All users able to access sites in SPD after deploying tool

Oct 14, 2009 at 2:52 PM


We've deployed the tool in our DEV and the QA environment but we are unable to make it work properly.

Environment: 1 WFE, 1 CA/Index, 1 SQL Server 2005

Product: MOSS 2007 SP2

We've deployed both the solutions, have created the registry key and given the permission to the AD group and then activated the feature on the web application. Still, all users are able to access the sites using SharePoint Designer.

Are there some logs that we can check that can tell us what is the problem? Is there some step other then the ones listed in the Implementation document that we are missing?

If we can make it to work in our DEV/QA environments, then we can move it to the PROD and block the SPD access to users apart from those in the AD group. We really need this to work. Please help!


Manish Chopra

Oct 15, 2009 at 3:55 PM


Do the front end servers need to be rebooted after modifying the registry for the new BlockSPD key to take effect?




Tom Hockman

Oct 15, 2009 at 5:09 PM

We did reboot the WFE server but has not helped.

Oct 27, 2009 at 4:18 PM
Edited Oct 27, 2009 at 4:18 PM

Hi Manish,

Sorry for the delay in responding. Everything should work according to the instructions. Please back out all your changes and try again.

Who is in the AD group? Are these users all part of the same domain? Anything else unusual?


Oct 27, 2009 at 5:07 PM


The tool is working now after we changed the if condition:

Earlier: if (currentContext.Request.LogonUserIdentity.ImpersonationLevel == TokenImpersonationLevel.Impersonation && !currentContext.Request.LogonUserIdentity.Name.Contains(@"IUSR"))

Modified: if (currentContext.Request.LogonUserIdentity.ImpersonationLevel == TokenImpersonationLevel.Impersonation || currentContext.Request.LogonUserIdentity.ImpersonationLevel == TokenImpersonationLevel.Delegation && !currentContext.Request.LogonUserIdentity.Name.Contains(@"IUSR"))


 So, we've have to check for both impersonation and delegation to make it to work. The users in the AD group are all from the same domain. The solution was working on one web application in the farm and not working on another web application in the same farm. The web application it was working on had NTLM authentication and the web application it was not working on had Kerberos.

Will authentication make a difference?  any thought on why it was not working on one web app?


if (currentContext.Request.LogonUserIdentity.ImpersonationLevel == TokenImpersonationLevel.Impersonation && !currentContext.Request.LogonUserIdentity.Name.Contains(@"IUSR"))