WEBDAV Exchange Item Based Security - Not Updating
Ben Donneghaille
Guest





Posted: Mon Dec 20, 2004 6:25 am    Post subject: WEBDAV Exchange Item Based Security - Not Updating

I have been attempting to use WEBDAV to update item level security on
public folder items in exchange.

The code I am using adds nodes to the security descriptor, and each
submission to alter the ACLs on the item is returned with a 207
Multi-Status OK status, which would suggest that my update was
successful.

The XML I am getting off the item using PROPFIND is below

<?xml version="1.0"?>
<a:multistatus
xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
xmlns:c="xml:" xmlns:d="http://schemas.microsoft.com/exchange/"
xmlns:f="urn:schemas-microsoft-com:office:office"
xmlns:e="http://schemas.microsoft.com/exchange/security/"
xmlns:a="DAV:">
<a:response>
<a:href>http://DOMAINexch01/public/z%20ben/bjd.EML</a:href>
<a:propstat>
<a:status>HTTP/1.1 200 OK</a:status>
<a:prop>
<e:descriptor>
<S:security_descriptor
xmlns:S="http://schemas.microsoft.com/security/"
xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
D:dt="microsoft.security_descriptor" S:from_mapi_tlh="1">
<S:revision>1</S:revision>
<S:owner S:defaulted="0">
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
<S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
<S:display_name>User One</S:display_name>
</S:sid>
</S:owner>
<S:primary_group S:defaulted="0">
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-513</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\Domain Users</S:nt4_compatible_name>
<S:ad_object_guid>{e9879cfb-7c9f-4040-abf7-ba5a2298b7d3}</S:ad_object_guid>
</S:sid>
</S:primary_group>
<S:dacl S:defaulted="1" S:protected="0" S:autoinherited="1">
<S:revision>2</S:revision>
<S:effective_aces>
<S:access_allowed_ace S:inherited="1">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-1112</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\user3</S:nt4_compatible_name>
<S:ad_object_guid>{b16e749b-8fa2-4315-b5c3-bf4448582428}</S:ad_object_guid>
<S:display_name>User Three</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="1">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
<S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
<S:display_name>User One</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="1">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-7</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
<S:ad_object_guid>{acbbf32e-fcbc-4349-9dde-79593942f816}</S:ad_object_guid>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="1">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-1355</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\a_team (47669)</S:nt4_compatible_name>
<S:ad_object_guid>{d30e47a8-9c4e-45cc-b832-3851d93e730a}</S:ad_object_guid>
<S:display_name>a_Team (47669)</S:display_name>
</S:sid>
</S:access_allowed_ace>
</S:effective_aces>
</S:dacl>
</S:security_descriptor>
</e:descriptor></a:prop></a:propstat></a:response></a:multistatus>


The XML I send back using PROPPATCH is below

<a:propertyupdate xmlns:a="DAV:"
xmlns:e="http://schemas.microsoft.com/exchange/security/">
<a:set>
<a:prop>
<e:descriptor>
<S:security_descriptor
xmlns:S="http://schemas.microsoft.com/security/"
xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
D:dt="microsoft.security_descriptor" S:from_mapi_tlh="1">
<S:revision>1</S:revision>
<S:owner S:defaulted="0">
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
<S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
<S:display_name>User One</S:display_name>
</S:sid>
</S:owner>
<S:primary_group S:defaulted="0">
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-513</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\Domain Users</S:nt4_compatible_name>
<S:ad_object_guid>{e9879cfb-7c9f-4040-abf7-ba5a2298b7d3}</S:ad_object_guid>
</S:sid>
</S:primary_group>
<S:dacl S:defaulted="1" S:protected="0" S:autoinherited="1">
<S:revision>2</S:revision>
<S:effective_aces>

<!-- THIS IS THE USER I AM TRYING TO ADD - I HAVE ATTEMPTED MANY
DIFFERENT MASKS, ADDING BOTH AN ALLOWED AND A DENIED NODE HOWEVER
NOTHING RETURNS AN ERROR BUT MORE IMPORTANTLY NO CALLS ACTUALLY UPDATE
THE ACL -->

<S:access_allowed_ace S:inherited="0">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\user2</S:nt4_compatible_name>
<S:property_name>urn:schemas:contacts:email1</S:property_name>
</S:sid>
</S:access_allowed_ace>
<!-- END OF INSERT -->

<S:access_allowed_ace S:inherited="1">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-1112</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\user3</S:nt4_compatible_name>
<S:ad_object_guid>{b16e749b-8fa2-4315-b5c3-bf4448582428}</S:ad_object_guid>
<S:display_name>User Three</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="1">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
<S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
<S:display_name>User One</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="1">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-7</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
<S:ad_object_guid>{acbbf32e-fcbc-4349-9dde-79593942f816}</S:ad_object_guid>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="1">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-746137067-920026266-839522115-1355</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\a_team (47669)</S:nt4_compatible_name>
<S:ad_object_guid>{d30e47a8-9c4e-45cc-b832-3851d93e730a}</S:ad_object_guid>
<S:display_name>a_Team (47669)</S:display_name>
</S:sid>
</S:access_allowed_ace>
</S:effective_aces>
</S:dacl>
</S:security_descriptor>
</e:descriptor></a:prop></a:set></a:propertyupdate>

I have used this same code using ADO/CDOEX and it updates without
issue.

Why can't WEBDAV update in the same way???

I have looked everywhere for some documentation that addresses this
issue (Success Status returned without any sort of success occurring)
but all the documentation seems to support that I am doing this in the
correct way.

I have no more ideas.... Hopefully someone else out there does!!

Cheers
Ben

Glen Scales [MVP]
Guest





Posted: Wed Dec 22, 2004 6:49 am    Post subject: Re: WEBDAV Exchange Item Based Security - Not Updating

You might want to grab a copy of pf-davadmin, which is a GUI-based tool that
uses WebDAV to modify permissions. You can get it from
ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/PFDavAdmin/ .
The great thing about this tool is that you can use the "current xml" button
to see what the correct XML syntax is to make an update to a folder. Just
compare this with what you are trying to do programmatically and this may show
you where you're going wrong.

Cheers
Glen


Guest






Posted: Sat Jan 22, 2005 2:01 am    Post subject: Re: WEBDAV Exchange Item Based Security - Not Updating

Did you ever find a solution? I think I am experiencing the same
problem?

I am using a PROPPATCH to create a calendar item and set the security
descriptor at the same time. It takes it with no errors, but I don't
think the binary security descriptor is ultimately being updated.
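
A 207 Multi-Status carries a separate status inside each propstat, and whether an ACE was stored can only be confirmed by a fresh PROPFIND of the descriptor. The following is an added example, not code from any poster in this thread: it reads the per-property status codes and lists ACEs that were sent but are absent on re-read. The function names and the sample strings are constructed, trimmed from the XML shapes posted above.

```python
import xml.etree.ElementTree as ET

SEC = "http://schemas.microsoft.com/security/"
NS = {"a": "DAV:", "S": SEC}

def propstat_codes(multistatus_xml):
    """[(href, status_code)] for every propstat in a 207 Multi-Status body."""
    out = []
    for resp in ET.fromstring(multistatus_xml).iterfind("a:response", NS):
        href = resp.findtext("a:href", "", NS).strip()
        for ps in resp.iterfind("a:propstat", NS):
            # "HTTP/1.1 200 OK" -> 200; split() also absorbs a wrapped line
            out.append((href, int(ps.findtext("a:status", "", NS).split()[1])))
    return out

def aces(descriptor_xml):
    """{(ace_kind, trustee): access_mask} for each allow/deny ACE found."""
    found = {}
    for el in ET.fromstring(descriptor_xml).iter():
        kind = el.tag.rpartition("}")[2]
        if el.tag.startswith("{" + SEC + "}") and kind.endswith("_ace"):
            name = el.findtext("S:sid/S:nt4_compatible_name", "", NS)
            trustee = " ".join(name.split()).lower()  # undo line wrapping
            found[(kind, trustee)] = el.findtext("S:access_mask", "", NS).strip().lower()
    return found

def unapplied(sent_xml, reread_xml):
    """ACEs that were sent but are absent (or differ) after a fresh PROPFIND."""
    after = aces(reread_xml)
    return sorted(k for k, mask in aces(sent_xml).items() if after.get(k) != mask)

def ace(user, inherited):  # builds one constructed sample ACE
    return ('<S:access_allowed_ace S:inherited="%s"><S:access_mask>1f0fbf'
            '</S:access_mask><S:sid><S:type>user</S:type><S:nt4_compatible_name>'
            'DOMAIN\\%s</S:nt4_compatible_name></S:sid></S:access_allowed_ace>'
            % (inherited, user))

def descriptor(body):  # wraps constructed ACEs in a minimal descriptor
    return ('<S:security_descriptor xmlns:S="%s"><S:dacl><S:effective_aces>%s'
            '</S:effective_aces></S:dacl></S:security_descriptor>' % (SEC, body))

# Constructed samples: a PROPPATCH reply, the descriptor sent, the one re-read.
PROPPATCH_REPLY = ('<a:multistatus xmlns:a="DAV:" xmlns:e="http://schemas.'
    'microsoft.com/exchange/security/"><a:response><a:href>http://DOMAINexch01'
    '/public/z%20ben/bjd.EML</a:href><a:propstat><a:status>HTTP/1.1 200 OK'
    '</a:status><a:prop><e:descriptor/></a:prop></a:propstat></a:response>'
    '</a:multistatus>')
SENT = descriptor(ace("user2", 0) + ace("user3", 1))
REREAD = descriptor(ace("user3", 1))
```

With these samples, `propstat_codes(PROPPATCH_REPLY)` reports a 200 for the descriptor property while `unapplied(SENT, REREAD)` still lists the DOMAIN\user2 allow ACE, which is the mismatch described in the thread.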
