Claudia Chorfi


I'm trying to perform a search in a web application according to the code below:

public static DataSet ObtemDocumentos(string palavraChave, ref string username)
{
    //The XML string containing the query request information
    //for the Web service
    string qXMLString = "<QueryPacket xmlns='urn:Microsoft.Search.Query'>" +
        "<Query><SupportedFormats><Format revision='1'>" +
        "urn:Microsoft.Search.Response.Document:Document</Format>" +
        "</SupportedFormats><Context><QueryText language='en-US' type='STRING'>" +
        // Escape the keyword so user input cannot alter the query XML
        System.Security.SecurityElement.Escape(palavraChave) +
        "</QueryText></Context></Query></QueryPacket>";
    TeslaSharepoint.QueryService queryService = new TeslaSharepoint.QueryService();
    // Credentials of the account the current thread is running as
    queryService.Credentials = System.Net.CredentialCache.DefaultCredentials;
    DataSet dados = queryService.QueryEx(qXMLString);
    return dados;
}

The problem is that it's returning documents which the user who's viewing the results has no permissions to view. When the same user browses the Sharepoint site to which the documents were uploaded, these documents are not visible.

What am I doing wrong?

Re: SharePoint - Search Search is ignoring user's permissions

Ki Tsang

Did you start an incremental or full crawl after you uploaded the documents? There's a chance that the document may not be in the index yet.

Re: SharePoint - Search Search is ignoring user's permissions


I don't think this is the reason, because if I create a NetworkCredential object with a valid username and password and use it instead of DefaultCredentials, everything works fine. The problem with this second solution is that I can't get the username and password of a Windows user account programmatically, and I think there would be a security issue in doing that.

Any other possibilities?

Re: SharePoint - Search Search is ignoring user's permissions

Puneet Narula - MSFT

This is most likely a double hop problem that you are running into, provided you are running this code from a webpage.

You cannot pass on a user context that you received from a web request outside of the box (like to a web service call), as it is insecure to do that unless you have Kerberos enabled.

This doesn't necessarily explain why the user is seeing more results than he should be seeing. This may be because you might actually not be running in the user context while making the call to get default credentials. You can find that out by looking in the IIS logs for the request that you made to the web service and seeing what the user was, and verify this by adding the following line to your code just before you get the default credentials:

    string currentUser = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

When you debug through this, this code will tell you in whose context the default credentials call is being made.

So the solution to your problem:

1. If you want to get the results from the same farm and your code is going to run on the WFE, then you should probably use an OM call instead of using the web service, as you avoid the second hop altogether.

2. If you are getting results from a different farm and/or not running on a SharePoint box and you cannot call the OM, then you can choose from the following:

a. Enable Kerberos in your AD; that will allow you to pass through user creds.

b. Impersonate the user to an account which has minimum privileges on the SharePoint box. That will not necessarily give him all the content that he can see, but at least he won't see content that he is not authorised to see.

c. Send your request as anonymous; then you will get the absolute minimum stuff.
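The identity check and Kerberos pass-through discussed in this thread, as an added example that is not code from any of the posts: it impersonates the Windows-authenticated caller around the web service call and refuses to run the query if the thread is still some other account. `CallerScopedSearch`, `QueryAsCaller` and the delegate parameter are hypothetical names; the sketch assumes ASP.NET on .NET Framework with Windows authentication enabled in IIS.

```csharp
using System;
using System.Data;
using System.Diagnostics;
using System.Net;
using System.Security.Principal;
using System.Web;

// Hypothetical helper (assumed names, not part of SharePoint or the original post).
public static class CallerScopedSearch
{
    // Runs 'query' only while the thread identity is the authenticated caller,
    // so DefaultCredentials cannot silently resolve to the app pool account.
    public static DataSet QueryAsCaller(Func<ICredentials, DataSet> query)
    {
        // Identity IIS authenticated for this request.
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new UnauthorizedAccessException("No Windows-authenticated caller.");

        // What the diagnostic line from the thread reports when the code
        // is not impersonating: usually the application pool account.
        string before = WindowsIdentity.GetCurrent().Name;

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            string during = WindowsIdentity.GetCurrent().Name;
            Trace.TraceInformation("search identity: before={0} during={1} level={2}",
                before, during, caller.ImpersonationLevel);

            // Fail closed: never query as anyone other than the caller.
            if (!string.Equals(during, caller.Name, StringComparison.OrdinalIgnoreCase))
                throw new UnauthorizedAccessException("Impersonation did not take effect.");

            // Without a delegation-level token (Kerberos delegation), the caller's
            // identity cannot authenticate on the second hop to the web service.
            if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
                Trace.TraceWarning("Caller token is not delegable; second hop will not carry the user.");

            return query(CredentialCache.DefaultCredentials);
        } // Dispose() reverts the thread to its original identity.
    }
}

// Usage with the proxy class from the question (assumed to be in scope):
//   DataSet dados = CallerScopedSearch.QueryAsCaller(creds => {
//       var svc = new TeslaSharepoint.QueryService();
//       svc.Credentials = creds;
//       return svc.QueryEx(qXMLString);
//   });
```

If the trace shows `before` as a service account and the unmodified code returns extra results, the query was being security-trimmed against that account rather than the user.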