PSI & Impersonation


Stephan Steiner

I've seen a bunch of threads on the issue, and looking at the sample I
understand the following happens:

First we make a call to the Resource PSI service using the regular url
and using the DefaultCredentials and get back the uuid of the resource
to impersonate.

A second request is made to the Resource PSI service using the
impersonation url, using the same DefaultCredentials but specifying
two additional headers that trigger impersonation.

So far so good. I found out that I can only access the impersonation
URL using the credentials under which PSS is running - basically by
visiting the service in Firefox where I'm prompted for credentials.

And that made me think.. if I can specify arbitrary credentials when
using a platform-neutral browser, should I be able to send any type of
basic authentication to the PSS url? I noted that the ResourceDerived
class in the sample resets the credentials to the DefaultCredentials
as part of GetWebRequest. So, I figured I'd simply replace those with
my own instance of NetworkCredential where the username is
machinename\pss-account and password is the password for that account.

However, that still returns the dreaded 401 error - so I figure it
must be something windowsy.. just like IE handles things a bit
differently when dealing with IIS than any other browser, .NET is also
a bit different when it comes to authentication - so does anybody have
an idea how I can trick it into simply providing the appropriate basic
authentication credentials so that it lets me get ahead with my
requests?

Regards
Stephan
 

Stephen Sanderlin

Instead of doing this in the override for GetWebRequest, try setting
your custom NetworkCredential to the Credentials property of your
instance of the ResourceDerived class and leaving
_webRequest.Credentials set to CredentialCache.DefaultCredentials (or
DefaultNetworkCredentials).



Additionally, by default, only the SSP Admin account has access to the
SSP itself. This is why, by default, you can only access it with that
user. To use other accounts, grant the accounts process account rights
to the SSP:

1) In SharePoint Central Admin, go to "Application Management" and
click "Manage this Farm's Shared Services".

2) Hover over the SSP's name

3) Click the drop-down arrow that appears to the right of the SSP's
name

4) Click "Edit Properties"

5) Scroll to the bottom of the "Edit Shared Services Provider" page

6) Enter the user's ID into the "Process Accounts with access to
this SSP" box

7) Click the "OK" button



--

Stephen Sanderlin

Principal Consultant

MSProjectExperts



For Project Server Consulting: http://www.msprojectexperts.com

For Project Server Training: http://www.projectservertraining.com



Read my blog at: http://www.projectserverhelp.com/

Join the community at: http://forums.epmfaq.com
 

Stephan Steiner

Stephen

What do you mean by

leaving _webRequest.Credentials?

I actually tried setting the Credentials property of my ResourceDerived class.. but noted that when I check the value of the variable in the GetWebRequest override, webRequest.Credentials is null (hence I figure the sample contains the line

    webRequest.Credentials = CredentialCache.DefaultCredentials

Also, when I access the Admin service via SSPurl from Firefox, I can provide the SSP Admin account credentials and it works (I haven't bothered writing a Java app and providing those credentials though)

Am I mistaken assuming I should be able to provide the SSP Admin account credentials for the web request and get things working without reconfiguring SharePoint?

Regards
Stephan

Stephen Sanderlin

In the override for GetWebRequest, I'm saying to leave the
webRequest.Credentials property set to
CredentialCache.DefaultCredentials instead of setting it to anything
else.

According to the MSDN documentation
(http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials(VS.85).aspx),
CredentialCache.DefaultCredentials does not allow you to access the
details of the security context it returns. Hence, why you cannot view
this information.

You are not mistaken in your belief. My point is that you should set the
custom NetworkCredential you've created that contains the credentials
for the SSP Admin account to be ResourceDerived.Credentials, not
webRequest.Credentials. Leave webRequest.Credentials as
CredentialCache.DefaultCredentials. I've created many derived PSI
classes for impersonation, and have always just left
webRequest.Credentials in GetWebRequest as-is. It's never caused an
issue. I simply set the custom NetworkCredential with the SSP Admin's
credentials to be ServiceDerived.Credentials and everything works out
just fine :o)


Stephen Sanderlin

I just realized that I had the password for my VPC saved, hence why it
always "just works" for me. I did this because I was trying to simulate
actually being part of the same domain as the machine.

I've cleared this saved password and I am able to reproduce your issue
when leaving webRequest.Credentials set to
CredentialCache.DefaultCredentials. The call is successful if I set it
to new NetworkCredential("username", "password", "domain"). The request
fails if I set it to new NetworkCredential("domain\username",
"password").

So, try setting webRequest.Credentials to new
NetworkCredential("username", "password", "machinename") instead of new
NetworkCredential("machinename\username", "password").

Sorry about that. It came to me shortly after I wrote my last post.
Please let me know if this resolves your issue!



Stephan Steiner

Stephen

I'm not quite there but I think we're getting somewhere. I'm using the unchanged ResourceDerived.cs file from the SDK which contains the following override:

    protected override WebRequest GetWebRequest(Uri uri)
    {
        WebRequest webRequest = base.GetWebRequest(uri);
        if (contextString != String.Empty)
        {
            webRequest.UseDefaultCredentials = true;
            bool isImpersonating =
                (System.Security.Principal.WindowsIdentity.GetCurrent(true) != null);
            webRequest.Credentials = CredentialCache.DefaultCredentials;
            webRequest.Headers.Add("PjAuth", contextString);
            webRequest.Headers.Add("ForwardedFrom", "/_vti_bin/psi/resource.asmx");
            webRequest.PreAuthenticate = true;
        }
        return webRequest;
    }

If I use that as is, and set

resProxyBySSP.Credentials = new NetworkCredential("login", "password", "machinename");

in Program.cs, then I get a 401 error.

If I remove

    webRequest.UseDefaultCredentials = true;
    webRequest.Credentials = CredentialCache.DefaultCredentials;

then I get a 404 error instead.

The uri I'm making the request to is http://chappzh56:56737/SharedServices1/PSI/Resource.asmx and I can make a GET on that uri just fine from a web browser.

Looking at things in Wireshark I see that my authentication seems to be accepted now when I send the header, the server responds with 100 Continue, I send the actual request body (which contains the following):

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetCurrentUserUid xmlns="http://schemas.microsoft.com/office/project/server/webservices/Resource/" /></soap:Body></soap:Envelope>

And then the project server responds with 404. If I send the same request to the PWA url, I get the desired result.

I went into the event log and noted that the server is trying to tell me that the PWA site GUID is incorrect... the documentation isn't quite clear on that.

I have a bunch of DBs on that server.. aspnetdb for forms authentication, 4 ProjectServer_* DBs for Project Server, SharePoint_AdminContent__guid, SharePoint_Config, SharedServices1_DB, WSS_Content_PSS (the content DB for the PSS so I figured this is the DB where I have to take the guid from.. ) and WSS_Content_PWA (the pwa content DB).. upon looking at the Webs table in WSS_Content_PWA I actually found a site with FullURL PWA which is the url of PWA, so I tried that SiteId, and now I get a 401 again. If I use the SiteId from the other entry in that DB (sites/ProjectServer.. the SharePoint default part for my Project Server), I get another 404 with again an entry in the event log telling me that the SiteId I'm giving was not found in the ProjectSiteCollection for this SSP.

So I'm a bit stumped here.. if I send the wrong GUID, authentication works but then I cannot proceed. If I send the proper GUID, authentication fails.

So I'm wondering.. you wouldn't happen to have a modified version of the sample that actually works so that I could try it?

Regards
Stephan

P.S. Another weird effect:

Stephen Sanderlin

If you tried to post a screenshot, unfortunately it won't come through
in the NG. You can email it to me if you'd like.



I modified this code to work from my laptop (which is a member of a
domain) to my Dev VPC (which is a member of its own workgroup). If the
VPC and I were in the same domain and I had proper permissions, it would
work as defined in the SDK. Also, if I were running the impersonation
code from the Project Server WFE/App Server as the SSP Admin or another
account with proper permissions, it would work as defined in the SDK.



Here's the sample code that works for me:

    protected override System.Net.WebRequest GetWebRequest(Uri uri)
    {
        WebRequest _webRequest = base.GetWebRequest(uri);
        if (_contextString != String.Empty)
        {
            // Send explicit credentials instead of the caller's Windows identity.
            _webRequest.UseDefaultCredentials = false;

            bool isImpersonating =
                (System.Security.Principal.WindowsIdentity.GetCurrent(true) != null);

            // User name, password and domain (or machine name) as three separate arguments.
            _webRequest.Credentials = new NetworkCredential("admin", "password", "epmdev");

            // Headers that trigger PSI impersonation.
            _webRequest.Headers.Add("PjAuth", _contextString);
            _webRequest.Headers.Add("ForwardedFrom", "/_vti_bin/psi/Resource.asmx");

            _webRequest.PreAuthenticate = true;
        }
        return _webRequest;
    }



Just as a side note: instead of embedding the credentials in this
property, I would create a NetworkCredential static field in the
ResourceDerived class and add two methods to get and set it. Then, I
would change the code to this:



    protected override System.Net.WebRequest GetWebRequest(Uri uri)
    {
        WebRequest _webRequest = base.GetWebRequest(uri);
        if (_contextString != String.Empty)
        {
            bool isImpersonating =
                (System.Security.Principal.WindowsIdentity.GetCurrent(true) != null);

            if (_credentials != null)
            {
                // Explicit credentials were supplied through the static field.
                _webRequest.UseDefaultCredentials = false;
                _webRequest.Credentials = _credentials;
            }
            else
            {
                // Fall back to the identity of the calling process.
                _webRequest.UseDefaultCredentials = true;
                _webRequest.Credentials = CredentialCache.DefaultCredentials;
            }

            // Headers that trigger PSI impersonation.
            _webRequest.Headers.Add("PjAuth", _contextString);
            _webRequest.Headers.Add("ForwardedFrom", "/_vti_bin/psi/Resource.asmx");

            _webRequest.PreAuthenticate = true;
        }
        return _webRequest;
    }



Hope it works for you too!


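
Added example (not part of the original thread and not SDK code): the fix that worked in the thread passes user name, password and machine name as three separate NetworkCredential arguments, and the side note suggests supplying the credential from outside the override. The C# below does both for an account written as machinename\username and sends nothing over the network; PsiImpersonationRequest, BuildCredential, Apply, the PSI_SSP_PASSWORD variable and the sample host and context string are hypothetical names and constructed values.

```csharp
using System;
using System.Net;

// Added example; every name in this class is hypothetical.
public static class PsiImpersonationRequest
{
    // Turns "MACHINE\user" (or a bare "user" plus a default domain) into the
    // three-argument NetworkCredential form that worked in the thread.
    public static NetworkCredential BuildCredential(
        string account, string password, string defaultDomain)
    {
        if (string.IsNullOrEmpty(account))
            throw new ArgumentException("account is required", "account");
        if (password == null)
            throw new ArgumentNullException("password");

        string user = account;
        string domain = defaultDomain ?? string.Empty;

        int slash = account.IndexOf('\\');
        if (slash >= 0)
        {
            // Reject "\user", "MACHINE\" and "A\B\C" instead of guessing.
            if (slash == 0 || slash == account.Length - 1 ||
                account.IndexOf('\\', slash + 1) >= 0)
            {
                throw new FormatException(
                    "expected MACHINE\\user, got: " + account);
            }
            domain = account.Substring(0, slash);
            user = account.Substring(slash + 1);
        }

        return new NetworkCredential(user, password, domain);
    }

    // Same settings as the GetWebRequest override in the thread, with the
    // credential passed in by the caller instead of embedded in the method.
    public static void Apply(
        WebRequest request, string contextString, NetworkCredential credentials)
    {
        if (request == null)
            throw new ArgumentNullException("request");
        if (string.IsNullOrEmpty(contextString))
            return; // no impersonation context: leave the request untouched

        if (credentials != null)
        {
            request.UseDefaultCredentials = false;
            request.Credentials = credentials;
        }
        else
        {
            request.UseDefaultCredentials = true;
            request.Credentials = CredentialCache.DefaultCredentials;
        }

        request.Headers.Add("PjAuth", contextString);
        request.Headers.Add("ForwardedFrom", "/_vti_bin/psi/Resource.asmx");
        request.PreAuthenticate = true;
    }

    public static void Main()
    {
        // Constructed sample input. The password comes from a hypothetical
        // environment variable so it is not compiled into the assembly; the
        // fallback only keeps this demo runnable.
        string account = @"machinename\pss-account";
        string password =
            Environment.GetEnvironmentVariable("PSI_SSP_PASSWORD")
            ?? "constructed-sample-password";

        NetworkCredential credential = BuildCredential(account, password, null);

        // Constructed URL; the request object is built but never sent.
        WebRequest request = WebRequest.Create(
            "http://projectserver.example/SharedServices1/PSI/Resource.asmx");
        Apply(request, "constructed-context-string", credential);

        NetworkCredential resolved =
            request.Credentials.GetCredential(request.RequestUri, "NTLM");
        Console.WriteLine("UserName: {0}", resolved.UserName);
        Console.WriteLine("Domain:   {0}", resolved.Domain);
        Console.WriteLine("PjAuth:   {0}", request.Headers["PjAuth"]);
        Console.WriteLine("ForwardedFrom: {0}", request.Headers["ForwardedFrom"]);
    }
}
```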
 

Stephan Steiner

Stephen

I'm using the same code now but I'm afraid I'm still not getting there.. still getting a 401 error.

The weird thing is that if I check the security section in the event viewer, I see a successful authentication for the user that has access to PSS.. so I know my credentials are correct.

Is there case sensitivity somewhere all of a sudden? I thought I tried all possible variations though.

The only difference I see is our setup.. while I use a VM as well, the VM is part of the same domain as my PC.. but the user with access to PSS is a local account on the Project Server 2007. Since I might not be the only one who ends up debugging code and since the application in the end will run as a service I'd like to have an impersonation solution that doesn't depend on PSS configuration.. we'd just all use the same user credentials and impersonate as whomever we need to.

But basically with all these experiments we know that the windows authentication part is okay.. and then there's a site id lookup which also works.. and then there's something more which triggers the 401 response.

Any idea what that could be? Are there any other logs that I could look at except for the event log? (I see no application errors when I get the 401 by the way.. just a successful authentication in the authentication section.. and nothing in Microsoft Office Diagnostics nor Microsoft Office Sessions.)

Regards
Stephan

P.S. here's my current override code:

    protected override WebRequest GetWebRequest(Uri uri)
    {
        WebRequest webRequest = base.GetWebRequest(uri);
        if (contextString != String.Empty)
        {
            bool isImpersonating = (System.Security.Principal.WindowsIdentity.GetCurrent(true) != null);
            if (creds == null)
            {
                webRequest.Credentials = CredentialCache.DefaultCredentials;
                webRequest.UseDefaultCredentials = true;
            }
            else
            {
                webRequest.UseDefaultCredentials = false;
                webRequest.Credentials = creds;
            }
            webRequest.Headers.Add("PjAuth", contextString);
            webRequest.Headers.Add("ForwardedFrom", "/_vti_bin/psi/Resource.asmx");

            webRequest.PreAuthenticate = true;
        }
        return webRequest;
    }

Stephen Sanderlin

Shouldn't be case sensitivity. The only thing I can think at this point
is permissions. Are you sure that you gave the user in question access
to the SSP as a process account and that it has full admin rights to the
Project Server?



Have you tried turning up Diagnostic Logging to see if that yields
anything helpful in the ULS or App logs?

--

Stephen Sanderlin

Principal Consultant

MSProjectExperts



For Project Server Consulting: http://www.msprojectexperts.com

For Project Server Training: http://www.projectservertraining.com



Read my blog at: http://www.projectserverhelp.com/

Join the community at: http://forums.epmfaq.com





<
Stephen



I'm using the same code now but I'm afraid I'm still not getting there..
still getting a 401 error.



The weird thing is that if I check the security section in the event
viewer, I see a successful authentication for the user that has access
to PSS.. so I know my credentials are correct.



Is there case sensitivty somewhere all of a sudden? I thought I tried
all possible variations though.



The only difference I see is our setup.. while I use a VM as well, the
VM is part of the same domain as my PC.. but the user with access to PSS
is a local account on the Project Server 2007. Since I might not be the
only one who ends up debugging code and since the application in the end
will run as a service I'd like to have an impersonation solution that
doesn't depend on PSS configuration.. we'd just all use the same user
credentials and impersonate as whomever we need to.



But basically with all these experiments we know that the windows
authentication part is okay.. and then there's a site id lookup which
also works.. and then there's something more which triggers the 401
response.



Any idea what that could be? Are there any other logs that I could look
at except for the event log (I see no application errors when I get the
401 by the way. .just a successful authentication in the authentication
section.. and nothing in Microsoft Office Diagnostics nor Microsoft
Office Sessions.



Regards

Stephan



P.S. here's my current override code:



protected override WebRequest GetWebRequest(Uri uri)
{
WebRequest webRequest = base.GetWebRequest(uri);
if (contextString != String.Empty)
{
bool isImpersonating =
(System.Security.Principal.WindowsIdentity.GetCurrent(true) != null);
if (creds == null)
{
webRequest.Credentials =
CredentialCache.DefaultCredentials;
webRequest.UseDefaultCredentials = true;
}
else
{
webRequest.UseDefaultCredentials = false;
webRequest.Credentials = creds;
}
webRequest.Headers.Add("PjAuth", contextString);
webRequest.Headers.Add("ForwardedFrom",
"/_vti_bin/psi/Resource.asmx");



webRequest.PreAuthenticate = true;
}
return webRequest;
}

"Stephen Sanderlin" <stephen NS-DOT sanderlin A-NS-T msprojectexperts
DOT-NS com> wrote in message

If you tried to post a screenshot, unfortunately it wont come through
in the NG. You can email it to me if youd like.



I modified this code to work from my laptop (which is a member of a
domain) to my Dev VPC (which is a member of its own workgroup) if the
VPC and I were in the same domain and I had proper permissions, it would
work as defined in the SDK. Also, if I were running the impersonation
code from the Project Server WFE/App Server as the SSP Admin or another
account with proper permissions, it would work as defined in the SDK.



Heres the sample code that works for me:

protected override System.Net.WebRequest GetWebRequest(Uri uri)

{

WebRequest _webRequest = base.GetWebRequest(uri);

if (_contextString != String.Empty)

{

_webRequest.UseDefaultCredentials = false;



bool isImpersonating =


(System.Security.Principal.WindowsIdentity.GetCurrent(true) != null);

_webRequest.Credentials = new
NetworkCredential("admin", "password", "epmdev");



_webRequest.Headers.Add("PjAuth", _contextString);

_webRequest.Headers.Add("ForwardedFrom",
"/_vti_bin/psi/Resource.asmx");



_webRequest.PreAuthenticate = true;

}

return _webRequest;

}



Just as a side note instead of embedding the credentials in this
property, I would set create a NetworkCredential static field in the
ResourceDerived class and add two methods to get and set it then, I
would change the code to this:

protected override System.Net.WebRequest GetWebRequest(Uri uri)
{
    WebRequest _webRequest = base.GetWebRequest(uri);
    if (_contextString != String.Empty)
    {
        bool isImpersonating =
            (System.Security.Principal.WindowsIdentity.GetCurrent(true) != null);

        // Use the credentials held in the static field when they have been set;
        // otherwise fall back to the default credentials.
        if (_credentials != null)
        {
            _webRequest.UseDefaultCredentials = false;
            _webRequest.Credentials = _credentials;
        }
        else
        {
            _webRequest.UseDefaultCredentials = true;
            _webRequest.Credentials =
                CredentialCache.DefaultCredentials;
        }

        _webRequest.Headers.Add("PjAuth", _contextString);
        _webRequest.Headers.Add("ForwardedFrom",
            "/_vti_bin/psi/Resource.asmx");

        _webRequest.PreAuthenticate = true;
    }
    return _webRequest;
}



Hope it works for you too!


--

Stephen Sanderlin

Principal Consultant

MSProjectExperts



For Project Server Consulting: http://www.msprojectexperts.com

For Project Server Training: http://www.projectservertraining.com



Read my blog at: http://www.projectserverhelp.com/

Join the community at: http://forums.epmfaq.com
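The static credential field and its get/set methods described in the side note above, with a caller that prompts for the password instead of compiling it in. This is an added example, not code from the thread or the SDK sample. It assumes .NET Framework (System.Web.Services); the SoapHttpClientProtocol base class and the names SetContextString, SetCredentials, GetCredentials and ReadPassword are assumptions chosen so the example compiles on its own.

```csharp
using System;
using System.Net;
using System.Text;
using System.Web.Services.Protocols;

// Stand-in for the sample's ResourceDerived. Deriving from SoapHttpClientProtocol
// is an assumption so this compiles alone; the sample derives from the Resource proxy.
public class ResourceDerived : SoapHttpClientProtocol
{
    private static string _contextString = String.Empty; // PjAuth header value
    private static NetworkCredential _credentials;       // null: caller's own identity

    // Hypothetical accessor names; the post only asks for "two methods to get and set it".
    public static void SetContextString(string value) { _contextString = value ?? String.Empty; }
    public static void SetCredentials(NetworkCredential value) { _credentials = value; }
    public static NetworkCredential GetCredentials() { return _credentials; }

    protected override WebRequest GetWebRequest(Uri uri)
    {
        WebRequest request = base.GetWebRequest(uri);
        if (_contextString.Length == 0) return request;  // ordinary call, no impersonation
        NetworkCredential creds = _credentials;          // read the static field once
        request.UseDefaultCredentials = (creds == null); // set before Credentials
        request.Credentials = (ICredentials)creds ?? CredentialCache.DefaultCredentials;
        request.Headers.Add("PjAuth", _contextString);
        request.Headers.Add("ForwardedFrom", "/_vti_bin/psi/Resource.asmx");
        request.PreAuthenticate = true;
        return request;
    }
}

public static class Program
{
    // Reads a password from the console without echoing it.
    static string ReadPassword()
    {
        StringBuilder sb = new StringBuilder();
        for (ConsoleKeyInfo k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            if (k.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (!Char.IsControl(k.KeyChar)) sb.Append(k.KeyChar);
        Console.WriteLine();
        return sb.ToString();
    }

    public static void Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: <user> <domain>"); return; }
        Console.Write("Password for {0}\\{1}: ", args[1], args[0]);
        ResourceDerived.SetCredentials(new NetworkCredential(args[0], ReadPassword(), args[1]));
        Console.WriteLine("Credentials set for " + ResourceDerived.GetCredentials().UserName);
    }
}
```

Passing null to SetCredentials returns the class to the default-credentials branch, so the same build works both on the Project Server box and from a remote machine.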
 
S

Stephan Steiner

Stephen

The credentials I'm sending are for the local administrator on my PS2007 box.. and PSS runs using those credentials.

I'll turn on diagnostic logging now.

Regards
Stephan
"Stephen Sanderlin" <stephen NS-DOT sanderlin A-NS-T msprojectexperts DOT-NS com> wrote in message

Shouldn't be case sensitivity. The only thing I can think at this point is permissions. Are you sure that you gave the user in question access to the SSP as a process account and that it has full admin rights to the Project Server?

Have you tried turning up Diagnostic Logging to see if that yields anything helpful in the ULS or App logs?

 
S

Stephan Steiner

Stephen

Do you have any ideas which categories we're looking at in this scenario? There are more than I care to reconfigure.

Could it be Office Server Shared Services? Or Project Server security?

Regards
Stephan
 
S

Stephen Sanderlin

Personally, I would go through the list and just make sure they are all
the same. Note the differences between default (if any), and then change
the All category to the maximum.

 
S

Stephan Steiner

Stephen

I finally gave in and added additional accounts to the SSP as per your instructions. At first I almost smashed my box when it still wouldn't work. Then I added my domain account and tried again with my domain credentials and this time it worked out. Then, upon trying again with the local admin credentials I still got a response - so now I can work with a non personalized account which is exactly what I was looking for.

One funny thing though.. I noted that the SSP Account was actually another local account, not the admin account - but if I use those credentials, I still get a 401.

Regards
Stephan
"Stephen Sanderlin" <stephen NS-DOT sanderlin A-NS-T msprojectexperts DOT-NS com> wrote in message

Instead of doing this in the override for GetWebRequest, try setting your custom NetworkCredential to the Credentials property of your instance of the ResourceDerived class and leaving _webRequest.Credentials set to CredentialsCache.DefaultCredentials (or DefaultNetworkCredentials).



Additionally, by default, only the SSP Admin account has access to the SSP itself. This is why, by default, you can only access it with that user. To use other accounts, grant the accounts process account rights to the SSP:

1) In SharePoint Central Admin, go to "Application Management" and click "Manage this Farm's Shared Services".

2) Hover over the SSP's name

3) Click the drop-down arrow that appears to the right of the SSP's name

4) Click "Edit Properties"

5) Scroll to the bottom of the "Edit Shared Services Provider" page

6) Enter the user's ID into the "Process Accounts with access to this SSP" box

7) Click the "OK" button



 
S

Stephen Sanderlin

I'm glad to hear you got it working.



Since they're different accounts, does the local SSP account have Admin
access to Project Server?

 
S

Stephan Steiner

The SSP Account has no rights to access Project Server.. nor to log in interactively. I guess that explains everything - I was under the impression that the SSP would run under the same account that the project server runs on (that account has pwa access of course) and so I tried to log in using those credentials.

I'm new to SharePoint so I didn't realize my mistake. Thanks for being so patient and still pointing me into the right direction.. I should just've tried all your suggestions from the get-go.

Regards
Stephan
"Stephen Sanderlin" <stephen NS-DOT sanderlin A-NS-T msprojectexperts DOT-NS com> wrote in message

I'm glad to hear you got it working.



Since they're different accounts, does the local SSP account have Admin access to Project Server?

 
S

Stephen Sanderlin

No problem. I am happy to help. One note for the future: in a domain
environment, Microsoft recommends that the SSP account be a domain
account.



Don't apologize for being a newbie - we were all there once. Nobody
knows everything, and anyone that claims to is a fool. Don't second
guess yourself, either - it's good that you tried to resolve the problem
on your own and didn't just do what I said. Trial-and-error is the only
way to learn this stuff, and even though it turned out that we could
have resolved your issue earlier, trying to work through it on your own
gave you valuable experience.



Now, let's try to get your other problems solved :o)


 
