ManifoldCF - CONNECTORS-891

SharePoint 2010 claims-based authorization fails for AD groups


Details

    Description

      It looks like, at least in some cases, in SharePoint 2010 it is not SharePoint groups that correspond to AD groups, but rather SharePoint users that correspond to AD groups. For example:

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
         <soap:Body>
            <GetUserCollectionFromGroupResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
               <GetUserCollectionFromGroupResult>
                  <GetUserCollectionFromGroup>
                     <Users>
                        <User ID="3620" Sid="" Name="Axxx Dxxx" LoginName="i:0#.w|domain\dxxx" Email="..." Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
                        <User ID="1199" Sid="" Name="itstrain" LoginName="i:0#.w|domain\itstrain" Email="..." Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
                        <User ID="2871" Sid="" Name="Law Library helpdesk account" LoginName="i:0#.w|domain\reflaw" Email="..." Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
                        <User ID="5135" Sid="" Name="Library Desk - GP" LoginName="i:0#.w|domain\lib-deskgp" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="False" Flags="0"/>
                        <User ID="5899" Sid="" Name="DOMAIN\$0kjf00-gcsje70g79fm" LoginName="c:0+.w|s-1-5-21-3052554794-3770484871-3874881240-511616" Email="" Notes="" IsSiteAdmin="False" IsDomainGroup="True" Flags="0"/>
                     </Users>
                  </GetUserCollectionFromGroup>
               </GetUserCollectionFromGroupResult>
            </GetUserCollectionFromGroupResponse>
         </soap:Body>
      </soap:Envelope>
      

      We therefore need to look at child users of groups to come up with the right tokens. Furthermore, the SharePoint/AD authority should always generate user tokens, not group tokens.
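The lookup described above, as an added example that is not ManifoldCF's own code: it walks the child Users of a GetUserCollectionFromGroup response, decodes the claims-encoded LoginName (the `i:0#.w|` Windows user and `c:0+.w|` Windows group encodings seen in the response), and emits a user or group token for each one. The `ad:` token prefix, the helper names and the abbreviated sample response are assumptions of this example.

```python
"""Derive access tokens from the child users of a SharePoint 2010 group.
Claim-encoded LoginNames: 'i:0#.w|DOMAIN\\user' is a Windows user claim,
'c:0+.w|<SID>' is a Windows group claim.  The 'ad:' token prefix is an
assumption of this example, not ManifoldCF's own token format."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/sharepoint/soap/directory/}"

# Constructed sample, abbreviated from the response quoted in the issue.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <GetUserCollectionFromGroupResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
   <GetUserCollectionFromGroupResult>
    <GetUserCollectionFromGroup>
     <Users>
      <User ID="1199" Name="itstrain" LoginName="i:0#.w|domain\\itstrain" IsDomainGroup="False"/>
      <User ID="5899" Name="DOMAIN\\$0kjf00-gcsje70g79fm" LoginName="c:0+.w|s-1-5-21-3052554794-3770484871-3874881240-511616" IsDomainGroup="True"/>
      <User ID="7" Name="Legacy" LoginName="domain\\legacy" IsDomainGroup="False"/>
     </Users>
    </GetUserCollectionFromGroup>
   </GetUserCollectionFromGroupResult>
  </GetUserCollectionFromGroupResponse>
 </soap:Body>
</soap:Envelope>"""

def decode_claim(login_name):
    """Return (kind, value): 'user' for a Windows account claim, 'group'
    for a Windows group (SID) claim, 'classic' for a plain DOMAIN\\name."""
    if "|" not in login_name:
        return ("classic", login_name)
    encoding, value = login_name.split("|", 1)
    if encoding == "i:0#.w":
        return ("user", value)
    if encoding == "c:0+.w":
        return ("group", value)
    return ("other", value)

def tokens_from_group_response(xml_text):
    """Walk every child User of the group.  A User with IsDomainGroup="True"
    is an AD group surfaced as a SharePoint user, so its SID must become a
    group token rather than a user token."""
    tokens = []
    for user in ET.fromstring(xml_text).iter(NS + "User"):
        kind, value = decode_claim(user.get("LoginName", ""))
        is_group = user.get("IsDomainGroup", "False").lower() == "true"
        prefix = "ad:group:" if (kind == "group" or is_group) else "ad:user:"
        tokens.append(prefix + value.lower())
    return tokens
```

The SID-bearing entry with IsDomainGroup="True" is the case the issue describes: it arrives as a User, so an implementation that only inspects SharePoint groups never sees it.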

          People

            kwright@metacarta.com Karl Wright