Tag Archives: security

SharePoint Bending: Forefront Forbids Programmatic File Uploads

I had a custom page that needed to be deployed inside a MOSS 2007 site’s document library. The problem was, there were more than 100 sites in the site collection. Manually uploading the file would have been too time-consuming, so I decided to write a simple console application to upload the file to each site’s document library.

The application simply made use of the Microsoft.SharePoint.SPFileCollection.Add() method to upload the file programmatically to the desired document library. In my development environment, it worked flawlessly. So I happily went to the client and ran the application on the production server. Almost immediately, the application exited without any message. That was strange, because I had made it output the upload status as well as the exception message.

Then I added more verbose exception handling, printing out the exception stack trace as well as the exception type, and I got the following output:

    Exception class: Microsoft.SharePoint.SPException
    Exception message:
    Stack Trace:
    at Microsoft.SharePoint.SPFileCollection.Add(String urlOfFile, Byte[] file, Boolean overwrite, String checkInComment, Boolean checkRequiredFields)
    at Microsoft.SharePoint.SPFileCollection.Add(String urlOfFile, Byte[] file, Boolean overwrite)

See? No exception message. How the heck would I know what happened then? Well, at least I got the idea that the failure was in the execution of the Microsoft.SharePoint.SPFileCollection.Add() method. I ran the code under the administrator account, the same account used as the site’s administrator, so it shouldn’t have been an account problem. I fired up the browser and tried to upload the file manually to the document library using the same administrator account, and it also worked. So this was definitely not a permission problem.

After messing around with the site’s settings and permissions, rewriting my application’s code many times, and googling for solutions, I finally found the real problem. It was neither the code nor the permissions. It seemed that the production server had Microsoft Forefront Server Security installed, and it was configured to scan for viruses on every file upload and download.

So what I did to fix the issue was:

  • Open SharePoint Central Administration
  • Open the Operations tab
  • Click on the Antivirus link under the Security Configuration section
  • Turn off the Scan documents on upload setting

Then I could successfully run my application to upload the file to every site.

This is a mere workaround that resolves the problem temporarily. I still need to find a proper solution so my application can work with Forefront.

SharePoint Bending: Allow Non-Administrator Users to Write to the Event Log

Recently, a colleague asked me about an error that happened after he moved a WSS 3.0 Web site from the development to the production server.

When logged in as an administrator, all pages could be accessed successfully. But as a regular user, I got an “Access is denied” page when opening some pages containing some custom web parts, with the following exception detail: System.ComponentModel.Win32Exception: Access is denied. Below it, in the stack trace, another exception appeared: InvalidOperationException: Cannot open log for source ‘Some_webpart’. You may not have write access.

This happens because non-administrator users do not, by default, have permission to write to the event log. So to fix this problem, just give the non-administrator users permission to write to the event log. If only it were that simple. Unfortunately, there is no easy (user-friendly) way to do this. Follow these steps:

  1. Fire up the registry editor which is usually located in C:\WINDOWS\regedit.exe.
  2. Navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application.
  3. Look for the entry CustomSD; it should contain a string similar to:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

    The string is written in SDDL (Security Descriptor Definition Language); you can find more information about the format at Microsoft’s site.

  4. Now tell Windows to give read-write permission on the event log to all authenticated users. To do this, append the string (A;;0x3;;;AU) to the CustomSD entry so that it becomes:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;AU)

After following the above steps, retry visiting the pages on your SharePoint site. The “access denied” problem should now be gone. I hope this helps you run your MOSS 2007 or WSS 3.0 installation on Windows 2003 Server.

Disclaimer: remember to back up your registry before making any changes. I am not responsible for any damage to your system caused by registry errors.
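To see exactly what the appended ACE changes, the following added example (not part of the original post) parses the CustomSD string from steps 3 and 4 and evaluates event log access for a given set of group SIDs. The meaning of bits 0x1/0x2/0x4 and the trustee names are the standard Windows definitions; WEB_USER is an assumption standing in for the regular site user.

```python
import re

# Event log access rights: the low three bits of each ACE's rights field.
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}
# SDDL trustee abbreviations that occur in the CustomSD string on this page.
SIDS = {"AN": "Anonymous", "BG": "Builtin Guests", "SY": "Local System",
        "BA": "Builtin Administrators", "SO": "Server Operators",
        "IU": "Interactive", "SU": "Service", "S-1-5-3": "Batch",
        "AU": "Authenticated Users"}
ACE_RE = re.compile(r"\(([AD]);[^;]*;([^;]*);[^;]*;[^;]*;([^;)]+)\)")

# The two CustomSD values from steps 3 and 4.
BEFORE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
          "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")
AFTER = BEFORE + "(A;;0x3;;;AU)"
# Constructed token (assumption): a non-admin site user holding only this SID.
WEB_USER = {"AU"}

def parse_dacl(sddl):
    """Return [(kind, mask, trustee)] for the ACEs after 'D:', in order.
    Handles only numeric rights and no DACL flags or SACL, as on this page."""
    _, sep, dacl = sddl.partition("D:")
    matches = list(ACE_RE.finditer(dacl))
    if not sep or "".join(m[0] for m in matches) != dacl:
        raise ValueError("not a plain list of ACEs after D:")
    return [(m[1], int(m[2], 16), m[3]) for m in matches]

def effective(aces, token):
    """Walk the ACEs in order; for each bit the first matching ACE decides."""
    granted = denied = 0
    for kind, mask, trustee in aces:
        if trustee in token and kind == "A":
            granted |= mask & ~denied
        elif trustee in token:
            denied |= mask & ~granted
    return {name for bit, name in RIGHTS.items() if granted & bit}

def describe(aces):
    """Render each ACE as 'allow|deny <trustee>: right+right'."""
    return [f"{'allow' if k == 'A' else 'deny'} {SIDS.get(t, t)}: "
            + "+".join(n for b, n in RIGHTS.items() if m & b)
            for k, m, t in aces]

if __name__ == "__main__":
    print("\n".join(describe(parse_dacl(AFTER))))
    for label, sd in (("before", BEFORE), ("after", AFTER)):
        print(label, sorted(effective(parse_dacl(sd), WEB_USER)) or "no access")
```

The deny ACEs for Anonymous and Builtin Guests come first, so they still override the new grant. The same evaluation shows that (A;;0x2;;;AU) would grant write without read, a narrower grant if the web parts only write entries.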