Wednesday, January 9, 2013

How to get thumbs to work with FS4SP when using Claims security in SharePoint

As stated in the Microsoft support articles KB2554903 and KB2641517, document thumbnails with FS4SP and Claims-based Authentication are not supported. There are also numerous threads on the Microsoft FS4SP forum about this.

I recently experienced this myself in a project and decided to fix it, because the fix is not really that hard. The issue is that when your browser calls http://server/_vti_bin/WACProxy.ashx it receives a 401 error due to it not handling claims.

A WSP for this solution can be downloaded from Codeplex. Note that the WSP will overwrite the existing WACProxy.ashx file, so you might want to create a copy of it first.

What I did was create a wrapper which calls the WACProxy running under elevated privileges instead, and switched out the existing WACProxy.ashx file with one pointing to my assembly.

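using System.Web;
using Microsoft.SharePoint;

namespace mAdcOW.SharePoint
{
    // Drop-in replacement handler for WACProxy.ashx.
    public class WACProxy : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            // Run the built-in FS4SP WACProxy in an elevated context to get
            // around the 401 it returns under claims authentication.
            SPSecurity.RunWithElevatedPrivileges(delegate()
            {
                var proxy = new Microsoft.Office.Server.Search.Extended.Query.Internal.UI.WACProxy();
                proxy.ProcessRequest(context);
            });
        }

        // A new handler instance is created for every request.
        public bool IsReusable
        {
            get { return false; }
        }
    }
}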


You might think it’s very, very bad to run this in an elevated security context, and that it might create a security hole. But it won’t. What the WACProxy does is send back script which points to, for example, http://server/library/_layouts/MobilePageHandler.ashx. This call is then executed by your browser using your logged-in credentials. This means that if you don’t have access to the document, you can’t generate a thumbnail for it either.

So we are merely running the call to generate the proper thumbnail URL in an elevated context to get around the claims error.
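The following added example (not part of the original post) checks web server logs for the two behaviours described above: the 401 on WACProxy.ashx and the follow-up thumbnail call being authorised with the user's own credentials. The log lines are constructed, the W3C extended field layout is an assumption about how IIS logging is configured, and the function names are hypothetical.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C extended log lines (not from the post); users and the
# /Restricted library are made up. "-" in cs-username is an unauthenticated request.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2013-01-09 10:00:01 GET /_vti_bin/WACProxy.ashx - - 401
2013-01-09 10:00:01 GET /_vti_bin/WACProxy.ashx - alice 200
2013-01-09 10:00:02 GET /Library/_layouts/MobileDocHandler.ashx doc=/Library/TestDocument.docx&type=thumbnail alice 200
2013-01-09 10:05:10 GET /_vti_bin/WACProxy.ashx - bob 200
2013-01-09 10:05:11 GET /Restricted/_layouts/MobileDocHandler.ashx doc=/Restricted/Plan.docx&type=thumbnail bob 403
2013-01-09 10:09:30 GET /_vti_bin/WACProxy.ashx - carol 401
"""

HANDLERS = ("wacproxy.ashx", "mobiledochandler.ashx", "mobilepagehandler.ashx")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def handler_of(row):
    """Return the lower-cased handler file name if it is one we track, else None."""
    name = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
    return name if name in HANDLERS else None

def proxy_failures(rows):
    """Users whose authenticated call to WACProxy.ashx still returned 401."""
    return sorted({r["cs-username"] for r in rows
                   if handler_of(r) == "wacproxy.ashx"
                   and r["sc-status"] == "401" and r["cs-username"] != "-"})

def denied_thumbnails(rows):
    """(user, doc) pairs where the follow-up thumbnail call was refused."""
    return [(r["cs-username"], parse_qs(r["cs-uri-query"]).get("doc", ["?"])[0])
            for r in rows if handler_of(r) in HANDLERS[1:]
            and r["sc-status"] in ("401", "403") and r["cs-username"] != "-"]

if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    print("WACProxy 401 for:", proxy_failures(rows))
    print("Thumbnail refused:", denied_thumbnails(rows))
```

A user listed by `proxy_failures` is still hitting the original claims error; an entry from `denied_thumbnails` shows the proxy answered but the document handler refused that user's own request.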

If you do not want to overwrite or replace the current WACProxy.ashx file, I have a webpart you can drop on the search page which will redirect calls to WACProxy.ashx to a YourWACProxy.ashx file instead. I will commit this to spsearchparts.codeplex.com at a later time.

5 comments:

  1. Hey Mikael - you're a genius :)

    I have a customer that's going to flip out over this. I'll be testing it out next week.

    Thanks!!!

    -Paul Olenick

  2. Great it's working great. Thanks Mikael

    Replies
    1. Cool :D

      I wonder why MS just didn't do this in the first place as I cannot see a security risk doing it this way.

  3. Hi Mikael,
    Thanks for publishing this solution. We previously had thumbnails/previews working in a classic-mode authentication app. They stopped working after we converted to mixed-mode authentication. We installed your WSP but still can't see thumbnails/previews. Any ideas?

    Thanks,
    Barry

    Replies
    1. Hi Barry,
      You should check with, for example, Fiddler, and see what kind of errors/responses you are getting back when viewing a result page. Typically a call goes to the WACProxy.ashx, then a new call goes out to the mobile handler for Word or PowerPoint.

      A typical call would be: http://server/Library/_layouts/MobileDocHandler.ashx?doc=/Library/TestDocument.docx&type=thumbnail

      You can also handcraft the above call for a file in a library, and see what is returned using Fiddler, in order to figure out if it works or not.
