Deployment to Server fails with local Administrator - tfs

When trying deploy my Release to a Server using a local Admin Account at the Server i get the Message:
7-05-09T08:12:50.6866361Z 2017/05/09 10:12:50 ERROR 5 (0x00000005) Getting File System Type of Destination \\server\C$\temp\
2017-05-09T08:12:50.6866361Z Access is denied.
during the robocopy to the remote server.
When trying to use my domain Account (also Administrator) it works without any problems.
What am i missing?

Make sure that the UNC path \\server\C$\temp\ could be achieved by the local account you used as build service account.
I suggest that you use domain user to access the domain resources. Or you could share that folder \\server\C$\temp\ to Everyone and give the Read and Write permission.
If you insist to use a local account, as a workaround:
local accounts on each member server where the shared folders are
stored will have to be created to directly map to the same
username/password combinations the users are using on each local
machine. For example, on client 1, local user named A, password xxxx,
on the server which stores the shares, you need to create a local user
named A with the same password xxxx.

Related

Publish Azure App With Database Connection String Using Active Directory Integrated Not Working

I have previously deployed an MVC application to Azure.
Under Publish -> Settings -> Databases, I include connection strings.
I have been using the following: Data Source=tcp:servername.database.windows.net,1433;Initial Catalog=dbname;User ID=username;Password=password;Encrypt=True;TrustServerCertificate=False
The problem with specifying a user is that stored procedures run as the user specified.
This results in CreatedBy/ModifiedBy values set to this same user, instead of the user that created/modified the record.
I previously tried the following: Data Source=tcp:servername.database.windows.net,1433;Initial Catalog=dbname;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Integrated"
However, I receive the error "The format of the specified domain name is invalid." after the application is deployed. Even though I test the connection with Active Directory Integrated in the Destination Connection String window, and it works.
As given in this MS Doc, if you’re using the AD Integrated type of Authentication in the Azure, then either you should have domain-joined device for accessing the Web Application linked with SQL Database or make the device as federations with ADFS.
So, if you are accessing the Azure Applications from other machines, use the AD-password type authentication mode and its connection string format is given in the same MS Document and this Doc2 for more relevant information on configuring the AD Integrated / Password Type of Authentication mode on Azure Data sources and applications.
AD Password Type Authentication Format: 
Server=demo.database.windows.net; Authentication=Active Directory Password; Encrypt=True; Database=sample_db; User Id=your_username#domain.com; Password=<Your__Password>

azure file share access via web application

C# ASP.NET MVC web application - I followed all the steps from https://blogs.iis.net/davidso/azurefile in order to be able to access my Azure location by unc.
My newly created local user is in the IISUSER Group and has the same username and pwd (storage key).
I then created an application in my website using a new APP Pool (integrated) w/said local user.
I ran the caspol command as well.
The issue I run into is when trying to do a file.SaveAs, I get an error
Incorrect username or password
Server.MapPath({application}) returns the correct unc path but doing a Directory.Exists won't locate the path.
When viewing the "connect as" with specified user in IIS I get no issues, additionally I can access the unc path directly from my local machine with same creds.
I tried going to the app pool of the application and set the user directly but no change there. Are there changes I need to make on the Website configuration that the application sits in? Prior to converting this to an application I initially had it configured as a virtual directory and got the same error.
Set the load user profile to "True" in the application pool:
try to set the azure user in iis anonymous authentication by clicking on the edit:

Where should a Windows service, running as Local System, store a private key in the file system?

I need to generate and store a sensitive file (assume that it is not a traditional PKCS format) private key and keep it accessible to the running service.
Normally, when running as a service account (AD User), I would store the file under the user's profile, and then let standard Windows security handle this.
Outside of the CryptoAPI, where in the file system should I store this private key?
Using DPAPI, you can either use current user credentials or either the LocalMachine 'creds'.
LocalMachine will make all users on the computer able to Unprotect the data (still a solution though... if you trust every user on this computer).
Or, you can use impersonation to get the current user & do your stuff.

Permission settings for discovery of windows services

I'm setting up a windows service that monitors other services and will restart them if they get disconnected. For security reasons I've decided to run this service on a special "service" account and for each service it's supposed to have access to it granted to the service account by an administrator.
In order to do this I'm using the "ServiceController" class. I've been able to get it to work with local computer services but when I attempt to connect to a another network on the computer I get an invalidoperationexception. Is there a "browse" or "discover" permission that I can give to the service account?
'First line throw exception even though the service account has permission set for that 'particular service and that particular machine. Again works fine if the service is 'located on same machine
services = ServiceController.GetServices(serviceComputer).ToList()
Dim serviceOfInterest As ServiceController = (From service In _
services.DefaultIfEmpty(Nothing) _
Where service.ServiceName = "SomeServiceName" _
Select service).SingleOrDefault()
serviceOfInterest.Start();
The permissions you need are described here: http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx.
Specifically, to obtain list of services you need SC_MANAGER_ENUMERATE_SERVICE. According to the table in the link above this permission is granted to:
Local authenticated users
LOCAL SYSTEM
BUILTIN\ADMINISTRATORS
apparently when connecting remotely the first two options are out, you only have one option left -- being part of the local administrators group.

Unable to access SAN storage device

I am attempting to programmatically FTP a backup file that is stored on a SAN device. The device has been mapped on the server. I tested the application by running it from an icon on the desktop and it works perfectly. When I run the program through a windows service I get an error message saying that the drive cannot be found. The account that the service was running under was the local account. I thought the issue might be that account so I created a new user and ran the service under that account. The same error message occurs. Has anyone experienced this before and found a resolution to this problem?
The drive mappings exist only for the logged on user. For this reason they are not visible to the service as it runs on lower level. You need to use some ftp client if you want to use the storage location from a service.
The same problem appears with network shares where you cannot access a network share mapped to a network drives from services. The correct way to access these shares from a service is to use an UNC path similar to "\\SANS\Backuplocation".

Resources