I have an application that is running as window service and its running under a valid use account not under default system account ,now my worry is if in future use changes his password for that account will it effect this service??
Thanks
The service will stop working as the user credentials don't match.
Yes.
The password you enter in the service properties must be changed of the user changes his password, so it's a bad idea to run a service under a real live user account.
You can either set it to run on a system account, and grant that account the necessary resources for the service to function, or you can create a pseudo-system account - a user account that is restricted from everything else, except from the service resources.
Yes, if the password is changed for the user account, you need to update the stored password as well.
And to make this answer more programming related, this MSDN article shows you how to do it programmatically: Changing the Password on a Service's User Account
Related
We are creating an app that has a feature to reset their password respectively, since we are using keycloak so that thing will be featured via keycloak page itself, but our client need the forgot password will be provided in the app, so i need to hit the forgot password api like below flow.
App Forgot Password Page > Fill email only and proceed > User receive reset password link > Open link > Keycloak reset password page
But seems that api is not existed in the keycloak.
As far i only found below apis
PUT /{realm}/users/{id}/reset-password (need bearer, not possible since we are unable to use realm account user)
PUT /{realm}/users/{id}/execute-actions-email (don't know how to use it and need bearer, not possible since we are unable to use realm account user)
Any suggestion?
Thank you in advance
Hi there, this is 2021, my solution at this time was by using keycloak library in java service, so the service working as aggregator between my web app to keycloak, and still we are using above apis mentioned that need realm access. Good luck.
You can set required action for the user to UPDATE_PASSWORD and when user tries to log in, they will be prompted with Setting up their password.
Keycloak Admin APIs - UserResource
You can update the user and in the UserRepresentation you can set that required action.
If in Azure portal, I set Enterprise applications > Properties > User assignment required? to No, then authentication works as expected. However, if I turned it on, users get error Application needs permission to access resources in your organization that only an admin can grant. I understand that I need to add an API permission to my app, but what is it?
Interestingly, if a user has signed in into the app before, then they are not affected when turning the option on. Only users who have never use it are affected
Edit: To clarify, I already have App roles created. Users without app roles can't sign in, as expected. Users WITH app roles who sign in for the first time after the the option turned to Yes get the above error
Finally, I reproduce your issue with the request URL below, the scope also could be another one, e.g. https://storage.azure.com/.default, which has been added in the API permissions of the AD App.
https://login.microsoftonline.com/<tenant0id>/oauth2/v2.0/authorize?
client_id=xxxxxxx
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://management.azure.com/.default
&state=12345
If the User assignment required is set to Yes, I notice it will not promote the user to consent the permissions. (e.g. user_impersonation in the Azure Service Management API.)
To fix the issue, we need the admin consent to the App, just navigate to the API permissions, click the Grant the admin consent for xxx button, then it will work fine.
A new iOS app should be able to connect to a web service to sync data across devices.
I like the way the diary app Day One solved this:
On registration the user can choose to use mail address to setup a "real" account or to sign in with his Apple ID
When using the "real" account the mail address has to confirmed and a username and password has to be chosen
When using the Apple ID Sign In no additional steps are needed. The app is connected to the web services using some random user ID
When being installed on a new devices it is no problem to re-connect using the Apple-ID method.
Problem 1: How to access the Apple ID?
As far as I know it is not possible for the app to really to access the Apple-ID. Or is there some undocumented way to do this? How is this possible?
I suspect that the app instead might use iCloud to store some token? The iCloud storage is linked to the Apple-ID, thus when installing on a new devices it would be possible to recover the token from iCloud and use it to reconnect.
Or are there other / better methods?
Problem 2: How to handle the authentication?
Let's set Problem 1 aside and assume that we have solved the problem of creating some cross-device username. How could be handle the authentication?
Solution 1: Only the token (Apple ID / iCloud stored username / etc.) is used for authentication. If a request from the app to the server contains a valid username token access is granted.
Solution 2: In addition to the username token a random password is generated when creating the anonymous account. This could be done on the device or on the server. But since the password has to be known on both ends, it need to be transferred from one end to the other at some point.
2a: Trust in the HTTPS connection and transfer the plain password
2b: Use some other method (e.g. Diffie-Hellman) to agree on a common password
On first sight 2b seems to be the most secure solution but is the really the case? The sync data is not encrypted but "only" trusts in the HTTPS connection. Would it add extra security to transfer the password using another method?
Additionally, does it add extra security to use a "password" at all? This is not a password the user selects for his user selected username but a automatically generated password for a automatically generated username / token.
Would it not be the same to just use the generated username token? Only who has access to the token / Apple ID / iCloud account, etc. can access the web service.
So, which solution is the best? Am I missing something and there are better solutions?
As of iOS 12, Apple provide a SDK for developer to access user Apple ID - with user's consent, obviously. Developer can use AuthenticationService SDK to achieve this. Please read more at the documentation. I'm sure this is how Day One app does what you describe.
Let's say an application is already running with elevated privileges.
Is it possible for this application to show a UAC prompt and get its result (successfully confirmed or cancelled)?
Background story: I have an application that requires Administrator privileges but runs in a restricted user account, so an UAC prompt is shown at its start, the user enters Administrator credentials to confirm it and everything works fine. However, for some critical actions I'd like to verify that the current user is (still) allowed to do that.
For example, the original user left the workstation without locking his Windows account (yes, the world's not perfect...) and another user open that already running application and accesses some sensitive settings.
You can compare this to an online-shop, where an already logged in user has to provide his credentials again if he wants to change his delivery address.
I understand that I could create a custom prompt, ask for admin account credentials and check if they're valid, but I don't want to touch those credentials at all. Neither do I want to introduce additional application-specific credentials. The UAC prompt would be a nice and native solution to re-verify the user has admin privileges.
Basically something like this:
if VerifyAdminWithUacPrompt then
begin
//critical stuff
end;
A Delphi example would be perfect, but I'm also happy about general ideas how to accomplish this.
Your app does not need to invoke a new UAC prompt, since UAC is already running your app elevated. The app just needs to ask the user for credentials. Windows has APIs for that very purpose: CredUIPromptForCredentials() and CredUIPromptForWindowsCredentials():
The CredUIPromptForCredentials function creates and displays a configurable dialog box that accepts credentials information from a user.
The CredUIPromptForWindowsCredentials function creates and displays a configurable dialog box that allows users to supply credential information by using any credential provider installed on the local computer.
See Asking the User for Credentials on MSDN for more details:
Your application may need to prompt the user for user name and password information to avoid storing an administrator password or to verify that the token holds the appropriate privileges.
However, simply prompting for credentials may train users to supply those to any random, unidentified dialog box that appears on the screen. The following procedure is recommended to reduce that training effect.
To properly acquire user credentials
Inform the user, by using a message that is clearly part of your application, that they will see a dialog box that requests their user name and password. You can also use the CREDUI_INFO structure on the call to CredUIPromptForCredentials to convey identifying data or a message.
Call CredUIPromptForCredentials. Note that the maximum number of characters specified for user name and password information includes the terminating null character.
Call CredUIParseUserName and CredUIConfirmCredentials to verify that you obtained appropriate credentials.
I took over a Rails app and am trying to get the Salesforce.com API credentials set up for my user account.
I'm set as a system admin with "Developer Mode" on (though I have no clue what that does, I just saw it set on the previous account.)
We have a sandbox. I click the login link on it, enter my sandbox username (email#domain.com.sandbox), enter my password, and get "Login attempt has failed".
I know my password is okay since I've logged into the production site several times. Using different domains (test.salesforce.com, etc) doesn't help either.
Edit to clarify where I'm stuck:
I'm logged into the production site and under "my sandboxes" there's a login link next to each sandbox which takes you to the correct server and pre-fills your sandbox username.
So, my issues are with that, getting logged into the sandbox web interface.
I do understand the security tokens and have my production API stuff set up, but I'd rather try my changes out on the sandbox first! From the examples I've seen, the sandbox security tokens are different, so I'm trying to log into the sandbox web interface for that.
My user account was created after the sandbox. So, it wasn't in the sandbox.
A sandbox refresh added my account into the sandbox.
Pretty basic mistake.
You won't be able to login from https://login.salesforce.com that's only for production.
You're correct to use the sandbox instance https://test.salesforce.com (or https://cs1.salesforce.com, https://cs2.salesforce.com, etc.)
I'm sure you figured out email#domain.com is your regular username, but the "sandbox" part is the actual name of your sandbox. So if you named your sandbox as "sbx" you would login as joe#example.com.sbx
If that doesn't work, go to your production organization where you can login. Navigate to Setup -> Data Management -> Sandbox and then click the Login button next to the sandbox you wish you login to.
Firstly - having developer mode on just offers you a subtly different view of Pages, making it easier to write your force.com solutions (it splits the View with the Controller) but this is not affecting your login issues:
I'm not 100% clear whether you are failing to log into your sandbox's website, or whether you are failing to connect via the API.
If you cannot use your production password on the sandbox, you will need to get someone who is an admin on that sandbox to reset your password for you.
If you can use your production password to log into the sandbox, but cannot use it to hook up to the API, then this is the problem:
Salesforce.com trusts users that come through the web UI; However, in order to log in to the API, you need to append an extra bit of user information to your password - this is your Security token.
You can reset this in Setup...My Personal Information... Reset MY Security Token
the token will get emailed to you - it will be some obscure alpha-numeric token. Copy this and paste it to the end of your password. For example if your password was 'arthur', and the token was ABC123def, the credentials to pass through would be:
login: email#domain.com.sandbox
password: arthurABC123def