I am trying to assign the IIS APPPOOL[MyAppPoolName] to a Windows Service. I have tried going to the Windows Service Properties > Log On Tab, but have been unable to assign that account to the Windows Service. If I try to Select the User then it comes up with an error.
An object (User or Built-in security principal) with the following name cannot be found: "IIS APPPOOL\[MyAppPoolName]...". Check the selected object types and locations for accuracy and ensure that you have typed the object name correctly, or remove this object from the selection.
For object types I have both the Built-in security prinicipals and the Users checked off.
If I simply try to type the user account on the Log On screen, it asks for a password. But, no password exists for this user that I know of.
Related
In our application we manage a user database in which we have the option to log in to our app by verifying username and password with the local installation. By now we actually used LogonUser for that purpose.
So... Now with Windows 11 the default option is to have either biometric login or a PIN which is obviously incompatible with LogonUser (heck, on my PC I don't have a local password nor have I found the possibility to create one in the dialogs).
Now, what is the route to take from here? I couldn't figure what's the way to go (note: it's a similar problem to CreateProcessAsUser) - I always find links to Windows Hello/Windows credential provider interfaces, but as far as I can see these are used to be a provider yourself...
I'm learning about Google OAuth, and it says that my project has no appropriate credentials.
So I go to the Developers Console and click on the OAuth consent screen. I type my domain name into their question:
Authorized domains To protect you and your users, Google only allows
applications that authenticate using OAuth to use Authorized Domains.
Your applications' links must be hosted on Authorized Domains.
I have verified my domain, but I get "Must be a top private domain." The link takes me to some kind of java programming statement. Actually if I click on the Domain verification tab (again) there are no domain names listed, but I know I added it.
Q: How do I add my domain for being used with OAuth? Must I qualify it as a Top Private Domain or am I going down a rabbit hole?
Google oauth requires a top level domain for security purposes. A top level domain is the first one before the .com .net .biz, in other words it only has one dot. There are exceptions such as .co.uk.
Subdomains are controlled by the parent domains and are not necessarily owned or controlled by you. Imagine you have a Wordpress account at domain.wordpress.com. Wordpress closes your account and returns domain to inactive. A different user claims the domain user and domain.wordpress.com. If Google allowed subdomains they would be forced to believe the new user was you. (Since there is no requirement of public notification of the change)
Edit (a more generalized statement in response to a comment.)
If you own the domain, you have full control over it, and the ownership records are public. To prove your virtual identity as owner of the domain when subscribing to many services require a DNS record, that is created by you, as a challenge created by the provider, that can be read by the provider, prior to services being created. In the event of a change in ownership the original claimant, you, is sent a new record to the provided email address to add to your DNS server to prove you still own the domain. If you cannot prove you still maintain ownership of the name, as in the case of an expired domain hijack, all services are canceled.
Edit
The most probable problem is: Your domain verification is failing.
Start the verification process again. This will give you a new TXT record to add to your DNS.
Go to your DNS providers page and add the record. While there look for the refresh value on the SOA record.
Convert the SOA refresh from seconds to hours. Divide by 3600.
Wait that amount of time + 4 hours for replication.
Use nslookup (or dig) and look for the TXT record. Be sure to use Google's DNS server at 8.8.8.8(server=8.8.8.8).
If the record is not found, wait some more, if (hours waiting > 72) break; else repeat check.
If nslookup was able to find the record, complete the verification process; if not contact your DNS provider(The client record hold can be an issue).
If at this point everything went well, You should have an authorized domain.
If not (domain disappears, contact Google support), It my have to do with the privacy settings on the domain. Most quote public domains have contact information.
You must use a TLD (top level domain). If you have a subdomain, it is owned by the person who owns the TLD. For example, you might have a blog at myamazingblog.wordpress.com, and wanted to use OAuth with it. Unfortunately, this would not be possible, since you do not own wordpress.com (the TLD).
Try testing on a different device or clearing cache.
For me it turned out I had everything correct (just with my example.com domain) but my iOS safari was caching something and it kept giving me the ‘not whitelisted’ message. Which led me to think I needed to add dev.example.com as well - which isn’t necessary.
So try going to the site on another device or browser to see if it works.
I have ASP.NET MVC app and I am trying to connect to Azure SQL database migrated on Azure.
I need to set my connection string in web.config and I have no idea where to look for the user id and password.
I found such a pattern in my SQL Server overview in Azure:
Server=tcp...;User ID={your_username};Password={your_password}...;
I found that there is username#server.com and read about setting Active Directory Administrator. Unfortunately I am a student and have Azure for Students where I cannot set such admin.
I assumed the login will be the name of the database 'mydb' and the password is its password. Unfortunately it does not work and it gives the following error when I am login in into my app:
System.Data.SqlClient.SqlException: Login failed for user 'mydb'.
I did not find the answer on the forum, but if there is one please let me know.
Thank you all for any help in advance :)
Check the image for user name and password reset link below. For security reasons it doesn't display the password, but you can reset it. The screen will come once you click on the server name
The portal has all information you need, under Connection Strings, including the server name (included in connection string, in the form of <servername>.data.windows.net).
You can also see your server name in the Overview area, and if you click the server name, that takes you to the server configuration area where you can set the firewall settings (you'll need to add your client ip address to the firewall).
Your username is username#databasename. And this is a SQL login, nothing to do with Active Directory.
You do need to add your local IP address to the server's firewall though, otherwise you won't be able to establish a connection. That's under the server's settings.
I'm currently confused by the IDs identifying a user in Connections, and their link to the underlying LDAP directory.
So far, I identified several ids:
email: simple but not reliable as email access might have been disabled by the admin. This is particularly true for Connections cloud.
snx:userid: UUID generated by Connections, but this is the chicken and egg. To find the userid, you need to first get access to a profile document, or some data retrieved from Connections
key: also generated by Connections, but I don't get the pattern. On Greenhouse, it is yet another UUID in x-profile-key, different from the userid above. On other systems, it seems to be based on the user name.
subscriberId: The "lotuslive id" used by Connections cloud.
Can someone explain the relationship between snx:userid, key and subscriberId, on-prem and on the cloud, and what they are for? I can't find any clear documentation around it. The API doc says that some times we should pass the key, and some times the id.
Also is the LDAP directory on prem. We are querying the LDAP directory (WAS federated directory, also used by Connections) to get a list of users based on a group. But then, how can we access their Connections profiles from the LDAP result? Is their an attribute to read? We are currently using the email, but as said earlier, this will not work if email access in disabled, like in Greenhouse.
I can explain part of it. the snx:userid is an abstraction used to uniquely identify a person - even if their email changed, name changed, or any other ldap specific id changed. The snx:userid is I believe 64bit.
I thought the Key is the same as snx:userid.
SubscriberId is based on the Business Support Services long id, and includes a scope so that each environment has a unique id.
I think I described the first part of your question on the relationship.
For the second bit, we don't augment LDAP with the snx:userid.
You may want to look at User SPI and java.lang.String getExtID()
http://www-10.lotus.com/ldd/lcwiki.nsf/xpAPIViewer.xsp?lookupName=IBM+Connections+5.0+API+Documentation#action=openDocument&res_title=User_SPI_ic50&content=apicontent
Hopefully this will help clear up some of the confusion and break down their relationships and uses.
snx:userid — This is actually not “generated” by Connections, but rather is associated with an LDAP attribute that is defined during the population process. Generally it is defaulted to an LDAP attribute that is and will always be unique to a user so that it can be used to identify a user in the LDAP if other content has changed. In some cases you’ll see this as the GUID of the LDAP (the default setting on-prem), though other times you’ll see this as a different value, like on the cloud for example. The cloud has this set this to the subscriberId.
subscriberId — This is generated and based on our Business Support Services as Paul mentioned. It is used as the true unique identified for a “subscriber” (user) to the environment, since the environment is MT and users need to be scoped. This was chosen over the default GUID as a unique identifier for a variety of logistical reasons.
key — This is generated by Connections itself during the population process. It is used to define the users profile within the context of Profiles and provides Connections with the ability to associate content with a user when the users LDAP information has been altered. It provides a separation of identity and helps facilitate user content synchronization for Connections.
Unfortunately there isn't a clear cut way to perform that lookup though, especially when you take something like Connections Cloud or Greenhouse into account. They have email disabled for a variety of security reasons. Generally speaking though, the userId is the GUID for the ldap, unless it is very explicitly redefined and configured so, but again you'd really have to know the environment in order to know that information. In a nutshell I think it has to be a configuration parameter for the app per environment if email is disabled.
I have a requirement to implement user privilege elevation in an MVC3 web app, for both Forms and Windows authentication, but this question is critical for Windows auth. This is for a higher privileged user to give assistance to a lower privileged user, e.g. when a clerical user is performing a task and requires an admin user to do a task before the clerical user can continue, the admin user should be able to elevate the same session to their privilege level, perform the admin task, and restore the lower privilege to the session. I don't see a way here without the clerical user logging off and the admin user logging on, given that we want to achieve this on the desktop of the clerical user alone. Maybe user switching is tidier than a whole new session, but I would very much like a "run as" equivalent for Windows authenticated web apps.
Is this even possible, and if so, how can I achieve this? I have no idea where to even begin looking.
Allow the "power user" to temporary set a specific role for other users and for example setting also an expiration of the role with a DateTime.
You could put an anchor somewhere on your site:
#Html.ActionLink("elevate to admin", "SwitchToAdmin", "Home")
and then have a controller action which will allow for inputting the administrator credentials:
public ActionResult SwitchToAdmin()
{
// TODO: Adjust the role name that your administrators will have
if (!User.IsInRole(#"DOMAIN\Administrators"))
{
// The user is not currently an admin => popup a Logon box
// so that the administrator could authenticate himself
return new HttpUnauthorizedResult();
}
else
{
// After inputting the correct username and password for the
// admin, we can now redirect to the home action and start performing
// the admin tasks
return RedirectToAction("index", "home");
}
}
The revert process will be the inverse. You could have a link which will call a controller action that will throw 401 if the user is an admin allowing for the normal user to enter his username and password.
In order to use Windows authentication to do this I think you will need:
The run as command
A shortcut on the user's desktop to start the other logon
Either a batch script to prompt for the user's logon information or a separate desktop program to gather the information (the shortcut points to whichever of these you choose)
once the information for the run as commandline is ready you could either start a browser or perhaps a custom program with an embedded browser.
An advantage of the program with embedded browser approach is that it can have extra security precautions such as forcibly closing itself after a timeout.
Anyway that's one possible solution. You might also try to come up with a less complicated way to solve the business need. Perhaps a remote desktop session for the admin?
The equivalent of the run as command is using user impersonation. That is running the commands that requires higher privileges as another user.
It should work as follows:
1) User try to access privileged resources. The webapp detect this either because it has a kind of table of all task reuiring higher privileges, or by intercepting the security exception it gets trying to perform the operation.
2)When this is detected you throw a "RequiresPrivilegesElevationException"(an exception you have to define). This exception i catched by the controller, that now knows it must prompt the user for higher privileges
3) the controller prompt the user for the admin (or higher privileges user password)
4) when the user send the credentilas (via https) credentials are used to create an impersonation context, and all operations are done within this impersonation context.
The drawback of thos approach is that the credentials and the privilege elevetion last for just one trip to the server...for any other request the user is forced to re insert the credentials. THERE IS NO SAFE WAY TO AVOID THIS due to security browser limitations