Token Authentication

  • Question

  • Hello all... I was wondering if there's any way to log on to PSI using a user token... The thing is that I will impersonate a user and I want to use the user's credentials and, of course, privileges to run the PSI... Any ideas?
    Monday, February 22, 2010 2:20 PM

Answers

  • In general, you should limit granting impersonation permissions to a very small number of administrative user accounts, because impersonation bypasses the Project Server security model. You can't pass user tokens around willy-nilly.

    With the implementation of claims authentication in SharePoint 2010, you must grant permission for impersonation in two places. Here is the information added in the next release of the SDK (the Impersonation sample implementation has changed from the Beta to the RC version of Project Server).

    To set permissions in the Project Server Service application

    1. Open the SharePoint 2010 Central Administration page, and then click Manage Service Applications.
    2. Select the row for the Project Server Service application (Figure 1). Instead of clicking the name, select the row to highlight it.
    3. Click Permissions on the Service Applications tab.
    4. In the Connection Permissions for Project Server Service Application dialog box, add the user or group that needs permission to run impersonation applications. After you click Add, and the user name shows in the list of claims, ensure that you select the added user in the list and then check Full Control. Otherwise, the user is not added when you click OK. Full Control is the only option.
    5. To ensure that the user or group is added, reopen the Connection Permissions for Project Server Service Application dialog box.

    To set permissions in the Project Web App site

    1. In the Site Actions menu of Project Web App, click Site Permissions.
    2. On the Edit tab of the Permission Tools ribbon, click Grant Permissions.
    3. In the Grant Permissions dialog box (Figure 3), add a user or group in the Users/Groups textbox. Grant the user or group permission such as Restricted Read, or a higher permission. You can use a SharePoint group, or grant one or more permissions directly.

    Tuesday, February 23, 2010 12:46 AM
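
The answer above recommends keeping impersonation rights to a very small number of accounts. The following is an added example, not part of the original post or the SDK: a SharePoint 2010 Management Shell script that lists who holds connection permissions on the Project Server service application and flags entries that are not on an approved list. The service application display name and the allowlist entry are assumptions to replace with your own values.

```powershell
# Added example: audit the connection permissions of the Project Server
# service application (the list behind "Permissions" on the Service Applications tab).
param(
    # Assumption: the display name of the service application in this farm.
    [string]$ServiceAppName = 'Project Server Service Application',
    # Constructed sample allowlist in encoded-claim form; replace with approved accounts.
    [string[]]$ApprovedClaims = @('i:0#.w|contoso\svc-psi-impersonate')
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$app = @(Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $ServiceAppName })
if ($app.Count -ne 1) {
    throw "Expected exactly one service application named '$ServiceAppName', found $($app.Count)."
}

# Without -Admin this returns the connection permissions, not the administrators list.
$security = Get-SPServiceApplicationSecurity -Identity $app[0]

$report = foreach ($rule in $security.AccessRules) {
    New-Object PSObject -Property @{
        Claim         = $rule.Name
        AllowedRights = $rule.AllowedRights
        Approved      = ($ApprovedClaims -contains $rule.Name)
    }
}

$report | Sort-Object Approved | Format-Table Claim, AllowedRights, Approved -AutoSize

# Every entry here can run impersonation applications, so anything unapproved needs review.
$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) principal(s) hold connection permissions but are not on the approved list."
}
```

Entries the farm adds for its own accounts will also appear in the output; add them to the allowlist once reviewed so later runs only flag new grants.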
  • I don't think that's possible. If it were, it would be a huge hole in security.
    Thursday, February 25, 2010 3:05 PM

All replies

  • Hi Jim, thanks for the feedback... I think that if I describe my scenario to you, you might be able to help me more... because, honestly, I'm almost giving up...
    On IIS every web app runs in a pool, and associated with the pool there's a user... To execute one specific action I need to retrieve that user's (the pool user's) credentials/token or get his privileges to do so... and I was thinking... if I get that user's token I can impersonate him... (So far I can impersonate any third user, but I have to provide the account/password; my method is ready to use the IntPtr tokens)... Once impersonated I could log on to PSI by WinLogon (also successful) and then execute the action...
    All that because the client doesn't want any kind of user/password in web.config, hard-coded, or in any other kind of configuration file, regardless of how encrypted that info is...
    Tuesday, February 23, 2010 1:20 PM