We currently have a Silverlight application which is hosted in a SharePoint 2010 page. The Silverlight app makes web service calls to a another server on our domain, which has a clientaccesspolicy file in place. We are experiencing cross-domain issues in our production environment.
Users in the farm admin group can use the Silverlight application without any issues. However, all other users recieve the generic cross domain exception when they try to use this app. We have attached Fiddler to the process and noticed that the farm admins are served the clientaccesspolicy file, but that non-admin users are not. In fact, Fiddler does not ever show an attempt to load this file for non-admins.
This only happens in our production environment, which leads me to believe there is a web config or permission setting causing the issue. Unfortunately, I cannot find anything that backs this up.
Has anyone else run into this issue or know if such a setting exists?
See comments above. I had to change the URL to use the full machine name i.e. from webserver/service.svc to webserver.domain.com/service.svc. It solved the problem but doesn't answer the question about why the farm admins could access it. vorrtex's response is the best possible explanation I have seen so far.
Related
My team is in the process of developing an Office 365 add-in, specifically to enable interaction with a hosted web application, and we're encountering a "Permission needed / Bad Request" error that we can't seem to pin down.
Context:
Developing and testing the add-in involves configuring an Azure Active Directory v2 application via the management portal as well as (for development purposes) creating an xml manifest file (which is for v1 apps as opposed to the json format for v2) that can be side-loaded via the O365 interface to provide access to our hosted app (currently only xml manifests can be side-loaded). We're still very much in the process of figuring things out in Office 365, as well as Azure/Active Directory and Microsoft Graph, and the documentation is fairly broad and doesn't always seem to be up to date.
Problem Description:
One of the problems that we're run into occasionally is encountering a "Bad Request" dialog message (in a browser dialog titled 'Permission needed') that is displayed when clicking the toolbar icon for our add-in. The actual URL being requested is similar to https://store.office.com/client/consentnotification.aspx with a number of parameters representing our application and it's required permissions. This results in an HTTP 400 with "Bad Request" being the only response content.
This is happening when the user clicks on our add-in in the O365 application toolbar and is occurring at the point where the user would have to authorize permission for the add-in.
This error seems to be related to the application configuration, but we can't seem to sort out how specifically (ie, some developers are encountering it, and others are not. Sometimes it'll show up if we recreate the Azure Active Directory application using one version of portal or another (there are currently two, with the v2 version being in preview).
Can anyone offer suggestions as to what might be causing this or provide information on why this might be occurring? We're not blocked, but it is rather annoying to deal with in development. I've done a fair bit of research trying to sort out why this is happening and I've gone through a number of tutorials/introductions on configuring Azure apps without success.
This turned out to be related to the Azure Active Directory Application configuration.
For the applications where this was occuring, the AADv2 application manifest was using a "signInAudience" value of "AzureADMyOrg". For cases where it was working as expected (ie, properly populating the permission request dialog) the "signInAudience" was set to "AzureADandPersonalMicrosoftAccount".
After some testing, the solution for our particular problem seemed to be either manually editting the AADv2 application manifest (json) to have "signInAudience": "AzureADandPersonalMicrosoftAccount", or via the Portal by setting the Application's Authentication Supported Account Types setting to be "Accounts in any organizational directory" (this results in a manifest setting of "signInAudience": "AzureADMultipleOrgs" which also seems to work).
I am new to silverlight. I have been trying to patch up a silverlight app that makes a get request to some site over the net, say google. However, I keep getting the system.security exception again nd again. I read various other posts and what i gathered is that for these things to work u need to choose HOST APPLICATION IN A NEW WEBSITE option while creation of the project, i have done that, but still get the same exception. I downloaded the app from http://www.shinedraw.com/data-handling/flash-vs-silverlight-simple-http-post-request/ and ran it by clicking debug in VS2010, still it gave the same exception.
Please tell me what i am doing wrong, i know its cross domain issues, but dont know what else to do.
The second answer at this post - WebClient.DownloadStringAsync throwing Security Exception in Silverlight, I think, offers a workaround, but does this means there is no way to access such services from silverlight directly?? -
Experienced users please explain.
You cannot call a web service other than from your own domain directly from a Silverlight application. If you want to to this, you would have to install a cross-domain policy on the server that hosts the service. But you can always install a web service within your own web application (that hosts the Sivlerlight app) and call the other service from that service. It's one sercie call more but it works also with services you don't own.
I have a Silverlight 4 Beta application where I'd like to use the SharePoint object model to upload a document to a SharePoint site - should be simple enough, except an exception is thrown at:
using (SPSite siteCollection = new SPSite(siteCollectionUrl))
The Web application at
http://intranet.fabrikam.com could not
be found. Verify that you have typed
the URL correctly. If the URL should
be serving existing content, the
system administrator may need to add a
new request URL mapping to the
intended application.
This particular exception is actually really well documented out there, it's obviously masking a real underlying issue. Here are some of the things I've read about and tried without success:
DNS / Host Header:
This exception occurs when the particular URL isn't in the IIS metabase because it's being handled by DNS. My web application has an AAM set up and a host header on the web site in IIS. I also tried running the code without using the FQDN of the site, e.g. http: //servername:4860.
Permissions:
The identity of the the Silverlight application pool has db_owner permissions to my content database, and is also a site collection administrator. I can't have both web sites use the same application pool because the Silverlight application needs to run in a .NET app pool.
x86 vs x64:
My Silverlight application has to be compiled for x86 - I'm using some controls that only work in x86. The installed SharePoint version is x64. I've read about people seeing this exception when trying to use the SharePoint object model to hit a x64 SharePoint installation from a x86 app.
Adding then removing permissions for the account: This begins to border on some voodoo magic, but I read about people magically resolving this issue after removing the permissions they set trying to troubleshoot this problem initially. No luck here.
Would appreciate any suggestions, thank you!
Silverlight runs on the client/browser, not on the server - so the server-side SharePoint object model will not be available to you.
However, there is an object model for SharePoint 2010/Silverlight apps - see this MSDN article for details.
To fix the particular error you mentioned, use "List", instead of "SPList". The Silverlight SharePoint object model is a little different from the basic non-Silverlight SharePoint object model.
I am using a silverlight with wcf and when I use the .web project then it runs but when use the silver light project to run the following exception throws:
An error occurred while trying to make a request to URI 'http://localhost:9000/Services/BLWCFSvrc.svc'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details.
I want to use the silverlight project to debug my code
Thanks in advance
In order to access network resources from Silverlight, the domain hosting the resource must provide a client access policy file; this is designed this way for security reasons. See here for details: http://msdn.microsoft.com/en-us/library/cc645032%28VS.95%29.aspx
I think your problem is different that just having the clientaccesspolicy.xml, the fact that it runs under the web project, means that you are delivering policies, if you have those added as seperate files under the web project then they wont be deployed when you run the SL3 app seperately, but im sure you figured this out and you're delivering the policies via WCF using webHttp binding (RESTful style), if not, you should.
I think the problem is that when you run the webproject, it builds to your local IIS and executes from there, IIS will allow the SL3 app to communicate with ports/addresses different from the ones that the site is hosted on
when you run SL3 app natively, VS2008 auto generates a test html site for it to be hosted in with some default settings, and uses VS2008 built-in hosting service, which does not allow communication to an address/port different from that of the hosting address. (even though Silverlight is a client side library, VS2008 can do this)
so if you want to run the Silverlight application natively, meaning actually executing the XAP, you can deploy it to IIS, and configure IIS to deliver XAP files, or just install it and run it out of browser and let it update from IIS the deployed version
Just copy a clientaccesspolicy.xml file (for an example take a look at this post; you can even use this sample) into the root of your webserver (eg: c:\inetpub\wwwroot\).
This should help.
I have created an application that can save data both local drive and isolated storage. Then I have tested it by deploying via ClickOnce with FullTrust. This worked correctly, but when I set it to PartialTrust (Internet zone), the application cannot start up.
How to solve this problem?
I have tried to create empty form Windows application and then deploy using PartialTrust, it still errors when I run the application.
ClickOnce applications do not need full trust permissions to write to isolated storage. However, applications do need full trust for regular file I/O. So I'm guessing that your application will have to request full trust to work.
However, I'm not sure why your empty application won't work with partial trust. What error message do you get?
Are you using the SaveFileDialog? From memory, this throws a UIPermission exception for a partial-trust ClickOnce app deployed from the Internet zone. If that's what is happening, you need to change your app deployment to request this specific permission.
UPDATE: If you do a debug build, the exception stack trace will give the line number that caused the security exception.