
Thread: WEBDAV Exchange Item Based Security - Not Updating

  1. #1
    Ben Donneghaille Guest

    WEBDAV Exchange Item Based Security - Not Updating

    I have been attempting to use WEBDAV to update item level security on
    public folder items in exchange.

    The code I am using adds nodes to the security descriptor, and each
    submission to alter the ACLs on the item is returned with a 207
    Multi-Status OK status, which would suggest that my update was
    successful.

    The XML I am getting off the item using PROPFIND is below

    <?xml version="1.0"?>
    <a:multistatus
    xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
    xmlns:c="xml:" xmlns:d="http://schemas.microsoft.com/exchange/"
    xmlns:f="urn:schemas-microsoft-com:office:office"
    xmlns:e="http://schemas.microsoft.com/exchange/security/"
    xmlns:a="DAV:">
    <a:response>
    <a:href>http://DOMAINexch01/public/z%20ben/bjd.EML</a:href>
    <a:propstat>
    <a:status>HTTP/1.1 200 OK</a:status>
    <a:prop>
    <e:descriptor><S:security_descriptor
    xmlns:S="http://schemas.microsoft.com/security/"
    xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
    D:dt="microsoft.security_descriptor" S:from_mapi_tlh="1">
    <S:revision>1</S:revision>
    <S:owner S:defaulted="0">
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
    <S:type>user</S:type>
    <S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
    <S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
    <S:display_name>User One</S:display_name>
    </S:sid>
    </S:owner>
    <S:primary_group S:defaulted="0">
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-513</S:string_sid>
    <S:type>group</S:type>
    <S:nt4_compatible_name>DOMAIN\Domain Users</S:nt4_compatible_name>
    <S:ad_object_guid>{e9879cfb-7c9f-4040-abf7-ba5a2298b7d3}</S:ad_object_guid>
    </S:sid>
    </S:primary_group>
    <S:dacl S:defaulted="1" S:protected="0" S:autoinherited="1">
    <S:revision>2</S:revision>
    <S:effective_aces>
    <S:access_allowed_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-1112</S:string_sid>
    <S:type>user</S:type>
    <S:nt4_compatible_name>DOMAIN\user3</S:nt4_compatible_name>
    <S:ad_object_guid>{b16e749b-8fa2-4315-b5c3-bf4448582428}</S:ad_object_guid>
    <S:display_name>User Three</S:display_name>
    </S:sid>
    </S:access_allowed_ace>
    <S:access_allowed_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
    <S:type>user</S:type>
    <S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
    <S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
    <S:display_name>User One</S:display_name>
    </S:sid>
    </S:access_allowed_ace>
    <S:access_denied_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:string_sid>S-1-5-7</S:string_sid>
    <S:type>well_known_group</S:type>
    <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
    <S:ad_object_guid>{acbbf32e-fcbc-4349-9dde-79593942f816}</S:ad_object_guid>
    </S:sid>
    </S:access_denied_ace>
    <S:access_allowed_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-1355</S:string_sid>
    <S:type>group</S:type>
    <S:nt4_compatible_name>DOMAIN\a_team (47669)</S:nt4_compatible_name>
    <S:ad_object_guid>{d30e47a8-9c4e-45cc-b832-3851d93e730a}</S:ad_object_guid>
    <S:display_name>a_Team (47669)</S:display_name>
    </S:sid>
    </S:access_allowed_ace>
    </S:effective_aces>
    </S:dacl>
    </S:security_descriptor>
    </e:descriptor></a:prop></a:propstat></a:response></a:multistatus>


    The XML I send back using PROPPATCH is below

    <a:propertyupdate xmlns:a="DAV:"
    xmlns:e="http://schemas.microsoft.com/exchange/security/">
    <a:set>
    <a:prop>
    <e:descriptor>
    <S:security_descriptor
    xmlns:S="http://schemas.microsoft.com/security/"
    xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
    D:dt="microsoft.security_descriptor" S:from_mapi_tlh="1">
    <S:revision>1</S:revision>
    <S:owner S:defaulted="0">
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
    <S:type>user</S:type>
    <S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
    <S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
    <S:display_name>User One</S:display_name>
    </S:sid>
    </S:owner>
    <S:primary_group S:defaulted="0">
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-513</S:string_sid>
    <S:type>group</S:type>
    <S:nt4_compatible_name>DOMAIN\Domain Users</S:nt4_compatible_name>
    <S:ad_object_guid>{e9879cfb-7c9f-4040-abf7-ba5a2298b7d3}</S:ad_object_guid>
    </S:sid>
    </S:primary_group>
    <S:dacl S:defaulted="1" S:protected="0" S:autoinherited="1">
    <S:revision>2</S:revision>
    <S:effective_aces>

    <!-- THIS IS THE USER I AM TRYING TO ADD - I HAVE ATTEMPTED MANY
    DIFFERENT MASKS, ADDING BOTH AN ALLOWED AND A DENIED NODE HOWEVER
    NOTHING RETURNS AN ERROR BUT MORE IMPORTANTLY NO CALLS ACTUALLY UPDATE
    THE ACL -->

    <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:type>user</S:type>
    <S:nt4_compatible_name>DOMAIN\user2</S:nt4_compatible_name>
    <S:property_name>urn:schemas:contacts:email1</S:property_name>
    </S:sid>
    </S:access_allowed_ace>

    <S:access_allowed_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-1112</S:string_sid>
    <S:type>user</S:type>
    <S:nt4_compatible_name>DOMAIN\user3</S:nt4_compatible_name>
    <S:ad_object_guid>{b16e749b-8fa2-4315-b5c3-bf4448582428}</S:ad_object_guid>
    <S:display_name>User Three</S:display_name>
    </S:sid>
    </S:access_allowed_ace>
    <S:access_allowed_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
    <S:type>user</S:type>
    <S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
    <S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
    <S:display_name>User One</S:display_name>
    </S:sid>
    </S:access_allowed_ace>
    <S:access_denied_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:string_sid>S-1-5-7</S:string_sid>
    <S:type>well_known_group</S:type>
    <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
    <S:ad_object_guid>{acbbf32e-fcbc-4349-9dde-79593942f816}</S:ad_object_guid>
    </S:sid>
    </S:access_denied_ace>
    <S:access_allowed_ace S:inherited="1">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
    <S:string_sid>S-1-5-21-746137067-920026266-839522115-1355</S:string_sid>
    <S:type>group</S:type>
    <S:nt4_compatible_name>DOMAIN\a_team (47669)</S:nt4_compatible_name>
    <S:ad_object_guid>{d30e47a8-9c4e-45cc-b832-3851d93e730a}</S:ad_object_guid>
    <S:display_name>a_Team (47669)</S:display_name>
    </S:sid>
    </S:access_allowed_ace>
    </S:effective_aces>
    </S:dacl>
    </S:security_descriptor>
    </e:descriptor>
    </a:prop>
    </a:set>
    </a:propertyupdate>

    I have used this same code using ADO/CDOEX and it updates without
    issue.

    Why can't WEBDAV update in the same way???

    I have looked everywhere for some documentation that addresses this
    issue (Success Status returned without any sort of success occurring)
    but all the documentation seems to support that I am doing this in the
    correct way.

    I have no more ideas.... Hopefully someone else out there does!!

    Cheers
    Ben

  2. #2
    Glen Scales [MVP] Guest
    You might want to grab a copy of pf-davadmin, which is a GUI-based tool that
    uses WebDAV to modify permissions. You can get it from
    ftp://ftp.microsoft.com/PSS/Tools/Ex...ls/PFDavAdmin/ .
    The great thing about this tool is that you can use the "current xml" button
    to see what the correct XML syntax is to make an update to a folder. Just
    compare this with what you are trying to do programmatically and this may show
    you where you're going wrong.

    Cheers
    Glen

  3. #3
    Guest
    Did you ever find a solution? I think I am experiencing the same
    problem?

    I am using a PROPPATCH to create a calendar item and set the security
    descriptor at the same time. It takes it with no errors, but I don't
    think the binary security descriptor is ultimately being updated.
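
A 207 Multi-Status is only the envelope of the reply: each propstat inside it carries its own status, and the stored ACL has to be read back to confirm a change. The check below is an added example, not code from any poster in this thread. It inspects the propstat statuses of a PROPPATCH reply and lists ACEs that were sent but are missing from a follow-up PROPFIND. The helper names and the sample XML are constructed, modelled on the descriptor posted in #1.

```python
import re
import xml.etree.ElementTree as ET

DAV = "{DAV:}"
SEC = "{http://schemas.microsoft.com/security/}"
ACE_TAGS = {SEC + "access_allowed_ace", SEC + "access_denied_ace"}

def propstat_failures(multistatus_xml):
    """(property tags, status) for each propstat in a 207 body that is not 2xx."""
    failures = []
    for ps in ET.fromstring(multistatus_xml).iter(DAV + "propstat"):
        status = " ".join((ps.findtext(DAV + "status") or "").split())
        m = re.match(r"HTTP/\d\.\d (\d{3})", status)
        if not (m and m.group(1).startswith("2")):
            props = [p.tag for prop in ps.findall(DAV + "prop") for p in prop]
            failures.append((props, status))
    return failures

def aces(descriptor_xml):
    """Set of (ACE kind, trustee, access mask) found anywhere in the document."""
    found = set()
    for ace in ET.fromstring(descriptor_xml).iter():
        if ace.tag not in ACE_TAGS:
            continue
        # The ACE added in the thread carries no string_sid, so key on the NT4 name.
        name = (ace.findtext(f"{SEC}sid/{SEC}nt4_compatible_name")
                or ace.findtext(f"{SEC}sid/{SEC}string_sid") or "")
        trustee = " ".join(name.split()).casefold()  # undo line-wrapped names
        mask = int((ace.findtext(SEC + "access_mask") or "0").strip(), 16)
        found.add((ace.tag[len(SEC):], trustee, mask))
    return found

def missing_aces(sent_xml, reread_xml):
    """ACEs that were submitted but are absent from the descriptor read back."""
    return sorted(aces(sent_xml) - aces(reread_xml))

def sample_ace(kind, name, mask="1f0fbf"):  # builds constructed sample XML
    return (f'<S:{kind} S:inherited="1"><S:access_mask>{mask}</S:access_mask>'
            f"<S:sid><S:nt4_compatible_name>{name}</S:nt4_compatible_name></S:sid></S:{kind}>")

def sample_sd(*ace_xml):
    return ('<S:security_descriptor xmlns:S="http://schemas.microsoft.com/security/"><S:dacl>'
            "<S:effective_aces>" + "".join(ace_xml) + "</S:effective_aces></S:dacl></S:security_descriptor>")

# Constructed samples, trimmed to the shape of the XML posted in the thread.
SENT = sample_sd(sample_ace("access_allowed_ace", "DOMAIN\\user2"),
                 sample_ace("access_allowed_ace", "DOMAIN\\user3"))
REREAD = sample_sd(sample_ace("access_allowed_ace", "DOMAIN\\user3"))
PATCH_REPLY = ('<a:multistatus xmlns:a="DAV:" xmlns:e="http://schemas.microsoft.com/exchange/security/">'
               "<a:response><a:href>http://DOMAINexch01/public/z%20ben/bjd.EML</a:href><a:propstat>"
               "<a:status>HTTP/1.1 200 OK</a:status><a:prop><e:descriptor/></a:prop></a:propstat>"
               "</a:response></a:multistatus>")

if __name__ == "__main__":
    print("propstat failures:", propstat_failures(PATCH_REPLY))
    print("sent but not stored:", missing_aces(SENT, REREAD))
```

With these samples the reply reports no failed propstat, yet the DOMAIN\user2 ACE is absent from the descriptor that was read back, which is the silent no-op described in posts #1 and #3.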
