
Month: August 2013

SharePoint Claims based web application shows the identity “NT Authority\IUSR” instead of the logged in user.

Recently, I worked on a SharePoint project that used a Claims based web application. One of the web parts called a custom web service hosted in the ISAPI folder of SharePoint. The call was made via a server-side proxy using C# code, and this particular design resulted in quite a big challenge. While calling the web service from a web part using a service proxy, I noticed that the user account being passed to the web service was NT Authority\IUSR.


On the other hand, if I created a site collection under a Windows Authenticated web application and deployed the web parts in this site collection, the behaviour was different (and desired): the web parts communicate with the web service, which is still deployed under the Claims based web application. With this design, the identity in the web service is the same as that of the logged-in user.


Resolution:

The closest issue I found that someone else had was Danny Hansen's, at least in terms of the error message. But unfortunately, the resolution did not seem to help with my issue.

http://www.dannyhansen.nl/sharepoint/sharepoint-2010/sharepoint-2010-claim-based-authentication-new-httpwebrequest-with-use-default-credentials-result-401

After some more rounds of trial and error and some research, I came to know about the Claims to Windows Token Service. Basically, in claims mode the WindowsIdentity of the user does not exist because it is created as an IClaimsIdentity (that is, in .NET 3.5, an interface that inherits IIdentity). For this reason, the developer must call a special .NET WCF service called C2WTS (Claims to Windows Token Service) that will return a WindowsIdentity that can be used for delegation. It is a .NET service that is configured in SharePoint, and the procedure to configure it is quite long and must be carefully followed, otherwise it will not work. Step-by-step configuration is available at http://support.microsoft.com/kb/2722087.

For the web service to work, below is the code I modified to implement what I describe above:



using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;
using Microsoft.SharePoint;

// Member of the Utility class referenced by the calling code below.
public static WindowsIdentity GetWindowsIdentityFromClaimsToken()
{
	WindowsIdentity wi = null;

	// Run this portion of code as application pool account, so that C2WTS service is called as this account
	SPSecurity.RunWithElevatedPrivileges(delegate()
	{
		// Get the UPN value of the user from the UPN claim type
		IClaimsIdentity identity = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
		string upn = null;
		foreach (Microsoft.IdentityModel.Claims.Claim claim in identity.Claims.Where(claim => StringComparer.Ordinal.Equals(ClaimTypes.Upn, claim.ClaimType)))
		{
			upn = claim.Value;
		}

		if (upn == null)
		{
			throw new Exception(string.Format("Cannot Impersonate {0} since he doesn't have a UPN in his claims", Thread.CurrentPrincipal.Identity.Name));
		}

		// Get a WindowsIdentity from the UPN of the user by calling C2WTS service
		try
		{
			wi = S4UClient.UpnLogon(upn);
		}
		catch (System.Exception ex)
		{
			// Keep the original exception as InnerException so the C2WTS failure cause is not lost
			throw new Exception(string.Format("Impersonation failed. Message: {0}", ex.Message), ex);
		}
	});

	return wi;
}

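// Dispose the WindowsIdentity as well, so the token handle returned by C2WTS is released
using (WindowsIdentity wi = Utility.GetWindowsIdentityFromClaimsToken())
using (WindowsImpersonationContext ctxt = wi.Impersonate())
{
	//Call the web service here...
}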

The function GetWindowsIdentityFromClaimsToken basically returns the Windows token from the claims token. To read more about C2WTS, here is a link to the MSDN documentation:

http://msdn.microsoft.com/en-us/library/ee517278.aspx
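A tighter variant of the helper above, as an added example that is not the author's code: it accepts a UPN claim only from an expected original issuer, refuses ambiguous claims, and elevates only for the C2WTS call itself. The names ClaimsToWindows, GetTrustedUpn, RunAsCaller and the trustedOriginalIssuer parameter are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;
using Microsoft.SharePoint;

public static class ClaimsToWindows
{
	// trustedOriginalIssuer is an assumption: the OriginalIssuer value your farm stamps
	// on claims of Windows-authenticated users (log claim.OriginalIssuer to confirm it).
	public static string GetTrustedUpn(IClaimsIdentity identity, string trustedOriginalIssuer)
	{
		if (identity == null || !identity.IsAuthenticated)
			throw new UnauthorizedAccessException("Caller is not an authenticated claims identity.");

		// Only accept UPN claims that originate from the expected issuer.
		var upns = identity.Claims
			.Where(c => StringComparer.Ordinal.Equals(ClaimTypes.Upn, c.ClaimType)
				&& StringComparer.OrdinalIgnoreCase.Equals(trustedOriginalIssuer, c.OriginalIssuer))
			.Select(c => c.Value)
			.Distinct(StringComparer.OrdinalIgnoreCase)
			.ToList();

		// Zero means there is nothing to map; more than one is ambiguous. Refuse both.
		if (upns.Count != 1)
			throw new UnauthorizedAccessException(
				string.Format("Expected exactly one trusted UPN claim, found {0}.", upns.Count));
		return upns[0];
	}

	// Runs callService under the caller's Windows identity and always reverts afterwards.
	public static void RunAsCaller(string trustedOriginalIssuer, Action callService)
	{
		// Claim parsing needs no elevation, so do it before switching to the app pool account.
		string upn = GetTrustedUpn(Thread.CurrentPrincipal.Identity as IClaimsIdentity, trustedOriginalIssuer);

		WindowsIdentity wi = null;
		// Elevate only for the C2WTS call itself.
		SPSecurity.RunWithElevatedPrivileges(delegate() { wi = S4UClient.UpnLogon(upn); });

		using (wi)               // releases the token handle
		using (wi.Impersonate()) // reverts impersonation even if callService throws
		{
			callService();
		}
	}
}
```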

How to send email using SharePoint?

I am not sure why, but Microsoft does it every time. They give you a piece of functionality but leave you struggling with a certain so-called ‘known’ limitation.

One such limitation is sending emails when using SharePoint. SharePoint provides an API called ‘SPUtility.SendEmail’ to send emails. But the implementation of this API seems to be incomplete. If you look at the method, it is impossible to send an email with an attachment or to change the from address of the sender.


To make things simpler, you can use the following class to extend the functionality and use the good old MailMessage object to send email (without any extra infrastructure configuration).


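using System;
using System.Net.Mail;
using Microsoft.SharePoint.Administration;

public class SMTPHelper
{
	private readonly string _specifiedPickupDirectory = string.Empty;
	private readonly SmtpClient _smtpClient;

	// Pass null or an empty string to relay through the farm's outgoing mail server;
	// pass a directory path to write messages there as files instead.
	public SMTPHelper(string specifiedPickupDirectory)
	{
		_specifiedPickupDirectory = specifiedPickupDirectory;

		_smtpClient = new SmtpClient();
		if (string.IsNullOrEmpty(_specifiedPickupDirectory))
		{
			//Get the Sharepoint SMTP information from the SPAdministrationWebApplication
			var mailService = SPAdministrationWebApplication.Local.OutboundMailServiceInstance;
			if (mailService == null)
			{
				// No outgoing e-mail server is configured in Central Administration
				throw new InvalidOperationException("Outgoing e-mail is not configured for this farm.");
			}
			_smtpClient.Host = mailService.Server.Address;
		}
		else
		{
			_smtpClient.PickupDirectoryLocation = _specifiedPickupDirectory;
			_smtpClient.DeliveryMethod = SmtpDeliveryMethod.SpecifiedPickupDirectory;
		}
	}

	public void SendEmail(MailMessage mailMessage)
	{
		_smtpClient.Send(mailMessage);
	}
}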

The above code basically makes use of the OutboundMailServiceInstance to retrieve the SMTP server address configured within SharePoint. Generally, you can configure this address in Central Administration -> System Settings -> Configure outgoing e-mail settings.
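The two things SPUtility.SendEmail cannot do, a custom from address and an attachment, sent through the SMTPHelper class above. This is an added example, not the author's code: ReportMailer, SendReport, the addresses and the file name are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Net.Mail;
using System.Text;

public static class ReportMailer
{
	// Hypothetical helper; sender address, subject and file name are constructed sample values.
	public static void SendReport(SMTPHelper smtp, string to, string csvBody)
	{
		// MailAddress parses and validates its input, so a malformed address
		// throws FormatException here instead of reaching the relay.
		var from = new MailAddress("reports@example.com", "Reports");
		var recipient = new MailAddress(to);

		using (var message = new MailMessage(from, recipient))
		using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(csvBody)))
		{
			message.Subject = "Weekly report";
			message.Body = "The report is attached.";
			// Attach in-memory content under an explicit file name and media type.
			message.Attachments.Add(new Attachment(stream, "report.csv", "text/csv"));
			smtp.SendEmail(message);
		}
	}
}
```

Constructing the helper with a pickup directory instead of null writes the message to disk as a file, which lets you inspect the headers and attachment before anything goes through the farm's relay.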


Get Unique Values from a JavaScript Array using jQuery

I have seen this question so many times on forums, so I decided to post it as a tip. Here is a simple code snippet to get a unique list of values out of a JavaScript array. It makes use of jQuery to do a lookup.


function GetUnique(inputArray)
{
	var outputArray = [];
	for (var i = 0; i < inputArray.length; i++)
	{
		if ((jQuery.inArray(inputArray[i], outputArray)) == -1)
		{
			outputArray.push(inputArray[i]);
		}
	}
	return outputArray;
}


Don’t SharePoint While Walking

I received this email from someone by the name of Mike Harmon (fake?) from harmon.ie. From the web site, it looks like they are into product development using the SharePoint platform.


In any case, the YouTube video seems to be quite intuitive marketing. And something very unlikely when you really talk about SharePoint 🙂

Disclaimer: I have no relation with harmon.ie and have used tried their product.