I am working on Webhook for SharePoint notification using the Get started with SharePoint webhooks. I have registered the application as a Web Application and tried to provide read and write items and lists in all site collections permission. I have checked both delegated and application permissions but i am not able to find these permission.
Delegate permission screenshot
Application permission screenshot
I have followed all the steps except step 1. Can someone tell me how to provide this permission?
Based on the link you provided, you are using Authorization Code flow as the grant type.
So you need to add Delegate permission rather than Application permission.
And what you need to add is AllSites.Manage under SharePoint (NOT Microsoft Graph).
Related
I've built an app in App Maker and deployed it, but the user I thought I had given permission to is getting this notification "Sorry, you don't have access to this application."
In the app, I added a role to the data source and added the user to the role from the deployment. I also added the role to each page's security. I verified that App Maker is turned on for all of our users. I've ensured that the user has access to the Google Sheet data tables (both what I imported into the App for preview and the data I exported from the deployment). I've even added the user as a Cloud Sql Viewer in our Cloud SQL instance (don't know if that was necessary). This is my first app and I feel like I'm flying blind. I'm obviously missing something but can't figure out what. Any help is much appreciated!
Make sure all the required models can be accessed by the role you assigned to the user.
If the user has another Google account in the same Chrome session, the browser may be switching them to this external user when opening the app. Sign-out from that account or try incognito.
Make sure the deployment has no restriction as shown here; or if it does, allow the username.
I'm using webmatrix, razor, c#. I've created a web site for friends, it's on godaddy. I've created web pages to upload or delete images for the gallery, they work ok on webmatrix on my laptop, but get an "access denied" error with godaddy, understandably since I'm an anonymous user.
Godaddy says it is doing windows authentication and the godaddy gui shows me the folders and the user accounts and their permissions.
Can anyone tell me please how to keep the rest of the web site anonymous but to do this with the web pages which amend the gallery:
1. some kind of authentication to get into
2. they also authenticate to godaddy so they have permissions to create/delete files in the relevant folders
I can't see how the WebSecurity class can help. I've read that by default it creates its own database of user accounts, so this could achieve 1, but not 2. I've also read that it can be configured to use windows authentication instead of its own database, but that to do this anonymous access must be disabled.
I'd be grateful for any help, I certainly am stuck. For anyone kind enough to reply, please bear in mind I'm not a web developer, I'm a server admin!
I'm not sure if you're attempting to allow the end users to go to their galleries using GoDaddy AND thru the website. That sounds like a difficult security challenge.
One approach is to only allow the web application to have access to all the files and folders on the server. Then you can forget about Windows authentication. Have the users authenticate using the WebSecurity classes and pages.
_PageStart.cshtml is a file whose code runs everytime a page is opened by a user. In there you can put code which controls who has access including anonymous activity. For example, users are always allowed to go to the account pages in the account folder, because that's where they sign in. So they are still anonymous before signing in. The code is simple:
// You're always allowed to go to the login pages
if ( Request.RawUrl.StartsWith( "/Account") )
{
return;
}
If the code returns from here and doesn't take any other action, the page will open normally.
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.
Im trying to use the fileupload control. Im using Visual Web Developer Express on my desktop.
My web application is working fine except I cant use the fileUpload control. I get the following error:
ERROR: Access to the path (My_Directory) is denied
I searched and it appears to be a permissions problem. So I attempted to add the user ASPNET and give appropriate permissions to the directory, however, I was unable to add user "ASPNET". User "ASPNET" was not found.
So then I followed the following directions to add user ASPNET via Control Panel > Administration > Computer management. So now I was able to add user ASPNET to the directory and give appropriate permissions but I still got the above error.
http://p2p.wrox.com/net-web-services/5918-creating-aspnet-user.html
Any ideas on why I cant access the directory?
If you're using Vista/Windows 7/Win2003/Win2008, the user you need is the Network Service account. You can verify by seeing what user your application pool is running under.
Grant the proper permissions to that account (if indeed it's the account that your application pool is running under) and you'll be golden. Note also that with Windows 7 and Win2008, the default account could be the ApplicationPoolIdentity, which you can find out more information about at http://forums.iis.net/t/1156692.aspx. Regardless, you can simply switch the account that your application pool is running under to the Network Service account to verify that that is the issue.
Ever figure this out? If you're overwriting files check to make sure they aren't set to read-only.
I've handled these permissions plenty before and had tried everything in the book and on this site and others (I'm on Win7, IIS7.5 also). Sometimes it's the silly little things...