoginName > [String].Empty) Then
> >> > _ADHelper = New
> >> > System.DirectoryServices.DirectoryEntry("WinNT://MyDomain",
> >> > "PowerfulUserName", "PowerfulUserNamePassword")
> >> > _ADUser = _ADHelper.Children.Find(_SPUser.LoginName,
> >> > m_User)
> >> > End If
> >> > End Sub
> >> > End Class
> >> >
> >> > Please let me know any recommendations for modifiying the Trust file
> >> > additionally, changing other security files related to SharePoint, etc.
> >> > If
> >> > there's something I'm missing in my code, please let me know as well.
> >> >
> >> > Thanks,
> >> > JD
> >> >
> >> >
> >> >
> >>
> >>
> >>
>
>
>

Relevant Pages

  • Re: Accessing Directory Services from a SharePoint Web Part
    ... > code into a single DLL that I install into the GAC. ... in your assemblyinfo file, you add: ... If you do the Assert ... Joe K. ...
    (microsoft.public.dotnet.security)
  • RE: Biztalk orchestration assembly no able to load class library
    ... Check the AssemblyInfo file and look for AssemblyVersion. ... since you added a reference to the dll. ... I have put the assembly in GAC ... >>> library dll is not found in the health and activity tracking tool. ...
    (microsoft.public.biztalk.general)
  • Re: Strong naming
    ... Any assembly that you want to put into the GAC is required to have a "Strong ... Then open up your project's AssemblyInfo file and add this: ... goto the index tab and goto "strong-named assemblies" ...
    (microsoft.public.dotnet.languages.vb)
  • Re: Access und .NET-DLLs
    ... der GAC ist mit dem Framework da. ... Tricky ist uebrigens auch die Versionierung. ... Wenn Du in der AssemblyInfo eine feste ... Versionsnummer eintraegst, ...
    (microsoft.public.de.access)