Failure to set credentials

Philip Colmer

I've written a web service that returns some user-specific information. I'm
calling that web service from an InfoPath form as managed code:

    MsgBox("Calling WhoAmI service", MsgBoxStyle.OKOnly, "OnLoad")
    Try
        ' Call the service with the logged-on user's Windows credentials
        svc.Credentials = System.Net.CredentialCache.DefaultCredentials()
        MsgBox("Set service credentials", MsgBoxStyle.OKOnly, "OnLoad")
        Try
            _Initials = svc.GetInitials("")
            MsgBox("Got '" & _Initials & "'", MsgBoxStyle.OKOnly, "OnLoad")
        Catch ex As Exception
            MsgBox("Failed to get initials: " & ex.ToString, MsgBoxStyle.OKOnly, "OnLoad")
        End Try
    Catch ex As Exception
        MsgBox("Failed to set credentials: " & ex.ToString, MsgBoxStyle.OKOnly, "OnLoad")
    End Try
    svc.Dispose()
    MsgBox("Disposed of service object", MsgBoxStyle.OKOnly, "OnLoad")

If I've got the form on my computer, it works fine - it sets the
credentials, gets my initials back from the web service & disposes of the
object. If, however, I publish the form to a SharePoint forms library and
open the form from there, the call to svc.Credentials fails with:

    System.Security.SecurityException: Request for the permission of type
    System.Security.Permissions.EnvironmentPermission, mscorlib,
    Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

The web service is configured to use integrated windows authentication.

Can anyone tell me how to resolve this, please?

--Philip
 

Steven Cheng[MSFT]

Hi Philip,

Welcome to .NET newsgroup.
As for the InfoPath form setting credentials for the web service proxy problem,
here are some of my suggestions:

First, I agree with you that this is a security problem and more exactly,
it's a .NET CAS problem. To make the problem more clear, I suggest you try
the following things:

1. As you mentioned, the form works well when running from your local
computer. If so, is the local computer the development machine of that form?
Please try copying the form to some other machine and run it to see whether it
also works as on your local machine.

2. If the InfoPath form also works on other machines (running from local), I
think it's likely due to the security restriction for the downloaded
InfoPath form from the SPS form library. We'll need to do some further research
on the local .NET CAS setting for remote components.

If there's anything unclear or any other new findings, please feel free to
post here.
Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)





--------------------
| From: "Philip Colmer" <[email protected]>
| Subject: Failure to set credentials
| Date: Wed, 20 Jul 2005 15:25:11 +0100
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security

Philip Colmer

Steven Cheng said:
> Hi Philip,
>
> Welcome to .NET newsgroup.

Thank you.

> 2. If the infopath form also works on other machine (running from local), I
> think it's likely due to the security restriction for the downloaded
> infopath form from SPS FORM library. We'll need to do some further research
> on the LOCAL .NET CAS setting for remote component.

It was the non-development machine that I had been testing the form from,
and which is working.

Please tell me what steps you'd like me to take to check the CAS setting.

Thank you.

--Philip
 

Steven Cheng[MSFT]

Thanks for your response Philip,

Since the local success behavior is not machine specific, we can start
checking the .NET CAS setting. Would you please try the following test
first:

For .NET Code Access Security, we can configure it through

Control Panel--->Administrative tools--->.NET Framework Configuration tool
or caspol.exe

#Code Access Security Policy Tool (Caspol.exe)
http://msdn.microsoft.com/library/en-us/cptools/html/cpgrfcodeaccesssecuritypolicyutilitycaspolexe.asp?frame=true

We can simply start from caspol.exe. Open the VS.NET command line window
and execute the following command, which temporarily turns off .NET CAS:

    caspol -s off

After that, no .NET CAS checking will be performed at runtime. Then, please try
running the InfoPath form (from the SharePoint library) again to see whether
it works. If it works, we can be sure the problem is that the
InfoPath form running from the SharePoint library is restricted to a certain
security zone which doesn't have permission to adjust the Credentials of
HttpWebRequest. We should then manually add a custom code group in CAS
to grant the components from the form library sufficient
permissions.

Anyway, please let me know what you got and if there's anything unclear,
please feel free to post here.

Thanks,

Steven Cheng
Microsoft Online Support




--------------------
| From: "Philip Colmer" <[email protected]>
| Subject: Re: Failure to set credentials
| Date: Thu, 21 Jul 2005 09:40:16 +0100

Philip Colmer

Steven Cheng said:
> We can simply start from caspol.exe. Open the VS.NET's commandline window
> and execute the following command which temporarily turn off .NET CAS:
>
> caspol -s off

Running this command now allows the form to work as expected.

Both the SharePoint form library and the web service are in the trusted
sites zone. In addition, the form has been code-signed.

I'd appreciate your suggestions as to what I need to do to get the form
working.

Regards

Philip
 

Steven Cheng[MSFT]

Hi Philip,

Well, now we can confirm this is a .NET CAS problem. Currently what we
should do is add a code group in the .NET CAS configuration for
the managed components (assemblies) loaded from your SharePoint form
library.

Based on my understanding, we ought to add a custom code group (for the form
components loaded from the form library) under the Local Intranet zone. You can
verify this by using the "Adjust Zone Security" function when selecting the
"Runtime Security Policy" node in the left view. (Adjust the trust level to
FullControl for Local Intranet zone).

If the above test makes the InfoPath form (from the form library) work,
then roll back the above change and try adding a new custom code group under
the All_Code-->LocalIntranet_Zone group. When creating the code group,
choose "URL" as the condition type and type your SharePoint form library
site's URL, something like:

"http://sharepointserver/*"

and grant this code group FullTrust permissions.

After that, please close IE, relaunch it and test the InfoPath form from the
form library to see whether it works.

#Configuring Code Groups Using the .NET Framework Configuration Tool
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconusingnetconfigurationtooltoworkwithcodegroups.asp?frame=true

In addition, all the configuration I mentioned above (through the .NET
configuration tool GUI) can also be done through the caspol.exe command line
tool:

#caspol.exe Adding Code Groups
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconaddingcodegrouptocodegrouphierarchy.asp?frame=true

Thanks,

Steven Cheng
Microsoft Online Support





--------------------
| From: "Philip Colmer" <[email protected]>
| Subject: Re: Failure to set credentials
| Date: Fri, 22 Jul 2005 13:33:05 +0100

Philip Colmer

Steven

Thank you for that. I've now got this working on my PC. What would be your
recommendation for the best/easiest method of deploying this to all of the
computers? I cannot find a Group Policy setting for CAS - is there one or do
I need to write a logon script that uses caspol?

--Philip
 

Steven Cheng[MSFT]

Hi Philip,

Yes, for your scenario, if you need to make such configuration simpler
to deploy, the currently recommended means is to make a script or bat
file which calls the caspol.exe tool to create the code group on the machine
(instead of interactively in the configuration tool).

#Adding Code Groups
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconaddingcodegrouptocodegrouphierarchy.asp?frame=true

Thanks,

Steven Cheng
Microsoft Online Support


--------------------
| From: "Philip Colmer" <[email protected]>
| Subject: Re: Failure to set credentials
| Date: Mon, 25 Jul 2005 13:42:11 +0100
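
The deployment script suggested in the last reply, creating the code group described in the earlier one, sketched as an added example that is not part of the thread. The .NET 1.1 install path, the group name and the form-library URL are assumptions; the URL is narrowed from the whole server to the form library so that FullTrust covers as little code as possible.

```batch
@echo off
rem Added example, not from the thread: creates the CAS code group for
rem InfoPath forms loaded from the SharePoint form library.
rem Assumptions: .NET 1.1 install path, group name, form-library URL.
setlocal

set CASPOL=%windir%\Microsoft.NET\Framework\v1.1.4322\caspol.exe
set GROUP_NAME=InfoPath_FormLibrary
rem Placeholder URL: point it at where the form template is actually served
rem from, not at the whole server.
set FORM_URL=http://sharepointserver/sites/forms/FormLibrary/*

if not exist "%CASPOL%" (
    echo caspol.exe not found at %CASPOL%
    exit /b 1
)

rem Re-enable CAS enforcement in case the diagnostic "caspol -s off"
rem from the troubleshooting step is still in effect on this machine.
"%CASPOL%" -q -s on

rem Idempotence: -ld lists code group names and descriptions, so skip the
rem add if this group already exists in machine-level policy.
"%CASPOL%" -m -ld | find /i "%GROUP_NAME%" >nul
if not errorlevel 1 (
    echo Code group %GROUP_NAME% already present.
    exit /b 0
)

rem -q suppresses the policy-change prompt, -m targets machine policy,
rem -ag adds a child group under LocalIntranet_Zone with a URL condition.
"%CASPOL%" -q -m -ag LocalIntranet_Zone -url "%FORM_URL%" FullTrust -n "%GROUP_NAME%" -d "InfoPath forms from the SharePoint form library"
if errorlevel 1 (
    echo Failed to add code group %GROUP_NAME%.
    exit /b 1
)

rem Print the resulting code group hierarchy for the deployment log.
"%CASPOL%" -m -lg
endlocal
```

Machine-level policy can only be changed by an administrator, so this belongs in a computer startup script or software-distribution job rather than a logon script running as an ordinary user.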