Just to ask, if there a way to know load keys from Current User is no user active on target machine. It seems it's hard to get that information remotely, I was able to get registry information only when at least one user is logged on.
You asked not full correct question. Windows is multi-user operation system. So even some interactive user are logged there are other users logged on the computer. Typically it's System (the same as LocalSystem, NT AUTHORITY\SYSTEM), LocalService (the same as NT AUTHORITY\LOCAL SERVICE) and NetworkService (the same as NT AUTHORITY\NETWORK SERVICE). It could be windows services which run under special user accounts and the corresponding user are logged.
If nobody is logged and you see logon screen than Winlogon.exe typically displays it. It runs under System account. You can see as subkeys of HKEY_USERS the hives of users loaded currently on the computer. HKEY_USERS\.DEFAULT or HKEY_USERS\S-1-5-18 (symbolic link to HKEY_USERS\.DEFAULT) corresponds HKEY_CURRENT_USER of System account. The full list of loaded hives can be seen under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist.
Related
I created a Twins instance and got a basic example up and running. A few days go by and I launch the Twins Explorer from my dashboard in Azure Portal. The Single Sign on lets me sign on using my Microsoft Account and upon logging in it states:
Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application '856....' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
How can I resolve this?
Successful Login After Host Popup with No Changes
As of the writing of this message, and after previous failed attempts, the Twins Dashboard (no settings changed mind you), on the last attempt the Enter Host popup was preseented to me. I was allowed to re-add my host and it worked.
we have a multi-tenant graph app and we are experiencing some unexpected behavior.
When a first user (non-admin and from another tenant) want to connect to the (enterprise) app, he logs in and gets the message 'Need admin approval'. This is normal, as the required permissions demand this.
Let's say the user knows the administrator login/pass, he clicks on 'Have an admin account, Sign in with that account', he logs in as administrator and approves the consent.
But then a code is generated for that administrator account and is posted back to my initial application(website). Resulting in the user having an access token for an administrator (which does not have SPO in our situation thus failing our application).
My very simple question: how can i just consent the app with an administrator account but without the flow posting back a code for that administrator to the redirect-url.
Is this possible?
Thank you
Ok, i think my problem is solved. Upon activating the app in our settings, we can direct the admin to following url:
https://login.microsoftonline.com/(tenantid)/v2.0/adminconsent?client_id=(clientid)&state=12345&redirect_uri=(redirecturl)&scope=(permissions)
We get redirected then like we receive a token, but having the state that also comes in the redirect url we might use it to display another message to the user.
Let's say an application is already running with elevated privileges.
Is it possible for this application to show a UAC prompt and get its result (successfully confirmed or cancelled)?
Background story: I have an application that requires Administrator privileges but runs in a restricted user account, so an UAC prompt is shown at its start, the user enters Administrator credentials to confirm it and everything works fine. However, for some critical actions I'd like to verify that the current user is (still) allowed to do that.
For example, the original user left the workstation without locking his Windows account (yes, the world's not perfect...) and another user open that already running application and accesses some sensitive settings.
You can compare this to an online-shop, where an already logged in user has to provide his credentials again if he wants to change his delivery address.
I understand that I could create a custom prompt, ask for admin account credentials and check if they're valid, but I don't want to touch those credentials at all. Neither do I want to introduce additional application-specific credentials. The UAC prompt would be a nice and native solution to re-verify the user has admin privileges.
Basically something like this:
if VerifyAdminWithUacPrompt then
begin
//critical stuff
end;
A Delphi example would be perfect, but I'm also happy about general ideas how to accomplish this.
Your app does not need to invoke a new UAC prompt, since UAC is already running your app elevated. The app just needs to ask the user for credentials. Windows has APIs for that very purpose: CredUIPromptForCredentials() and CredUIPromptForWindowsCredentials():
The CredUIPromptForCredentials function creates and displays a configurable dialog box that accepts credentials information from a user.
The CredUIPromptForWindowsCredentials function creates and displays a configurable dialog box that allows users to supply credential information by using any credential provider installed on the local computer.
See Asking the User for Credentials on MSDN for more details:
Your application may need to prompt the user for user name and password information to avoid storing an administrator password or to verify that the token holds the appropriate privileges.
However, simply prompting for credentials may train users to supply those to any random, unidentified dialog box that appears on the screen. The following procedure is recommended to reduce that training effect.
To properly acquire user credentials
Inform the user, by using a message that is clearly part of your application, that they will see a dialog box that requests their user name and password. You can also use the CREDUI_INFO structure on the call to CredUIPromptForCredentials to convey identifying data or a message.
Call CredUIPromptForCredentials. Note that the maximum number of characters specified for user name and password information includes the terminating null character.
Call CredUIParseUserName and CredUIConfirmCredentials to verify that you obtained appropriate credentials.
While sharing drive to run Linux containers, Docker comes up with a login prompt. O365 Username is pre-filled AzureAD\(username given in c:\users\<username>).
I tried giving the password I logged in (0365 account). Tried changing username to logged-in username. Nothing works and it immediately goes back to the same AzureAD\<username> and prompts again (3 times)
I had logged in using O365 account. This did not allow me to provide access eventhough it was an admin user. But I had another login which was initially used to setup the windows 10 machine. When I used this login, I was able to provide access.
I am unable to revoke application access by a user via either a password reset or by explicitly clearing app keys in user management. The latter method gives a reply indicating that access has been revoked, but when the user hits the tool, they are not re-prompted to approve access to their information.
There are number of possibilities here:
It's possible that there is latency between the declared revocation of keys and the cleanup task that goes through the database and actually cleans them up; I believe that at one point, such a latency existed, was identified, and fixed through service packs and subsequent releases. Accordingly, you may address this issue by ensuring that your back-end service is up-to-date with its available service packs.
It's possible that what's being revoked is the keys, and the necessity to authenticate to rebuild keys, but not the confirmation step that would appear to the user asking for access permission (assuming the user once authenticated, and checked the "don't prompt me to ask for permission again") dialog.
Can you confirm if the request for user tokens by the client application actually does get back tokens? Or is it just that the authentication step happens with no notice of client confirmation to access?
Note that the re-authentication might appear to happen silently; if the client application's request for user tokens happens through a user's browser context where the back-end service can determine that the user is already logged in to the LMS, then the request for tokens could succeed automatically:
The user is assumed to have already authenticated in order to have an active web session, so there's no need to re-gather a username/password (or whatever user auth step the LMS uses) to re-confirm identity.
The user may already have confirmed access for the application and dismissed the confirmation step with "don't ask me again". If the user has confirmed access with "don't ask me again" this choice will get remembered, even if the user tokens get expired due to password change or access revocation by an admin.
If you explicitly log a user out of their LMS session, and then test the client app, this should indicate to you visibly whether the re-authentication step is actually taking place (the user's browser will then get directed to the login process for the back-end service).
Note that, although a user password change or access revocation by an admin can remove the recorded user Id/Key pair associated with an application, it does not remove the record of the confirmation form having been dismissed with "don't ask again". Currently our system does not expose a way to reset that confirmation state.
If after considering these points you feel you still have an issue, I would encourage you to open a support incident through your organization's approved support contact, or your account or partner manager. Desire2Learn takes security related reports quite seriously, and if you've uncovered an issue that hasn't yet been addressed, I would encourage you to report it as a defect.