Tuesday, April 29, 2014

Monday, April 7, 2014

How to find a user's effective rights on a file

A client wanted a handler to figure out the current user's effective rights. I could not impersonate the user, so we needed to check the user's rights. Here is the class I am using to do it.

 public static class FileSystemRightsEx
        public static bool HasRights(this FileSystemRights rights, FileSystemRights testRights)
            return (rights & testRights) == testRights;

    public static class FileSystemEffectiveRights
        public static FileSystemRights GetRights(string userName, string path)
            ULSLoggingService.LogUITrace("Trying to get rights for the path.");

            if (string.IsNullOrEmpty(userName))
                throw new ArgumentException("userName");

            if (!Directory.Exists(path) && !File.Exists(path))
                throw new ArgumentException(string.Format("path:  {0}", path));

            return GetEffectiveRights(userName, path);

        /// <summary>
        /// based on the rules retrieved figure out if the user has acces
        /// </summary>
        /// <param name="userName">user name no domain</param>
        /// <param name="path">file share path</param>
        /// <returns></returns>
        private static FileSystemRights GetEffectiveRights(string userName, string path)
            FileSystemAccessRule[] accessRules = GetAccessRulesArray(userName, path);
            FileSystemRights denyRights = 0;
            FileSystemRights allowRights = 0;

            for (int index = 0, total = accessRules.Length; index < total; index++)
                FileSystemAccessRule rule = accessRules[index];

                if (rule.AccessControlType == AccessControlType.Deny)
                    denyRights |= rule.FileSystemRights;
                    allowRights |= rule.FileSystemRights;

            return (allowRights | denyRights) ^ denyRights;

        /// <summary>
        /// Compare the file system access rules with the sids comming from the user
        /// if we might have a deny rule or an allow rule
        /// </summary>
        /// <param name="userName">user name without domain</param>
        /// <param name="path">path to file</param>
        /// <returns></returns>
        private static FileSystemAccessRule[] GetAccessRulesArray(string userName, string path)
            ULSLoggingService.LogUITrace(string.Format("Trying to get access rules array for user '{0}' and path '{1}'.", userName, path));

            // get all access rules for the path - this works for a directory path as well as a file path
            AuthorizationRuleCollection authorizationRules = (new FileInfo(path)).GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier));

            foreach (AuthorizationRule rule in authorizationRules)
                ULSLoggingService.LogUITrace(string.Format("FileSystem Rule name: '{0}'",rule.IdentityReference.Translate(typeof(NTAccount)).Value));

            // get the user's sids
            string[] sids = GetSecurityIdentifierArray(userName);

            // get the access rules filtered by the user's sids
            return (from rule in authorizationRules.Cast<FileSystemAccessRule>()
                    where sids.Contains(rule.IdentityReference.Value)
                    select rule).ToArray();

        /// <summary>
        /// Get the group SIDS of the current user
        /// assumption: that users are unique within the domain
        /// </summary>
        /// <param name="userName">user's name without the domain</param>
        /// <returns>array of sids</returns>
        private static string[] GetSecurityIdentifierArray(string userName)
            // connect to the domain
            PrincipalContext pc = new PrincipalContext(ContextType.Domain);

            // search for the domain user
            UserPrincipal user = new UserPrincipal(pc) { SamAccountName = userName };
            PrincipalSearcher searcher = new PrincipalSearcher { QueryFilter = user };
            user = searcher.FindOne() as UserPrincipal;

            if (user == null)
                throw new ApplicationException(string.Format("Invalid User Name:  {0}", userName));

            // use WindowsIdentity to get the user's groups
            WindowsIdentity windowsIdentity = new WindowsIdentity(user.UserPrincipalName);
            string[] sids = new string[windowsIdentity.Groups.Count + 1];

            sids[0] = windowsIdentity.User.Value;

            for (int index = 1, total = windowsIdentity.Groups.Count; index < total; index++)
                sids[index] = windowsIdentity.Groups[index].Value;
                    ULSLoggingService.LogUITrace("User:" + userName + "User Group:" + windowsIdentity.Groups[index].Translate(typeof(NTAccount)).Value);
                catch (Exception ex)
                    ULSLoggingService.LogUIException("proplem with logging", ex);

            return sids;

Wednesday, February 26, 2014

FQL field search with a question mark '?'

I was trying to return a item by a query to the path


I could search for http://sometext/page.aspx or id=123 but the question mark would cause the query not to find the item.

The solution:
replace the ? with a space.  apparently the ? is a noise word and replaced with a space during indexing.  It is an odd issue, since the ? is show on the qr server.

such is life

Monday, February 24, 2014

Adding Controls to the Additional Page Head in Sharepoint 2010

I wanted to add a control that would add some html to site collection administration pages.  These pages are not directly editable.

I looked at adding controls to the additional page head tag within the master page.  The control in the master page looks like

<asp:ContentPlaceHolder id="PlaceHolderAdditionalPageHead" runat="server"/>

To the project add a new module

edit the elements.xml and add in your control

 <Control Id="AdditionalPageHead" ControlSrc="~/_CONTROLTEMPLATES/yourcontrol" Sequence="15100" xmlns="http://schemas.microsoft.com/sharepoint/" />

The sequence number is just a random number.

Now your control will be added to all pages that use the masterpage.  Just place some conditional logic in your control looking for the site collection addition page and there you have it

Wednesday, February 12, 2014

Windows 2008 R2 and fast search for sharepoint SAM worker dead issue

First few days on the job and I was banging my head against the wall.  I was seeing a communication error  between the content ssa and the sam worker.  In the log files I saw the following message

AdminLibrary.dll:MakeRemoteRequestToWorker - Unable to complete request to sam worker node

But the samworker was running when doing a nctrl status.  But when looking further and doing a

get fastsearchsecurityworkernode

the process was dead

It is caused by a loopback check during authentication in windows 2008r2.  It will happen when you are running fast on a standalone machine.

To fix the issue run

setspn -A http/servername.domain.com domain\username

Live and learn