WindowsIdentity object works on IIS Express (Visual Studio) but does not work on IIS (10) - web-services

BC users need to retrieve files from a non-cloud file store. There is a simple webservice on the storage computer that can provide the contents of the files. The WS gets a user name. Users exist as users on the computer/LAN where the files are stored, so the webservice is able to check whether the user has read permission on the file or not.
The WS cannot get a user password, so I cannot do any impersonation, but the webservice runs in a context with privileges able to read all these documents and can check permissions by user name.
I found a solution for how to check file permissions by user name. The solution works well in the development environment (IIS Express in Visual Studio) but fails on IIS (production environment). The problem seems to be the initialization of the WindowsIdentity object, where the process on IIS fails with the message: "A specified logon session does not exist. It may already have been terminated."
The constructor of the WindowsIdentity object probably calls some AD service, and some restriction in IIS rejects it.
Do you have any suggestions on what to set up in IIS or what to do to make permission checking work?
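An added example, not the asker's code, of the check the question describes: build a WindowsIdentity for a named user without a password (the S4U constructor) and test its SIDs against a file's ACL. It assumes a domain-joined host whose process account is permitted to perform S4U logons; the UPN and path are placeholders.

```powershell
# Added example, not the asker's code: check whether a named user may read a file
# using the S4U WindowsIdentity constructor the question describes (no password needed).
# Assumes a domain-joined host whose process account is permitted to perform S4U logons.
function Test-UserFileAccess {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. 'jdoe@corp.example' (placeholder)
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Read'
    )
    # Builds a token for the user without a password. This is the call that fails on the
    # asker's IIS host with "A specified logon session does not exist".
    $identity = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)

    # The SIDs an access check would consider: the user's own SID plus every group SID.
    $sidValues = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allowed = [System.Security.AccessControl.FileSystemRights] 0
    foreach ($ace in $rules) {
        if ($sidValues -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.AccessControlType -eq 'Deny') {
            # Simplification: a matching deny ACE is treated as final for any right it
            # overlaps. This matches canonical ACL ordering except where an explicit
            # allow precedes an inherited deny.
            if (($ace.FileSystemRights -band $Rights) -ne 0) { return $false }
        } else {
            $allowed = $allowed -bor $ace.FileSystemRights
        }
    }
    return (($allowed -band $Rights) -eq $Rights)
}

# Usage (placeholder values):
# Test-UserFileAccess -UserPrincipalName 'jdoe@corp.example' -Path 'D:\share\report.pdf'
```

The function returns `$true` only when every requested right is granted to one of the user's SIDs and no applicable deny ACE overlaps the request.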

Related

Djangae Gauth integration

I'm following the "Gauth authentication" portion of Djangae's documentation but I'm running into some unexpected behavior.
I've configured urls.py and settings.py as specified by the documentation (the current settings are mostly a result of using the Djangae Scaffold) but at no point are users prompted to authenticate using or link their Google account. I've tried un/setting DJANGAE_CREATE_UNKNOWN_USER but this has no impact.
I've also tried running commands inspired by sitepackages/prod/djangae/contrib/gauth/tests.py in my local shell in order to verify that the back-end configuration is correctly configured and that users can actually be authenticated against AppEngineUserAPIBackend but that fails because my User model (djangae.contrib.gauth_datastore.models.GaeDatastoreUser) seems to be missing required attributes: AttributeError: 'GaeDatastoreUser' object has no attribute 'user_id'.
So, am I misunderstanding how this is all supposed to work and must take some additional steps to get Google Sign-In working? Or have I (likely) misconfigured my application? (I'm happy to include genericized versions of my config, but as I said, they've come directly from Djangae Scaffold or the documentation.)
UPDATE: Interestingly, if I remove the --headless flag from my Behavior suite config, I see the expected behavior. The browser (Chrome) is being redirected to https://accounts.google.com/Login?continue=http%3A%2F%2Flocalhost%3A8080%2F
Environment:
Djangae (0.9.11)
Django (1.11.19)
It turns out that this is the expected behavior. In the local sandbox, users are prompted for an email address and (by default) a "user" is created for them and they are automatically logged in.
From App Engine's "Users Python API Overview" document:
Google accounts and the development server
The development server simulates the Google Accounts system using a
dummy sign-in screen. When your application calls the Users API to get
the URL for the sign-in screen, the API returns a special development
server URL that prompts for an email address, but no password. You can
type any email address into this prompt, and the app will behave as if
you are signed in with an account with that address.
The dummy sign-in screen also includes a checkbox that indicates
whether the dummy account is an administrator; that is, whether the
account has the Viewer, Editor, or Owner primitive role, or the
App Engine App Admin predefined role. If you check this box, the app
will behave as if you are signed in using an administrator account.
Similarly, the Users API returns a sign-out URL that cancels the dummy
sign-in.
The unique ID for a User object in the development server is
calculated from the email address. Two unique email addresses always
represent two unique users in the development server.
Personally, I think this design is very flawed. I don't know what Google thinks about the Twelve Factor manifesto, but this behavior is a flagrant violation of article 10 (Dev/Prod Parity), which is summarized as "Keep development, staging, and production as similar as possible". I see no reason why the full auth/redirect flow wouldn't work in the local sandbox and, at the very least, users should be able to opt into it. (I would love to find out that this is an option.)
The most concerning part about this conditional behavior is that the user object's API is different, which is why I was seeing the error mentioned in my question ('GaeDatastoreUser' object has no attribute 'user_id'). The local user also has no nickname method.

IIS AppPool user permissions not working

I'm moving a PHP app from IIS7 to IIS8.5 on Win2012 R2. The app runs in its own application pool (MyPortal) and needs write permission on a sub-folder to create PDFs. So I assign Modify or Full Control permissions to IIS AppPool\MyPortal on the local machine, however the app is still unable to write to the folder. The only way I have found to allow it to do so is by giving Modify access to the local USERS group, which I'd rather not do (although I have no choice ATM).
The php-cgi.exe process is running under the MyPortal identity, but somehow isn't picking up the permissions I have assigned to the MyPortal user on the folder. The PHP process is doing a simple fopen command $file = fopen($tmp_filename,"w");.
I saw this similar post https://serverfault.com/questions/570033/iis-iusrs-and-defaultapppool-permissions-do-not-work which suggested it may be a permissions caching issue, solved by a reboot, but that's not worked in this instance.
Any suggestions as to what's wrong?
You've got it @Jan Reinlink. Anonymous Authentication needed to be set to 'Application identity pool'. I had assumed that because the PHP process was running as MyPortal it was using the same permissions.
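As an added example (not from the thread), the fix the thread arrives at, scripted: inspect which identity the worker process and the anonymous user really use, scope the write permission to the single PDF folder, and switch anonymous authentication to the application pool identity. The site name and folder path are placeholders; the pool name comes from the post.

```powershell
# Added example, not from the thread. Requires the WebAdministration module (IIS 7+).
Import-Module WebAdministration

$site      = 'MyPortal'                          # assumed: site named like the pool
$pool      = 'MyPortal'                          # application pool from the post
$pdfFolder = 'C:\inetpub\wwwroot\MyPortal\pdf'   # placeholder output folder

# 1. Confirm which identities are actually in play. An empty anonymous userName means
#    "Application pool identity"; 'IUSR' means the default anonymous account, which is
#    why ACLs granted to IIS AppPool\MyPortal alone did not take effect.
$poolIdentityType = (Get-ItemProperty "IIS:\AppPools\$pool").processModel.identityType
$anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name userName
"Pool identity type: $poolIdentityType; anonymous user: '$($anon.Value)'"

# 2. Grant Modify on the one folder only, not to the local Users group and not site-wide.
icacls $pdfFolder /grant "IIS AppPool\${pool}:(OI)(CI)M"

# 3. Make anonymous requests run as the application pool identity.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''
```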

what is the proper way to change a users password in TFS 2013

I don't see a way through the website administration pages. If I am wrong, please correct me. Most of the searches I found, including ones on this site, said that TFS doesn't have anything built in to change the password.
I have users set up in their own group in Windows and those users have access to certain projects.
A user forgot his password so I was trying to reset it for him. I didn't find anything on the TFS administration webpages and the only place I know to change it is his user in Windows.
When I right click on the user and click change password, I get this message:
If I do it this way, will it update the TFS info? Is this the proper way to change the user's password in TFS 2013?
TFS doesn't have anything built in to change the password.
Correct. Per the TFS Authentication and Access page, there are no authentication options 'local' to TFS itself. A standard implementation of Basic authentication uses Windows user accounts, so changing their Windows user credentials will work correctly in TFS.
This does not "update" TFS; TFS simply queries the respective authority in workgroup/domain environments, and authentication will be successful as long as the user's Windows credentials are entered correctly.

Running ColdFusion as a specific user

On this page, it talks about Windows NT, 2000, XP and 2003. Fortunately, I have a Windows 7 machine.
The very first line says:
In User Manager for Domains, create a local user for the ColdFusion
service to log in as.
I don't see a "User Manager for Domains", so do they mean just "Add a new user"?
If it DOES mean that, can I use my own user account as the ColdFusion user, or should I specifically create a new account just for ColdFusion?
If you are creating a domain account it has to be created ON the domain - using user manager for domains connected to your domain controllers. If that's what you need then a sys admin has to help.
If you are doing a "local" user on a windows 7 I always end up hunting around for the right view of user manager before I get it right :) Here are the steps that I use:
Search from start and open the "user accounts" cpl.
Click on "Manage User Accounts"
Click on the "advanced" tab
Click on the "advanced" button.
This takes me to the mmc-like view of users that I'm accustomed to where I can add a user, change membership, set passwords etc.
Hope this helps :)
You can use your own username or you can create one for CF to run as. Creating a user to run CF as probably more closely replicates your production environment (an assumption), so if production for example writes to a UNC path, the ColdFusion user must have access. You could mimic this locally.
You can use either an account local to the OS where ColdFusion is running, or a domain account if the OS is joined to a domain. In your case, you can just create a local user on your Windows 7 OS and run the ColdFusion Application Service as that user. The user account will need access to ColdFusion's installation folder, as well as read access to the webroot.
The whole idea is to run the ColdFusion service as a user with the minimum privileges necessary to handle requests and prevent access to other resources in the event of a data breach or remote code execution (e.g. someone exploits an upload form and manages to get their own CF code to run on your server; it's not pretty but can be somewhat restricted by running the CF service under a user account with restricted access).
As someone else mentioned, if CF needs access to other network resources, the user account will need to be granted access to those resources as well (either by using a domain account or having a local account with the same username and password on the remote system).
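The preceding answers' advice (a dedicated local account, read access to the install folder and webroot, the service running as that account), scripted as an added example that is not the thread's own instructions. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (so not the asker's Windows 7); the account, service and path names are placeholders.

```powershell
# Added example, not the thread's instructions. Account, service and paths are placeholders.
$account = 'cfservice'
$service = 'ColdFusion 10 Application Server'   # verify the short name with Get-Service
$cfRoot  = 'C:\ColdFusion10'
$webRoot = 'C:\inetpub\wwwroot'

# 1. A dedicated standard user: not an administrator and not your own account.
$password = Read-Host -AsSecureString -Prompt "Password for $account"
New-LocalUser -Name $account -Password $password -PasswordNeverExpires `
              -Description 'ColdFusion service account' | Out-Null

# 2. Read/execute where CF is installed and serves from; write only where it must
#    (the writable subfolders below are placeholders for your install's log/cache dirs).
icacls $cfRoot  /grant "${account}:(OI)(CI)RX"
icacls $webRoot /grant "${account}:(OI)(CI)RX"
foreach ($dir in 'cfusion\logs', 'cfusion\tmpCache') {
    icacls (Join-Path $cfRoot $dir) /grant "${account}:(OI)(CI)M"
}

# 3. Run the service as the new account. Unlike the Services MMC, this call does not grant
#    "Log on as a service" (SeServiceLogonRight); add that via secpol.msc or secedit first.
$plain  = [System.Net.NetworkCredential]::new('', $password).Password
$result = Get-CimInstance Win32_Service -Filter "Name='$service'" |
          Invoke-CimMethod -MethodName Change `
              -Arguments @{ StartName = ".\$account"; StartPassword = $plain }
if ($result.ReturnValue -ne 0) { throw "Service change failed with code $($result.ReturnValue)" }
Restart-Service -Name $service
```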
Just did this on Windows 2008 R2 with CF 10. The trick was to change the ownership of the c:\windows and c:\windows\system32 directories as outlined here (change ownership from TrustedInstaller).

Open default browser as standard user (C++)

I'm currently using ShellExecute "open" to open a URL in the user's browser, but running into a bit of trouble in Win7 and Vista because the program runs elevated as a service.
When ShellExecute opens the browser, it seems to read the "Local Admin" profile instead of the user's. So for example, if the user at the keyboard has Firefox as his default browser, it may open IE (which is the admin's default).
I know that the "runas" verb can be used to elevate, but how do you do it the other way around? Is there a way to open a URL in the default browser on a standard user's desktop from a service?
ShellExecute will execute the program in the context of the same session and same user as the process you are running.
If you'd like to use a different session or user token you can use the CreateProcessAsUser Win32 API.
There are several ways to obtain a user token, for example you can call the Win32 API:
LogonUser if you know the username and password
WTSQueryUserToken for any given session ID.
OpenProcessToken if you have another process handle
After a while of testing, the best way to determine the default browser is the following:
NOTE: It is strange but it's true...
It does not matter that an application is the default application for
some file type or web protocol like 'http'. What matters in determining the default
web browser is just what is registered in the start menu entry (see reg key below).
So forget all the HKCR\http, HKCU\Software\Classes\http, HKLM\Software\Classes\http and their friends.
read from "HKEY_CURRENT_USER\Software\Clients\StartMenuInternet"
read command line from "HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\\shell\open\command"
truncate the command line after ".exe"
Of course you need to impersonate as the logged on user first.
If this solution does not work (like with w2k), use the handler for the http protocol.
To actually start the default browser from a service we use an extra process, which is started from within the service using the logged-on user's context. This process starts the above command line (using ShellExecute on platforms >= Vista). Be sure to use the same integrity level (medium) as a default user (else IE won't work because it uses DDE).
HTH.
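The registry lookup the answer describes, written out as an added example that is not the answerer's code: read the per-user StartMenuInternet selection (falling back to the machine default), read that client's open command from HKLM, and cut the command line after ".exe". It must run in the interactive user's context for the HKCU read to be meaningful; it does not consult the Windows 8+ per-user choice under HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice.

```powershell
# Added example, not the answerer's code: resolve the default browser executable from the
# StartMenuInternet registration, as the answer describes. Run as the logged-on user.
function Get-DefaultBrowserPath {
    $hkcu = 'HKCU:\Software\Clients\StartMenuInternet'
    $hklm = 'HKLM:\Software\Clients\StartMenuInternet'

    # The per-user selection is the (default) value of the HKCU key (e.g. FIREFOX.EXE);
    # fall back to the machine-wide default when the user never chose a browser.
    $client = $null
    if (Test-Path $hkcu) { $client = (Get-ItemProperty -Path $hkcu).'(default)' }
    if (-not $client)    { $client = (Get-ItemProperty -Path $hklm).'(default)' }
    if (-not $client)    { return $null }

    $commandKey = Join-Path $hklm "$client\shell\open\command"
    if (-not (Test-Path $commandKey)) { return $null }
    $command = (Get-ItemProperty -Path $commandKey).'(default)'
    return Resolve-ExePath -CommandLine $command
}

function Resolve-ExePath {
    param([string] $CommandLine)
    # Truncate after ".exe" and drop the surrounding quotes, so that
    #   "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1"
    # becomes C:\Program Files\Mozilla Firefox\firefox.exe. Unquoted paths work too.
    if ($CommandLine -match '^\s*"?(?<exe>[^"]*?\.exe)') { return $Matches['exe'] }
    return $null
}

# Usage:
# Get-DefaultBrowserPath
# Resolve-ExePath -CommandLine '"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1"'
```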
Aaron Margosis has a seven-step native code example at http://blogs.msdn.com/aaron_margosis/archive/2009/06/06/faq-how-do-i-start-a-program-as-the-desktop-user-from-an-elevated-app.aspx. Won't help you from your service if that is what you have - I agree your service shouldn't be trying to launch an app as the logged in user, especially since there might not be one.