Search Results

Search found 180 results on 8 pages for 'impersonate'.

Page 2/8 | < Previous Page | 1 2 3 4 5 6 7 8  | Next Page >

  • WCF Web Services - Multiple Hop impersonation on the same server

    - by Lerxst
    Hi Folks I have 3 web services, all located on the same server. My Client calls Service A, which impersonates the client to call Service B, and all is well. Now, I want to impersonate the caller of service B (which is my username) to call Service C. When I use the same technique as before (AllowedImpersonationLevel = Impersonate, user.Impersonate()), The user doesnt get passed to service C. Instead, Service C sees the user as the user I am running it under in IIS. Is there anything special I need to do to get this working? Is this a delegation issue? (I thought it would not be delegation because they are all on the same server) Thanks SO!

    Read the article

  • Non-unique display names?

    - by Davy8
    I know of at least big title game (Starcraft II) that doesn't require unique display names, so it would seem like it can work in at least some circumstance. Under what situations does allowing non-unique display names work well? When does it not work well? Does it come down to whether or not impersonation of someone else is a problem? The reasons I believe it works for Starcraft II is that there isn't any kind of in-game trading of virtual goods and other than "for kicks" there isn't much incentive to impersonate someone else in the game. There's also ladder rankings so even trying to impersonate a pro is easily detectable unless you're on a similar skill level. What are some other cases where it makes sense to specifically allow or disallow duplicate display names? (I have no idea what to tag this as. I went with game-design because I needed at least 1 tag and I don't have rep to create new ones yet.)

    Read the article

  • What are the pros and cons of non-unique display names?

    - by Davy8
    I know of at least big title game (Starcraft II) that doesn't require unique display names, so it would seem like it can work in at least some circumstance. Under what situations does allowing non-unique display names work well? When does it not work well? Does it come down to whether or not impersonation of someone else is a problem? The reasons I believe it works for Starcraft II is that there isn't any kind of in-game trading of virtual goods and other than "for kicks" there isn't much incentive to impersonate someone else in the game. There's also ladder rankings so even trying to impersonate a pro is easily detectable unless you're on a similar skill level. What are some other cases where it makes sense to specifically allow or disallow duplicate display names?

    Read the article

  • PrinterSettings.IsValid always returning false

    - by Jarrod
    In our code, we have to give the users a list of printers to choose from. The user then chooses a printer and it is checked to verify it is valid before printing. On a windows 2003 server with IIS 6, this works fine. On a windows 2008 server with IIS 7, it fails each time impersonate is set to true. PrinterSettings printerSetting = new PrinterSettings(); printerSetting.PrinterName = ddlPrinterName.SelectedItem.Text; if (!printerSetting.IsValid) { lblMsg.Text = "Server Printer is not valid."; } else { lblMsg.Text = "Success"; } Each time this code is run, the "Server Printer is not valid" displays, only if impersonate is set to true. If impersonate is set to false, the success message is displayed. The impersonation user has full rights to the printer. Is there a way to catch the actual reason the printer is not valid? Is there some other 2008 setting I should check?

    Read the article

  • Windows XP Domain Logon takes between 40 - 60 minutes

    - by Bryan
    Windows XP Clients, fully patched, with Symantec Endpoint Protection 11 client Windows 2008 R2 domain Roaming profiles Folder Redirection applied to Documents, AppData & Desktop I've enabled userenv logging, and logged on just after 17:00 last night. The user shell hadn't appeared at 17:45 when I left last night. When I arrived this morning, I checked the log file and found the following. USERENV(3f8.e7c) 17:02:18:296 LogExtSessionStatus: Successfully logged Extension Session data USERENV(654.a30) 17:04:09:468 ImpersonateUser: Failed to impersonate user with 5. USERENV(654.a30) 17:04:09:468 GetUserNameAndDomain Failed to impersonate user USERENV(654.a30) 17:04:09:468 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available. USERENV(c8c.cb8) 17:04:09:781 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(cd0.cd4) 17:04:10:781 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(d08.c84) 17:07:09:609 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(cbc.cc0) 17:07:10:625 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\luall.exe USERENV(db0.db4) 17:07:10:781 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(e00.e0c) 17:07:11:062 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(e20.e34) 17:07:11:203 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(e40.e50) 17:07:11:406 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(efc.54c) 17:07:11:656 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(ccc.df0) 17:08:45:687 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(e24.e20) 17:08:45:937 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\luall.exe USERENV(ff0.ff4) 17:08:46:078 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(32c.cd0) 17:08:46:265 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(cc4.3d4) 17:08:46:406 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(434.4d0) 17:08:46:593 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(f2c.ac) 17:08:46:828 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(d60.d7c) 17:09:40:265 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(d94.d98) 17:09:40:531 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(bc4.3c4) 17:10:52:765 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(37c.90c) 17:10:52:984 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\luall.exe USERENV(580.540) 17:10:53:109 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(c18.c30) 17:10:53:312 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(c44.288) 17:10:53:468 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(a34.cf4) 17:10:53:656 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(d3c.d4c) 17:10:53:890 LibMain: Process Name: C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe USERENV(970.948) 17:15:09:468 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(150.9dc) 17:15:09:734 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(f90.cec) 17:20:38:718 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(d8c.d70) 17:20:38:984 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(9a0.fa0) 17:26:07:953 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(844.51c) 17:26:08:218 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(d00.9ac) 17:31:19:453 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(ad4.624) 17:31:19:718 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(654.694) 17:31:46:390 ImpersonateUser: Failed to impersonate user with 5. USERENV(654.694) 17:31:46:390 GetUserNameAndDomain Failed to impersonate user USERENV(654.694) 17:31:46:390 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available. USERENV(af8.610) 17:36:48:625 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(aa4.dfc) 17:36:48:906 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(2dc.5c8) 17:42:17:812 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(f70.8ac) 17:42:18:078 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(d50.c30) 17:47:47:062 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(c2c.c3c) 17:47:47:328 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(ef0.4cc) 17:53:16:234 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(cd4.c84) 17:53:16:500 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE USERENV(828.8c4) 17:58:45:484 LibMain: Process Name: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe USERENV(a24.b30) 17:58:45:750 LibMain: Process Name: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE I've seen posts suggesting that it may be Windows Desktop Search 3.01 that is causing this, so I've removed that. I've removed the policy, 'Always wait for the network at startup or logon', thinking that might have helped. I'm running out of ideas. Has anyone seen this before?

    Read the article

  • How can I launch an application as Administrator after a WiX MSI has completed?

    - by ray dey
    Hi there I want to launch an application with admin rights after I have completed an installation using a WiX based MSI. I can launch the application just fine, on XP but with Windows 7, it's an issue. The application has a manifest embedded in it that says it should run as administrator and I've changed the impersonate attribute in the Custom Action to "no". I can't change the execute attribute to deferred, as this only works before the InstallFinalize action and I need it after the user has clicked Finish in the MSI. This is my Custom Action: <CustomAction Id="LaunchApp" FileKey="App" ExeCommand="[Command Line Args]" Execute="immediate" Impersonate="no" Return="asyncNoWait" /> Any help on this would be appreciated. Thanks

    Read the article

  • asp.net impersonation identity: Where does it come from?

    - by Rising Star
    Here's a simple question I've been stuck on for a while. When I set < identity impersonate=true > in my web.config so that asp.net impersonates the logged on user automatically (or the anonymous account if not using Windows Authentication), where does the identity that asp.net impersonates come from? This document: http://msdn.microsoft.com/en-us/library/ff649264.aspx shows three places you can retrieve information about the logged on user: Httpcontext.Current.user System.Threading.Thread.Current System.Security.Principal.WindowsIdentity.GetCurrent It seems that none of these locations consistently match the identity that gets impersonated when I set < identity impersonate=true > in web.config. I would like to know where the impersonated identity comes from.

    Read the article

  • Enabling Kerberos Authentication for Reporting Services

    - by robcarrol
    Recently, I’ve helped several customers with Kerberos authentication problems with Reporting Services and Analysis Services, so I’ve decided to write this blog post and pull together some useful resources in one place (there are 2 whitepapers in particular that I found invaluable configuring Kerberos authentication, and these can be found in the references section at the bottom of this post). In most of these cases, the problem has manifested itself with the Login failed for User ‘NT Authority\Anonymous’ (“double-hop”) error. By default, Reporting Services uses Windows Integrated Authentication, which includes the Kerberos and NTLM protocols for network authentication. Additionally, Windows Integrated Authentication includes the negotiate security header, which prompts the client to select Kerberos or NTLM for authentication. The client can access reports which have the appropriate permissions by using Kerberos for authentication. Servers that use Kerberos authentication can impersonate those clients and use their security context to access network resources. You can configure Reporting Services to use both Kerberos and NTLM authentication; however this may lead to a failure to authenticate. With negotiate, if Kerberos cannot be used, the authentication method will default to NTLM. When negotiate is enabled, the Kerberos protocol is always used except when: Clients/servers that are involved in the authentication process cannot use Kerberos. The client does not provide the information necessary to use Kerberos. An in-depth discussion of Kerberos authentication is beyond the scope of this post, however when users execute reports that are configured to use Windows Integrated Authentication, their logon credentials are passed from the report server to the server hosting the data source. Delegation needs to be set on the report server and Service Principle Names (SPNs) set for the relevant services. When a user processes a report, the request must go through a Web server on its way to a database server for processing. Kerberos authentication enables the Web server to request a service ticket from the domain controller; impersonate the client when passing the request to the database server; and then restrict the request based on the user’s permissions. Each time a server is required to pass the request to another server, the same process must be used. Kerberos authentication is supported in both native and SharePoint integrated mode, but I’ll focus on native mode for the purpose of this post (I’ll explain configuring SharePoint integrated mode and Kerberos authentication in a future post). Configuring Kerberos avoids the authentication failures due to double-hop issues. These double-hop errors occur when a users windows domain credentials can’t be passed to another server to complete the user’s request. In the case of my customers, users were executing Reporting Services reports that were configured to query Analysis Services cubes on a separate machine using Windows Integrated security. The double-hop issue occurs as NTLM credentials are valid for only one network hop, subsequent hops result in anonymous authentication. The client attempts to connect to the report server by making a request from a browser (or some other application), and the connection process begins with authentication. With NTLM authentication, client credentials are presented to Computer 2. However Computer 2 can’t use the same credentials to access Computer 3 (so we get the Anonymous login error). To access Computer 3 it is necessary to configure the connection string with stored credentials, which is what a number of customers I have worked with have done to workaround the double-hop authentication error. However, to get the benefits of Windows Integrated security, a better solution is to enable Kerberos authentication. Again, the connection process begins with authentication. With Kerberos authentication, the client and the server must demonstrate to one another that they are genuine, at which point authentication is successful and a secure client/server session is established. In the illustration above, the tiers represent the following: Client tier (computer 1): The client computer from which an application makes a request. Middle tier (computer 2): The Web server or farm where the client’s request is directed. Both the SharePoint and Reporting Services server(s) comprise the middle tier (but we’re only concentrating on native deployments just now). Back end tier (computer 3): The Database/Analysis Services server/Cluster where the requested data is stored. In order to enable Kerberos authentication for Reporting Services it’s necessary to configure the relevant SPNs, configure trust for delegation for server accounts, configure Kerberos with full delegation and configure the authentication types for Reporting Services. Service Principle Names (SPNs) are unique identifiers for services and identify the account’s type of service. If an SPN is not configured for a service, a client account will be unable to authenticate to the servers using Kerberos. You need to be a domain administrator to add an SPN, which can be added using the SetSPN utility. For Reporting Services in native mode, the following SPNs need to be registered --SQL Server Service SETSPN -S mssqlsvc/servername:1433 Domain\SQL For named instances, or if the default instance is running under a different port, then the specific port number should be used. --Reporting Services Service SETSPN -S http/servername Domain\SSRS SETSPN -S http/servername.domain.com Domain\SSRS The SPN should be set for the NETBIOS name of the server and the FQDN. If you access the reports using a host header or DNS alias, then that should also be registered SETSPN -S http/www.reports.com Domain\SSRS --Analysis Services Service SETSPN -S msolapsvc.3/servername Domain\SSAS Next, you need to configure trust for delegation, which refers to enabling a computer to impersonate an authenticated user to services on another computer: Location Description Client 1. The requesting application must support the Kerberos authentication protocol. 2. The user account making the request must be configured on the domain controller. Confirm that the following option is not selected: Account is sensitive and cannot be delegated. Servers 1. The service accounts must be trusted for delegation on the domain controller. 2. The service accounts must have SPNs registered on the domain controller. If the service account is a domain user account, the domain administrator must register the SPNs. In Active Directory Users and Computers, verify that the domain user accounts used to access reports have been configured for delegation (the ‘Account is sensitive and cannot be delegated’ option should not be selected): We then need to configure the Reporting Services service account and computer to use Kerberos with full delegation:   We also need to do the same for the SQL Server or Analysis Services service accounts and computers (depending on what type of data source you are connecting to in your reports). Finally, and this is the part that sometimes gets over-looked, we need to configure the authentication type correctly for reporting services to use Kerberos authentication. This is configured in the Authentication section of the RSReportServer.config file on the report server. <Authentication> <AuthenticationTypes>           <RSWindowsNegotiate/> </AuthenticationTypes> <EnableAuthPersistence>true</EnableAuthPersistence> </Authentication> This will enable Kerberos authentication for Internet Explorer. For other browsers, see the link below. The report server instance must be restarted for these changes to take effect. Once these changes have been made, all that’s left to do is test to make sure Kerberos authentication is working properly by running a report from report manager that is configured to use Windows Integrated authentication (either connecting to Analysis Services or SQL Server back-end). Resources: Manage Kerberos Authentication Issues in a Reporting Services Environment http://download.microsoft.com/download/B/E/1/BE1AABB3-6ED8-4C3C-AF91-448AB733B1AF/SSRSKerberos.docx Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23176 How to: Configure Windows Authentication in Reporting Services http://msdn.microsoft.com/en-us/library/cc281253.aspx RSReportServer Configuration File http://msdn.microsoft.com/en-us/library/ms157273.aspx#Authentication Planning for Browser Support http://msdn.microsoft.com/en-us/library/ms156511.aspx

    Read the article

  • SQL SERVER – Importance of User Without Login – T-SQL Demo Script

    - by pinaldave
    Earlier I wrote a blog post about SQL SERVER – Importance of User Without Login and my friend and SQL Expert Vinod Kumar has written excellent follow up blog post about Contained Databases inside SQL Server 2012. Now lots of people asked me if I can also explain the same concept again so here is the small demonstration for it. Let me show you how login without user can help. Before we continue on this subject I strongly recommend that you read my earlier blog post here. In following demo I am going to demonstrate following situation. Login using the System Admin account Create a user without login Checking Access Impersonate the user without login Checking Access Revert Impersonation Give Permission to user without login Impersonate the user without login Checking Access Revert Impersonation Clean up USE [AdventureWorks2012] GO -- Step 1 : Login using the SA -- Step 2 : Create Login Less User CREATE USER [testguest] 9ITHOUT LOGIN WITH DEFAULT_SCHEMA=[dbo] GO -- Step 3 : Checking access to Tables SELECT * FROM sys.tables; -- Step 4 : Changing the execution contest EXECUTE AS USER   = 'testguest'; GO -- Step 5 : Checking access to Tables SELECT * FROM sys.tables; GO -- Step 6 : Reverting Permissions REVERT; -- Step 7 : Giving more Permissions to testguest user GRANT SELECT ON [dbo].[ErrorLog] TO [testguest]; GRANT SELECT ON [dbo].[DatabaseLog] TO [testguest]; GO -- Step 8 : Changing the execution contest EXECUTE AS USER   = 'testguest'; GO -- Step 9 : Checking access to Tables SELECT * FROM sys.tables; GO -- Step 10 : Reverting Permissions REVERT; GO -- Step 11: Clean up DROP USER [testguest]Step 3 GO Here is the step 9 we will be able to notice that how a user without login gets access to some of the data/object which we gave permission. What I am going to prove with this example? Well there can be different rights with different account. Once the login is authenticated it makes sense for impersonating a user with only necessary permissions to be used for further operation. Again this is very basic and fundamental example. There are lots of more points to be discussed as we go in future posts. Just do not take this blog post as a template and implement everything as it is. Reference: Pinal Dave (http://blog.sqlauthority.com) Filed under: PostADay, SQL, SQL Authority, SQL Query, SQL Security, SQL Server, SQL Tips and Tricks, T SQL, Technology

    Read the article

  • Sesame update du jour: SL 4, OOB, Azure, and proxy support

    - by Fabrice Marguerie
    I've just published a new version of Sesame Data Browser. Here's what's new this time: Upgraded to Silverlight 4 Can run out-of-browser (OOB), with elevated permissions. This gives you an icon on your desktop and enables new scenarios. Note: The application is unsigned for the moment. Support for Windows Azure authentication Support for SQL Azure authentication If you are behind a proxy that requires authentication, just give Sesame a new try after clicking on "If you are behind a proxy that requires authentication, please click here" An icon and a button for closing connections are now displayed on connection tabsSome less visible improvements Here is the connection view with anonymous access: If you want to access Windows Azure tables as OData, all you have to do is use your table storage endpoint as the URL, and provide your access key: A Windows Azure table storage address looks like this: http://<your account>.table.core.windows.net/ If you want to browse your SQL Azure databases with Sesame, you have to enable OData support for them at https://www.sqlazurelabs.com/ConfigOData.aspx. I won't show how it works because it's already been done in several places over the Web. Here are pointers: OData.org: Got SQL Azure? Then you've got OData OakLeaf Systems: Enabling and Using the OData Protocol with SQL Azure Patrick Verbruggen: Creating an OData feed for your Azure databases Shawn Wildermuth: SQL Azure's OData Support Jack Greenfield: How to Use OData for SQL Azure with AppFabric Access Control You can choose to enable anonymous access or not. When you don't enable anonymous access, you have to provide an Issuer name and a Secret key, and optionally an Security Token Service (STS) endpoint: Excerpt from Jack Greenfield's blog: To enable OData access to the currently selected database, check the box labeled "Enable OData". When OData access is enabled, database user mapping information is displayed at the bottom of the form.Use the drop down list labeled "Anonymous Access User" to select an anonymous access user. If an anonymous access user is selected, then all queries against the database presented without credentials will execute by impersonating that user. You can access the database as the anonymous user by clicking on the link provided at the bottom of the page. If no anonymous access user is selected, then the OData Service will not allow anonymous access to the database.Click the link labeled "Add User" to add a user for authenticated access. In the pop up panel, select the user from the drop down list. Leave the issuer name empty for simple authentication, or provide the name of a trusted Security Token Service (STS) for federated authentication. For example, to federate with another ACS based STS, provide the base URI for the STS endpoint displayed by the Windows Azure AppFabric Portal for the STS.Click the "OK" button to complete the configuration process and dismiss the pop up panel. When one or more authenticated access users are added, the OData Service will impersonate them when appropriate credentials are presented. You can designate as many authenticated access users as you like. The OData Service will decide which one to impersonate for each query by inspecting the credentials presented with the query.Next time I'll give an overview of how Sesame Data Browser is built.In the meantime, happy data browsing!

    Read the article

  • Why can a local root turn into any LDAP user?

    - by Daniel Gollás
    I know this has been asked here before, but I am not satisfied with the answers and don't know if it's ok to revive and hijack an older question. We have workstations that authenticate users on an LDAP server. However, the local root user can su into any LDAP user without needing a password. From my perspective this sounds like a huge security problem that I would hope could be avoided at the server level. I can imagine the following scenario where a user can impersonate another and don't know how to prevent it: UserA has limited permissions, but can log into a company workstation using their LDAP password. They can cat /etc/ldap.conf and figure out the LDAP server's address and can ifconfig to check out their own IP address. (This is just an example of how to get the LDAP address, I don't think that is usually a secret and obscurity is not hard to overcome) UserA takes out their own personal laptop, configures authentication and network interfaces to match the company workstation and plugs in the network cable from the workstation to their laptop, boots and logs in as local root (it's his laptop, so he has local root) As root, they su into any other user on LDAP that may or may not have more permissions (without needing a password!), but at the very least, they can impersonate that user without any problem. The other answers on here say that this is normal UNIX behavior, but it sounds really insecure. Can the impersonated user act as that user on an NFS mount for example? (the laptop even has the same IP address). I know they won't be able to act as root on a remote machine, but they can still be any other user they want! There must be a way to prevent this on the LDAP server level right? Or maybe at the NFS server level? Is there some part of the process that I'm missing that actually prevents this? Thanks!!

    Read the article

  • Authenticated User Impersonation in Classic ASP under IIS7

    - by user52663
    I've recently moved one of our servers from Server 2003 and IIS6 to Server 2008 R2 and IIS7 (technically IIS7.5 I suppose). In doing so I am transitioning a small account management tool written in classic ASP and have run into a problem with user impersonation. Extensive searching hasn't been much help so far. Under IIS6, the site was configured to impersonate the logged-in user. Thus, if a domain admin logged in, he was able to run commands to create user directories, adjust permissions, etc. Using Procmon you can see the processes executing as that user. This worked fine. However, with the same code under IIS7, I am unable to get this behavior. I have enabled Basic Authentication, disabled Anonymous Auth, enabled impersonation and have changed the app pool to classic instead of integrated pipelining. Everything seems to be configured correctly, however, all the processes launched by the classic ASP site continue to run as the default AppPool identity and not the logged-in user. If it matters, programs are being launched with code such as: set Wsh = Server.CreateObject("WScript.Shell") Wsh.Run("cmd.exe /C mkdir D:\users\foo") Monitoring via Procmon shows cmd.exe being run as either "Classic .NET AppPool" or "DefaultAppPool" depending on the pipeline mode. Any suggestions on how to get the classic ASP site to impersonate and execute as the authenticated user would be great. Thanks!

    Read the article

  • IIS WebServer CreatesNew file: OwnerShip?

    - by Beaud.
    IIS is configured for Integrated Windows Authentication. web.config is configured as follows: <authentication mode="Windows" /> <identity impersonate="true" /> We are Load balancing between \webserver1 and \webserver2. Windows Server 2003 \\webserverX creates a XML file to \\share1 and access is denied. We got pass through access denial by allowing Everyon to access the share... We would like to have the impersonated user to be the owner of the created file. Instead, \\webserver1's computer account is the owner. How can we make sure that the impersonated user has ownership of the file at creation time? PROGRESSION: I decided to create the file locally on \\webserver1's root directory. File's ownership is NETWORK SERVICES even if impersonate="true". I'm unable to change ownership of the file in C# code. Why when creating a file, IIS won't use the impersonated user's write permissions? If it actually does, what I am doing wrong?

    Read the article

  • Failure with LogonUser in MC++

    - by Alikar
    After fighting with this for a week I have not really gotten anywhere in why it constantly fails in my code, but not in other examples. My code, which while it compiles, will not log into a user that I know has the correct login information. Where it fails is the following line: wi = gcnew WindowsIdentity(token); It fails here because the token is zero, meaning that it was never set to a user token. Here is my full code: #ifndef UNCAPI_H #define UNCAPI_H #include <windows.h> #pragma once using namespace System; using namespace System::Runtime::InteropServices; using namespace System::Security::Principal; using namespace System::Security::Permissions; namespace UNCAPI { public ref class UNCAccess { public: //bool Logon(String ^_srUsername, String ^_srDomain, String ^_srPassword); [PermissionSetAttribute(SecurityAction::Demand, Name = "FullTrust")] bool Logon(String ^_srUsername, String ^_srDomain, String ^_srPassword) { bool bSuccess = false; token = IntPtr(0); bSuccess = LogonUser(_srUsername, _srDomain, _srPassword, 8, 0, &tokenHandle); if(bSuccess) { wi = gcnew WindowsIdentity(token); wic = wi->Impersonate(); } return bSuccess; } void UNCAccess::Logoff() { if (wic != nullptr ) { wic->Undo(); } CloseHandle((int*)token.ToPointer()); } private: [DllImport("advapi32.dll", SetLastError=true)]//[DllImport("advapi32.DLL", EntryPoint="LogonUserW", SetLastError=true, CharSet=CharSet::Unicode, ExactSpelling=true, CallingConvention=CallingConvention::StdCall)] bool static LogonUser(String ^lpszUsername, String ^lpszDomain, String ^lpszPassword, int dwLogonType, int dwLogonProvider, IntPtr *phToken); [DllImport("KERNEL32.DLL", EntryPoint="CloseHandle", SetLastError=true, CharSet=CharSet::Unicode, ExactSpelling=true, CallingConvention=CallingConvention::StdCall)] bool static CloseHandle(int *handle); IntPtr token; WindowsIdentity ^wi; WindowsImpersonationContext ^wic; };// End of Class UNCAccess }// End of Name Space #endif UNCAPI_H Now using this slightly modified example from Microsoft I was able to get a login and a token: #using <mscorlib.dll> #using <System.dll> using namespace System; using namespace System::Runtime::InteropServices; using namespace System::Security::Principal; using namespace System::Security::Permissions; [assembly:SecurityPermissionAttribute(SecurityAction::RequestMinimum, UnmanagedCode=true)] [assembly:PermissionSetAttribute(SecurityAction::RequestMinimum, Name = "FullTrust")]; [DllImport("advapi32.dll", SetLastError=true)] bool LogonUser(String^ lpszUsername, String^ lpszDomain, String^ lpszPassword, int dwLogonType, int dwLogonProvider, IntPtr* phToken); [DllImport("kernel32.dll", CharSet=System::Runtime::InteropServices::CharSet::Auto)] int FormatMessage(int dwFlags, IntPtr* lpSource, int dwMessageId, int dwLanguageId, String^ lpBuffer, int nSize, IntPtr *Arguments); [DllImport("kernel32.dll", CharSet=CharSet::Auto)] bool CloseHandle(IntPtr handle); [DllImport("advapi32.dll", CharSet=CharSet::Auto, SetLastError=true)] bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, IntPtr* DuplicateTokenHandle); // GetErrorMessage formats and returns an error message // corresponding to the input errorCode. String^ GetErrorMessage(int errorCode) { int FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x00000100; int FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200; int FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000; //int errorCode = 0x5; //ERROR_ACCESS_DENIED //throw new System.ComponentModel.Win32Exception(errorCode); int messageSize = 255; String^ lpMsgBuf = ""; int dwFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS; IntPtr ptrlpSource = IntPtr::Zero; IntPtr prtArguments = IntPtr::Zero; int retVal = FormatMessage(dwFlags, &ptrlpSource, errorCode, 0, lpMsgBuf, messageSize, &prtArguments); if (0 == retVal) { throw gcnew Exception(String::Format( "Failed to format message for error code {0}. ", errorCode)); } return lpMsgBuf; } // Test harness. // If you incorporate this code into a DLL, be sure to demand FullTrust. [PermissionSetAttribute(SecurityAction::Demand, Name = "FullTrust")] int main() { IntPtr tokenHandle = IntPtr(0); IntPtr dupeTokenHandle = IntPtr(0); try { String^ userName; String^ domainName; // Get the user token for the specified user, domain, and password using the // unmanaged LogonUser method. // The local machine name can be used for the domain name to impersonate a user on this machine. Console::Write("Enter the name of the domain on which to log on: "); domainName = Console::ReadLine(); Console::Write("Enter the login of a user on {0} that you wish to impersonate: ", domainName); userName = Console::ReadLine(); Console::Write("Enter the password for {0}: ", userName); const int LOGON32_PROVIDER_DEFAULT = 0; //This parameter causes LogonUser to create a primary token. const int LOGON32_LOGON_INTERACTIVE = 2; const int SecurityImpersonation = 2; tokenHandle = IntPtr::Zero; dupeTokenHandle = IntPtr::Zero; // Call LogonUser to obtain a handle to an access token. bool returnValue = LogonUser(userName, domainName, Console::ReadLine(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &tokenHandle); Console::WriteLine("LogonUser called."); if (false == returnValue) { int ret = Marshal::GetLastWin32Error(); Console::WriteLine("LogonUser failed with error code : {0}", ret); Console::WriteLine("\nError: [{0}] {1}\n", ret, GetErrorMessage(ret)); int errorCode = 0x5; //ERROR_ACCESS_DENIED throw gcnew System::ComponentModel::Win32Exception(errorCode); } Console::WriteLine("Did LogonUser Succeed? {0}", (returnValue?"Yes":"No")); Console::WriteLine("Value of Windows NT token: {0}", tokenHandle); // Check the identity. Console::WriteLine("Before impersonation: {0}", WindowsIdentity::GetCurrent()->Name); bool retVal = DuplicateToken(tokenHandle, SecurityImpersonation, &dupeTokenHandle); if (false == retVal) { CloseHandle(tokenHandle); Console::WriteLine("Exception thrown in trying to duplicate token."); return -1; } // The token that is passed to the following constructor must // be a primary token in order to use it for impersonation. WindowsIdentity^ newId = gcnew WindowsIdentity(dupeTokenHandle); WindowsImpersonationContext^ impersonatedUser = newId->Impersonate(); // Check the identity. Console::WriteLine("After impersonation: {0}", WindowsIdentity::GetCurrent()->Name); // Stop impersonating the user. impersonatedUser->Undo(); // Check the identity. Console::WriteLine("After Undo: {0}", WindowsIdentity::GetCurrent()->Name); // Free the tokens. if (tokenHandle != IntPtr::Zero) CloseHandle(tokenHandle); if (dupeTokenHandle != IntPtr::Zero) CloseHandle(dupeTokenHandle); } catch(Exception^ ex) { Console::WriteLine("Exception occurred. {0}", ex->Message); } Console::ReadLine(); }// end of function Why should Microsoft's code succeed, where mine fails?

    Read the article

  • Lucene.net create+lock errors in ASP.NET

    - by acidzombie24
    I have an issue with Lucene.net. It throws a lock exception. After poking around i notice these things. My code below works in an app bit when calling in Application_Start i get a NoSuchDirectoryException. Not closing the writer (as my code doesnt do below) i WILL get a LockObtainFailedException with the message Lock obtain timed out: SimpleFSLock@<FULL_PATH> from either app or asp.net These thread hinted when spawning threads they get less permissions then i do (but! my main thread has problems as well...) and one solution is to impersonate IIS. I am using visual studios 2010. I am not sure how full blown it is but my attempt to impersonate it failed. So my question is how do i have lucene create the directory and not throw an exception if dont close the writer for some reason (such as power going out)? http://stackoverflow.com/questions/2341163/why-is-my-lucene-index-getting-locked/2499285#2499285 http://stackoverflow.com/questions/1123517/lucene-net-and-i-o-threading-issue/1123981#1123981 static IndexWriter writer = null; static void lucene_init() { bool create = false; string dirname = "LuceneIndex_z"; if (System.IO.Directory.Exists(dirname) == false) create = true; var directory = FSDirectory.GetDirectory(dirname); var analyzer = new StandardAnalyzer(); writer = new IndexWriter(directory, analyzer, create); }

    Read the article

  • Lucene.net create+lock errors in ASP.NET

    - by acidzombie24
    I have an issue with Lucene.net. It throws a lock exception. After poking around i notice these things. My code below works in an app bit when calling in Application_Start i get a NoSuchDirectoryException. Not closing the writer (as my code doesnt do below) i WILL get a LockObtainFailedException with the message Lock obtain timed out: SimpleFSLock@<FULL_PATH> from either app or asp.net These thread hinted when spawning threads they get less permissions then i do (but! my main thread has problems as well...) and one solution is to impersonate IIS. I am using visual studios 2010. I am not sure how full blown it is but my attempt to impersonate it failed. So my question is how do i have lucene create the directory and not throw an exception if dont close the writer for some reason (such as power going out)? http://stackoverflow.com/questions/2341163/why-is-my-lucene-index-getting-locked/2499285#2499285 http://stackoverflow.com/questions/1123517/lucene-net-and-i-o-threading-issue/1123981#1123981 static IndexWriter writer = null; static void lucene_init() { bool create = false; //I now use a full path. I still get NoSuchDirectoryException //string dirname = "LuceneIndex_z"; if (System.IO.Directory.Exists(dirname) == false) create = true; var directory = FSDirectory.GetDirectory(dirname); var analyzer = new StandardAnalyzer(); writer = new IndexWriter(directory, analyzer, create); }

    Read the article

  • IIS 7.5 What am I doing wrong?

    - by chugh97
    In IIS 7.5 under Windows 7 Utilmate, I have an application which is configured for authentication as follows: Anonymous & Windows In the ASP.NET Website, I have turned Forms authentication and identity impersonate = true I also deny any anonymous users. <authentication mode="Forms"> </authentication> <identity impersonate="true"/> <authorization> <deny user="?"> </authorization> IIS complains. What am I doing wrong... What I want to achieve :I want the windows Logged On User so I can build a FormsAuthentication ticket and pass it to a Passive STS. So in IIS I have anonymous and windows...If have only windows ticked, I cannot go onto the Login.aspx page as I have an extra parameter to be passed from there. So now in webconfig, I then disable anonymous users by saying deny user="?" , so it leaves me with the authenticated windows user but using Forms Authentication.You know what I mean??

    Read the article

  • Accessing a file on a network drive

    - by Rekreativc
    Hello. Background: I have an application that has to read from files on a network drive (Z:) This works great in my office domain, however it does not work on site (in a different domain). As far as I can tell the domain users and network drives are set in the same way, however I do not have access to users etc in the customers domain. When I couldn't access the network drive I figured I needed a token for a user. This is how I impersionate the user: [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); ... const string userName = "Razvoj02"; const string pass = "Programer02"; const string domainName = null; const int LOGON32_PROVIDER_DEFAULT = 0; const int LOGON32_LOGON_INTERACTIVE = 2; IntPtr tokenHandle = new IntPtr(0); bool returnValue = LogonUser(userName, domainName, pass, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref tokenHandle); if (!returnValue) throw new Exception("Logon failed."); WindowsImpersonationContext impersonatedUser = null; try { WindowsIdentity wid = new WindowsIdentity(tokenHandle); impersonatedUser = wid.Impersonate(); } finally { if (impersonatedUser != null) impersonatedUser.Undo(); } Now here is the interesting/weird part. In my network the application can already access the network drive, and if I try to impersonate the active user (exactly the same user, including the same domain) it will not be able to access the network drive. This leaves me helpless since now I have no idea what works and what doesn't, and more to the point, will it work on site? What am I missing?

    Read the article

  • Overriding windows authentication for a .NET application

    - by JoshReedSchramm
    I have a .NET application where the homepage (default.aspx) should be accessible by anyone. There is also a reporting page (reporting.aspx) that I want to secure via windows authentication and only allow access to a particular set of AD groups. Right now the way my web.config is setup it is securing the reporting page but on the home page it prompts the user for login credentials. If they hit esc they can continue to the page though so it isnt actually securing it. I need to prevent it from prompting the user. How do i need to setup my config. Here is what i have now - <system.web> <authentication mode="Windows" /> <identity impersonate="true" /> <authorization> <allow roles="BUILTIN\Administrators, DomainName\Manager" /> <deny users="?" /> </authorization> ...MORE STUFF... </system.web> <location path="default.aspx"> <system.web> <identity impersonate="false" /> <authorization> <allow users="*"/> </authorization> </system.web> </location>

    Read the article

  • EF + UnitOfWork + SharePoint RunWithElevatedPrivileges

    - by Lorenzo
    In our SharePoint application we have used the UnitOfWork + Repository patterns together with Entity Framework. To avoid the usage of the passthrough authentication we have developed a piece of code that impersonate a single user before creating the ObjectContext instance in a similar way that is described in "Impersonating user with Entity Framework" on this site. The only difference between our code and the referred question is that, to do the impersonation, we are using RunWithElevatedPrivileges to impersonate the Application Pool identity as in the following sample. SPSecurity.RunWithElevatedPrivileges(delegate() { using (SPSite site = new SPSite(url)) { _context = new MyDataContext(ConfigSingleton.GetInstance().ConnectionString); } }); We have done this way because we expected that creating the ObjectContext after impersonation and, due to the fact that Repositories are receiving the impersonated ObjectContext would solve our requirement. Unfortunately it's not so easy. In fact we experienced that, even if the ObjectContext is created before and under impersonation circumstances, the real connection is made just before executing the query, and so does not use impersonation, which break our requirement. I have checked the ObjectContext class to see if there was any event through which we can inject the impersonation but unfortunately found nothing. Any help?

    Read the article

  • Setting directory security to allow user and deny all

    - by Rita
    I have winforms app, in which I need to access a secured directory. I'm using impersonation and create WindowsIdentity to access the folder. My problem is writing unit tests to test the directory security; I'd like to a write a code that creates a directory secured to only ONE user, which isn't the current user running the UT (or else the test would be worthless). I know how to add permissions to a certain user, but how can I deny the rest, including admins? (in case the user running the UT is an admin) (will this be a wise thing to do?) DirectoryInfo directoryInfo = new DirectoryInfo(path); DirectorySecurity directorySecurity = directoryInfo.GetAccessControl(); directorySecurity.AddAccessRule(new FileSystemAccessRule("Domain\SecuredUser", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); directorySecurity.RemoveAccessRule(new FileSystemAccessRule("??", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Deny)); directoryInfo.SetAccessControl(directorySecurity); This isn't working. I don't know who am I supposed to deny. Domain\Admins, Domain\Administrators, me... No one is being denied, and when I check folder's security - The SecuredUser has access to the folder, but the permissions are not checked, even though I specified FullControl. Basically I want to code this: <authorization> <allow users ="Domain\User" /> <deny users="*" /> </authorization> I was thinking about impersonating UT run with a weak user with no permissions, but this would result in: Impersonate - Run UT - Impersonate - Access folder, and I'm not sure if this is the right design. Help would be greatly appreciated, thank you.

    Read the article

  • Running an executable on network share with CustomAction with wix?

    - by martin
    Hello, i have created a msi-package which compresses some xml-files to a zip-file during installation. I have created a CustomAction for this purposes: <CustomAction Id="CompressMy" BinaryKey="zipEXE" ExeCommand="a -tzip &quot;[TEMPLATE_DIR]my.zip&quot; &quot;[TempSourceFolder]data.xml&quot;" Return="check" HideTarget="no" Impersonate="no" Execute="deferred" /> The installation works fine, if i try to install to a local drive, but recently a customer wanted to install [TEMPLATE_DIR] to a network drive on Windows Vista. The CustomAction fails, because of the elevated install-user hasn't mapped the network drive, even if the installer-calling user has mapped the drive. This happens also, if I try to install to an unc-path. I use 7zip for compressing. I have added it to my msi-package. I have tried to set Impersonate="yes", but then the Installations fails, if my TEMPLATE_DIR is f.e. the ProgramData-dir. Do you have any idea what i can do? I thinked about checking if TEMPLATE_DIR is a network path, but I didn't know how i can check this. Or do you have any other Ideas how I can provide a local and a network installation while using this custom action. Would be great if there are any advices, greetings, Martin

    Read the article

  • Integrated Windows authentication in IIS causing ADO.NET failure

    - by TrueWill
    We have a .NET 3.5 Web Service running under IIS. It must use identity impersonate="true" and Integrated Windows authentication in order to authenticate to third-party software. In addition, it connects to a SQL Server database using ADO.NET and SQL Server Authentication (specifying a fixed User ID and Password in the connection string). Everything worked fine until the database was moved to another SQL Server. Then the Web Service would throw the following exception: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) This error only occurs if identity impersonate is true in the Web.config. Again, the connection string hasn't changed and it specifies the user. I have tested the connection string and it works, both under the impersonated account and under the service account (and from both the remote machine and the server). What needs to be changed to get this to work with impersonation?

    Read the article

  • Windows XP long login (15 minutes +)

    - by Emily Pinkerton
    I'm having a lot of issues with our Windows XP SP3 machines (about 5, but every week another gets on the bandwagon of this issue). They take forever (15 minutes) to apply the user settings once our employee's enter their username and password to login to our domain. It only happens say if a user has reboot the machine and then when they go to log back in then it hangs forever. Reboot and restart are the key words for sure I've noticed with this issue. Here are things I have tested: •Made sure the DNS was set to point to our two servers (Server01 & Server02 are DNS Domain Controllers, 01 is primary and 02 backup). •No major changes have been applied to our network. •All profiles are local, so I have deleted out local profiles that aren't being used on those machines that run slow. •Also I have tried to enable and disable the Enable Fast Login under the local machines GP. It was not configured originally and when I tested both, it made the computer hang on "applying computer settings" for about 15 minutes. When it finally came up to the login screen the it was very quick to login to the domain. However this doesn't fix my issue, and even more frustrating upon setting it back to being not configured it now still takes for forever to apply computer settings. •I enabled the userenv log and here is what I see, but my experience is limited and I'm not sure how to read it exactly. (see below for log, this isn't the whole thing because it's really long) USERENV(2ec.2f0) 10:50:41:843 LoadUserProfile: LoadUserProfileP succeeded USERENV(2ec.2f0) 10:50:41:843 LoadUserProfile: Returning success. Final Information follows: USERENV(2ec.2f0) 10:50:41:843 lpProfileInfo-UserName = USERENV(2ec.2f0) 10:50:41:843 lpProfileInfo-lpProfilePath = < USERENV(2ec.2f0) 10:50:41:843 lpProfileInfo-dwFlags = 0x0 USERENV(2ec.2f0) 10:50:41:843 LoadUserProfile: Returning TRUE. hProfile = <0x818 USERENV(2ec.2f0) 10:50:41:984 IsSyncForegroundPolicyRefresh: Synchronous, Reason:NonCachedCredentials USERENV(2ec.248) 10:50:41:984 IsSyncForegroundPolicyRefresh: Synchronous, Reason:NonCachedCredentials USERENV(3c4.3dc) 10:51:26:166 LibMain: Process Name: C:\WINDOWS\system\wbem\wmiprvse.exe USERENV(2ec.5cc) 11:05:08:741 ProcessGPOs: network name is 192.168.49.0 USERENV(4a8.888) 11:05:08:804 GetProfileType: Profile already loaded. USERENV(4a8.888) 11:05:08:804 LoadProfileInfo: Failed to query central profile with error 2 USERENV(4a8.888) 11:05:08:804 GetProfileType: ProfileFlags is 0 Also this error is in the file quite a lot: USERENV(328.5bc) 11:05:29:733 GetUserDNSDomainName: Failed to impersonate user USERENV(328.834) 11:05:29:733 ImpersonateUser: Failed to impersonate user with 5. I'm really not sure what else to do with my limited experience, but I'm hoping someone can help me. I feel like I'm dealing with an issue way above my level and any knowledge I can gain out of getting this issue fixed would be amazing.

    Read the article

  • How-to make "ghost" of existing user in lab manager?

    - by clevi
    We have an automation process which undeploys specific configuration on LM every night. this process also deploy the configuration at morning. The problem is that this process works as admin so all this configs deployed by admin, which means sometimes they deployed on "reserved" resources pool. I want to try to impersonate a user on Lab Manager so the configuration will be deployed by the user owned this machine, and not by admin. does anyone has any idea how to do so?

    Read the article

< Previous Page | 1 2 3 4 5 6 7 8  | Next Page >