4

I have a small C# ASP.NET WebService. I would like to call this WebService from a Windows client and do some things on a SharePoint Document Library (e.g. uploading a file).

But if I upload a file it will be executed with the credentials from the webservice instead of the credentials from the User who invoked the WebService. Result = All files will be displayed as "created by" = System Account...

Is it possible to call this WebService (from browser or Script $.Ajax) with the current Windows User Credentials and to work with these credentials in the WebService?

I know that I can display the user who invoked the WebService for example in this way:

return Username = User.Identity.Name;

But you cannot use it to work with this type of credentials?

I already tried several things but I was not able to get the current User.

Code Example1: (SharePoint Client Object Model)

ClientContext context = new ClientContext("http://domain.local");
context.Credentials = System.Net.CredentialCache.DefaultCredentials;

Code Example2: (SharePoint Server Object Model)

using Microsoft.SharePoint;

SPUserToken userToken = null;

// Read the target user's token while running with elevated privileges.
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    using (SPSite site = new SPSite("SiteUrl"))
    {
        using (SPWeb web = site.OpenWeb())
        {
            userToken = web.AllUsers["DOMAIN\\USERNAME"].UserToken;
        }
    }
});

// Reopen the site with that user's token.
using (SPSite site = new SPSite("SiteUrl", userToken))
{
    using (SPWeb web = site.OpenWeb())
    {
        // Perform actions
    }
}

Code Example3: (I don't like that one) I found one possible way, but I have to type the password in plain text in the code, which I don't like:

NetworkCredential credentials = new NetworkCredential("username", "pwd", "domain");

ClientContext context = new ClientContext("http://site-url");
context.Credentials = credentials;
...

I think the most important things in the web.config file are also here?:

<authentication mode="Windows"/>
<add name="Access-Control-Allow-Origin" value="http://domain.local"/>
<add name="Access-Control-Allow-Credentials" value="true"/>
<add name="Access-Control-Allow-Headers" value="Content-Type"/>

Any ideas how I can execute the Code with the user context from the current user?

Script Call:

$.ajaxSetup({
    type: "GET",
    url: "webServiceUrl",
    data: { string: "value" },
    dataType: 'json',
    xhrFields: {
        withCredentials: true
    },
    crossDomain: true,

    success: function(data){
    },
    error: function(XMLHttpRequest, textStatus, errorThrown){
    }
});
John Saunders
Simon
  • What you are looking for is something called constrained delegation, it can be done with Kerberos, but it's non-trivial and requires quite a lot of setup. – undefined Aug 13 '13 at 18:54
  • @LukeMcGregor thanks for your answer. Is this only working within a C# application that invokes the request, or also from a browser with, for example, a $.Ajax call? If both ways are supported then it will be interesting for me. – Simon Aug 13 '13 at 19:30

1 Answer

0

I don't know your requirements and your environment, but couldn't you upload the files directly from the Windows client using CSOM?

Here's a link on how to set up constrained delegation: http://msdn.microsoft.com/en-us/library/ff650591.aspx#_Step_7:_Impersonate.
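
The impersonation step that the comment and the answer point to, as an added example that is not part of the original question or answer: the web method runs only the SharePoint upload under the caller's Windows identity and reverts afterwards, with no password in code. The names `UploadService`, `Upload` and `LibraryPath` are hypothetical, and the code assumes IIS Windows authentication with anonymous access disabled and Kerberos constrained delegation already configured from the service's application pool account to SharePoint.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web.Services;
using Microsoft.SharePoint.Client;

// Added example, not the asker's code. Assumes Windows authentication in IIS and
// Kerberos constrained delegation configured for the hop to SharePoint.
public class UploadService : WebService
{
    // Site URL as in the question; the library path is a constructed placeholder.
    private const string SiteUrl = "http://domain.local";
    private const string LibraryPath = "/Shared Documents/";

    [WebMethod]
    public string Upload(string fileName, byte[] content)
    {
        var caller = this.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new UnauthorizedAccessException("Windows-authenticated caller required.");

        // An NTLM logon cannot be forwarded to a second server (the "double hop"),
        // so fail early instead of continuing under some other account.
        if (string.Equals(caller.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("NTLM logon cannot be delegated; Kerberos is required.");

        // Accept a bare file name only, so the caller cannot choose the target folder.
        string safeName = System.IO.Path.GetFileName(fileName);
        if (content == null || string.IsNullOrEmpty(safeName) || safeName != fileName)
            throw new ArgumentException("A plain file name and file content are required.");

        // Only the SharePoint call runs as the caller; disposing the context
        // reverts the thread to the application pool identity, even on failure.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        using (var context = new ClientContext(SiteUrl))
        using (var stream = new MemoryStream(content))
        {
            // DefaultCredentials now refers to the impersonated caller.
            context.Credentials = CredentialCache.DefaultCredentials;
            Microsoft.SharePoint.Client.File.SaveBinaryDirect(
                context, LibraryPath + safeName, stream, true);
        }
        return caller.Name; // account the upload was performed as
    }
}
```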