InfoPath 2013 Read SharePoint 2013 File data using Rest API Access Denied Exception

    Question

  • I am designing a set of Forms and they need to query Data from among themselves.

    The whole set up described below works in the Form Filler/Preview

    I'll call them Form A and Form B

    Form A has a repeating table that needs to be displayed in Form B

    The user selects from a DropDown in Form B an Instance of Form A; using the selected ID, a REST connection is executed so the Form A xml is available inside Form B. The connection is set up as follows:

    _api/web/lists/ListName/Items(SelectedId)/File/$value

    I publish the form as site content type, add it to a library, after triggering the REST connection I get an error. ULS gives me a 401 Access denied for NT Authority\IUSR (as it should since I don't have anonymous access enabled [nor has that solved the issue])

    That's my issue. All requests on the REST api are being executed as anonymous and not as a user that should have permission.

    Things I've tried:

    1. The connection uses a UDCX file, the connection is set to use the form server proxy. The proxy has been enabled for the Form Services, web application and user connection. I've tried it with a configured App ID or an Explicit account

    2. I've tried enabling Anonymous access, but have had no success

    3. I've gotten the Query to work on Post Backs by adding the following to the web.config:

    <location path="_layouts/15/Postback.FormServer.aspx">
      <system.web>
        <identity impersonate="false" userName="bhs\sp_admin_dev" password="M1crosoft" />
      </system.web>
    </location>

    And while it solves the issue for Postback requests and I could add FormServer.aspx to the list I can't use this solution for a production environment, nor can I predict other issues that could be caused by the change.

    I haven't been able to find any references to this error so I wonder if I'm doing something wrong or if there's another way to do this.

    If I've been unclear on anything, let me know and I'll try to clear it up.


    • Edited by Choggo Saturday, August 10, 2013 9:57 PM Making things clearer
    Saturday, August 10, 2013 9:56 PM
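
An added example, not part of the original post and not Microsoft's code: a PowerShell check that lists `<identity>` elements in a web.config that embed an account, as the workaround above does, so they can be found and removed before a configuration reaches production. The function name `Find-EmbeddedIdentity` and the sample file (with placeholder account and password) are constructed for illustration; the check assumes a web.config without an XML namespace on its root element.

```powershell
# Constructed sample web.config; account name and password are placeholders.
$sampleConfig = @'
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
  <location path="_layouts/15/Postback.FormServer.aspx">
    <system.web>
      <identity impersonate="false" userName="EXAMPLE\svc_placeholder" password="placeholder" />
    </system.web>
  </location>
</configuration>
'@

function Find-EmbeddedIdentity {
    param([Parameter(Mandatory)][xml]$Config)

    # Every <identity> element, site-wide or inside a <location> override.
    foreach ($node in $Config.SelectNodes('//system.web/identity')) {
        $hasUser = $node.HasAttribute('userName')
        $hasPass = $node.HasAttribute('password')
        # An <identity> with no stored account is not a finding.
        if (-not ($hasUser -or $hasPass)) { continue }

        # Walk up to the enclosing <location>, if any, to report the scoped path.
        $location = $node.SelectSingleNode('ancestor::location')
        [pscustomobject]@{
            Scope       = if ($location) { $location.GetAttribute('path') } else { '(site-wide)' }
            Impersonate = $node.GetAttribute('impersonate')
            UserName    = $node.GetAttribute('userName')
            # Report only whether a password is stored, never its value.
            HasPassword = $hasPass
        }
    }
}

# The sample yields one finding: the Postback.FormServer.aspx override.
Find-EmbeddedIdentity -Config ([xml]$sampleConfig) | Format-Table -AutoSize
```

To audit a real file, pass `[xml](Get-Content -Raw <path to web.config>)` as `-Config`.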

Answers

  • Hi Choggo,

    Thank you for your information.

    Regarding this issue, it seems we may need to debug and trace your network, to check whether the parameter that is used for the REST connection is correct.

    I checked with InfoPath team members regarding this issue; they suggest that you try impersonation, so that the user that logs in is not anonymous, but the user that you have already been assigned.

    The last suggestion from our SharePoint team members that we are able to make, as we have limited tools in this forum support, is that you check the UDCX file itself and whether the permission to access that file is correct. For example, if the file does not have permission to be read/accessed, then the system may result in the anonymous account, so that we may have the result that the data that should be passed is able to be accessed.

    If this suggestion is not applicable to your environment, our SharePoint team members suggest that you open an incident ticket, so that we can check and reconfirm in more depth for you whether this is an undocumented feature or not. The action plan is to have a remote session; then we can trace the data passing process, that is already correct, so that the IUSR does not appear when it authenticates.

    http://support.microsoft.com/contactus/?wa=wsignin1.0


    Regards,
    Aries
    Microsoft Online Community Support


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, August 23, 2013 6:31 AM

All replies

  • Hi,
    For this issue, I'm trying to involve someone familiar with this topic to further look at it.
    Thanks,

    Qiao Wei
    TechNet Community Support

    Tuesday, August 13, 2013 3:21 AM
  • Hi Choggo,

    Regarding this issue, please check your IIS settings; it seems there is a setting that may be rejected.

    401 Access denied for NT Authority\IUSR is an access denied error code that is caused by the anonymous user.

    Usually IIS recognizes IUSR as anonymous.

    You may check these settings:

    1.) Open IIS and select the website that is causing the 401

    2.) Open the "Authentication" property under the "IIS" header

    3.) Click the "Windows Authentication" item and click "Providers"

    4.) For me the issue was that Negotiate was above NTLM; I moved NTLM to the topmost spot.

    Or check the anonymous settings:

    • Go to IIS manager
    • Select your desired website
    • Select the Authentication Rules feature
    • Along the left hand side in the Actions pane select Add Allow Rule
    • Select Anonymous Users and click OK

    Perhaps setting the impersonate method may help, so IIS will not recognize the user as IUSR, but as the assigned user with permission.

    Please check this KB: http://support.microsoft.com/kb/306158


    Regards,
    Aries
    Microsoft Online Community Support




    • Edited by Aries - MSFT Tuesday, August 13, 2013 6:52 AM
    • Proposed as answer by Jin Chen Monday, August 26, 2013 12:57 AM
    Tuesday, August 13, 2013 6:50 AM
  • Hi Aries,

    I understand that enabling anonymous access would solve the issue (and by impersonating, I achieved the same result, which is only acceptable for my development environment)

    The problem is, that I cannot enable anonymous access, since I am accessing a SharePoint site that does not have anonymous access configured (and will not have such access enabled)

    Basically, the issue I am facing is that the REST connection InfoPath uses is not behaving the same way as other InfoPath connections which respect the authentication options inside the UDCX file.

    This seems to be a Bug.

    Wednesday, August 21, 2013 5:56 PM
  • Hey Aries, I will look into opening a support ticket. Thanks for the help =]

    I have just installed a new development environment, and will see if I can reproduce it there, as well.
    • Edited by Choggo Wednesday, August 28, 2013 5:11 PM New thoughts
    Wednesday, August 28, 2013 5:10 PM
  • Hi Choggo,

    Thanks for the reply.

    Please let me know if the result is reproducible in your development environment, so we may have a parallel job to help you.


    Regards,
    Aries
    Microsoft Online Community Support



    Thursday, August 29, 2013 2:51 AM