Lists.asmx 401 cross subdomain, farm admin works

Mar 21, 2014 at 11:40 AM
Farm admin can successfully updatelistitems using spservices, but any other user receives 401.
I tried nearly everything (disableloopbackcheck), but cannot seem to find the problem. If the ajax call is in the same sitecoll everybody is able to update, but as soon as I do the ajax call from another subdomain (aaa.domain.com updating list in bbbbb.domain.com) it fails for all users, except farm admin.

It must be a config setting (permission) on lists.asmx but I got no clue. Browsing to lists.asmx is ok for all users.

Please help.

Fiddler says:
HTTP/1.1 401 Unauthorized
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/8.0
SPRequestGuid: 8c697f9c-461a-f0f7-8970-515ac339018b
request-id: 8c697f9c-461a-f0f7-8970-515ac339018b
X-FRAME-OPTIONS: SAMEORIGIN
SPRequestDuration: 5
SPIisLatency: 1
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 15.0.0.4420
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
Date: Fri, 21 Mar 2014 11:34:40 GMT
Content-Length: 16
Proxy-Support: Session-Based-Authentication

401 UNAUTHORIZED

Mar 21, 2014 at 2:57 PM
I'm surprised that you claim this works for site admin. Especially when the HTTP header above states

X-FRAME-OPTIONS: SAMEORIGIN

Type of account should not matter in most cross-domain issues because they are Browser/HTTP issues, not SharePoint related.

Are your non-admin users authenticated to both domains (aaa and bbb) at the time the cross-domain calls are made?


--
Paul T.

-- Sent from Mobile

Mar 24, 2014 at 10:23 AM
Hi Paul,

We use integrated (NTLM with claims) security on all web applications, so yeah they are all authenticated. Browsing to any part of the site is allowed. I am also in the mist here, but it actually works for me, but for other users the call to lists.asmx returns 401. I need to update a list in a team site from the user's mysite site collection.

I tried implementing a custom httpmodule for deleting the x-frame-options (PermissiveXFrameHeader) but still the 401 is there. The user I am testing with is sitecoll admin. Am I missing something obvious? I checked the permission levels and soap messages are allowed.
It is driving me crazy (almost ;-))

Sander

Mar 24, 2014 at 11:53 PM
Sander,
The good thing with WebServices and SPServices calls is that they are all done from the browser and are performed using the user's permissions to the targeted site (sub-site). This is why I'm thinking you are hitting the x-domain/same origin browser security issue.

Here are a few more items to check:

- make sure the users can login to each site
- create a quick javascript script on each site and have the user access the page that contains it. Make sure the script shows the expected results.

If the above come back true and successful, then you know SPServices is working. The next step would be to figure out the x-domain issue.
Remember that in order for the calls to succeed the user has to already be authenticated on both domains. Simply having permissions does not cut it. I recently hit this issue on O365 when trying to display a user's picture, which was stored in their my-site. The image did not display until the user went to the My Site at least once during the browser session (which caused authentication to happen automatically based on the site that I was already authenticated in).

Oh. One last item: you said this works for you. Anything special about your browser setup vs your user(s)?
I assume you are already authenticated to both sites since you are testing/developing.

Hope this helps. Good luck.


--
Paul T.

-- Sent from Mobile