Using smartcard credentials, obtained by a webpage - web-services

I have two servers on a Windows domain that include an active directory that is correctly configured to allow users to login using smartcard credentials. Currently, I can login to server1 and run remote PowerShell commands on server2 using smartcard credentials through WinRM, without any problem.
I would like to build some sort of web service (preferably on node.js) on server1, so that it presents a user with a webpage that prompts for smartcard credentials. Using these credentials, server1 would be able to run remote PowerShell commands on server2.
Is this possible? I saw some references to pcsclite on other posts. Is this all I need? If so, could someone provide a code snip-it of something that could accomplish this?
Maybe a simpler question that could help me get started, would be how could I even use these credentials to connect to a file share on server2 and download a file?
Thanks!

Look int using WAP in IIS to set up a gateway and use Active Directory Client certificate mapping

Related

authenticate ftp users from sql database in c++

i have a messaging app written in c++ (qt) and now i want to add a library to move heavy media via ftp to a ftp server and give the link to other user to download it.
the problem is there are to many users to create separate ftp accounts for all of them manually and using one account for all of them isn't safe.i want to limit every users access to their own subdirectory and delete that dir and ftp account if the users deletes account.
i think the following approaches makes sense:
1)in ftp server check login credentials submitted with ftp.login(user,password) in server with existing users in a sql database (users are added to database with signup and deleted with delete account)
2)adding a proxy server to check authorization to access ftp server and then give access to ftp server subdirectory
3)manually writing a ftp daemon for server with c++ or qt library and listen to a port
4)if there is a way to automatically add ftp user to ftp server when signing up
if there is another way i'd appreciate the help and if you have an idea how to implement one of the above please explain in detail
i tried to find a module in C++ to help build ftp server app but couldn't find any.
i found a way.pureFTPD is a ftp daemon that lets u use a sql database to validate ftp users and limit their access.

Google OAuth running on remote server and authenticating locally

I'm using Python to interact with Google Sheet API using a library called gspread_pandas.
The flow to let this python script to authenticate on google is basically:
Create a project on GCP;
Create an OAuth2 token (the application type is "web app" , but in doubt if should be
"desktop app");
Expose the token on local environment and run the python script;
The Python Script will ask to access a link like below:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=foo.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8182%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fspreadsheets&state=acbdef&access_type=offline
And if I succeed on login, it runs the script smoothly (the data from sheets are retrieved by the python script).
Link to the description of authentication process.
It runs fine if I'm running it locally on my machine, when I setup this workflow on EC2,
when I run the python script on the EC2 terminal, it asks me to access an external link (accounts.google...) and when I click on it, I open the browser on my local machine, I insert my google credentials and at the end of the process it throws:
This site can’t be reachedlocalhost refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
The terminal on EC2 keeps stuck waiting for the login process to end but it already failed on my local browser (on my machine).
My suspicion is that when I log on google using my local browser, it can't get back to the EC2 and finish the authentication process.
The type of this OAuth token is "Web Application" and the URI redirect I set https://<public-ip>.sslip.io/8182 (so I can use the aws public ip on gcp, for testing only).
I wonder how to use Google OAuth on a remove server and login to google account on my local browser. I'm trying this method because the library docs says its possible:
you will have to authenticate through a text based OAuth prompt; this makes it possible to run on a headless server through ssh or through a Jupyter notebook
Link to citation
I tried to use service-account but my company does not allow this kind of auth.

Gmail API authentication redirect not working on AWS EC2

I'm trying to run a python script that interacts with the GMail Api on AWS EC2. Said script SHOULD either process the authenticated inbox or ask for authentication if the token doesn't exist. This authentication normally takes the form of opening up a browser window. This works on localhost but doesn't work on my EC2 instance.
I've tried running a webserver using Flask (accessible through its public IP) and having the call to the script be the result of clicking a button. When I do this, I get other interactivity from the Flask script and the authentication URL prints out on the CLI, but I'm not redirected.
I've tried just running the script from the CLI, but that obviously doesn't work. That last one might've just been desperation and/or wishful thinking.
EDIT: Info - The URL seems auto-generated so I don't know it ahead of time.

How CreateProcessAsUser on Windows Using Delegated Credentials from SSPI?

I work on a Kerberos logon infrastructure (Single Sign-On) with:
A client which is authenticated to the Kerberos Key Distribution
Center.
A principal service server using Kerberos as authentication.
Server Program is coded in C++.
I have no problem to create a context between my principal (client) and my service principal (server).
I also delegated my client credentials to the server, because I need to create a process on the server using client user credentials.
And this is my problem, on the server side, I have a SSPI context and I need to CreateProcessAsUser using a Windows type pHandle.
I do not know how to use my SSPI credentials to create on my server a process as the client user.
I take a look at LsaLogonUser, which seems to do what I want (create a handle from kerberos user credentials) but my problem is the same, I do not know how to use the SSPI Token with this LsaLogonUser.
Thanks in Advance, for your help
Though it is very late but you could obtain a token by doing following:
HANDLE tempHandle;
if (!QuerySecurityContextToken(hctxt, &tempHandle))
{
MyDbg("Could not obtain token for user");
}
I just posted a question regarding something related to what you are doing. I am using a session 0 Windows service to launch an application into session 1. The code I used (and asked about) is included in that post, and works well except that paths normally available to a user in session 1 are not accessible when launced this way. In any case, Even though I have some questions about this code, I hope it can start you on the right path.
Ryyker
I finally found a solution to my problem.
The best way to do it is to:
write delegated credentials in a temporary file.
set KRB5CCNAME environment variable to the path of this file.
It Works ;)

Using DefaultCredentials and DefaultNetworkCredentials

We're having a hard time figuring how these credentials objects work. In fact, they may not work how we expected them to work. Here's an explanation of the current issue.
We got 2 servers that needs to talk with each other through webservices. The first one (let's call it Server01) has a Windows Service running as the NetworkService account. The other one Server02 has ReportingServices running with IIS 6.0. The Windows Service on Server01 is trying to use the Server02 ReportingServices WebService to generate reports and send them by email.
So, here's what we tried so far.
Setting the credentials at runtime (This works perfectly fine):
rs.Credentials = new NetworkCredentials("user", "pass", "domain");
Now, if we could use a generic user all would be fine, however... we are not allowed to. So, we are trying to use the DefaultCredetials or DefaultNetworkCredentials and pass it to the RS Webservice:
rs.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials
Or:
rs.Credentials = System.Net.CredentialCache.DefaultCredentials
Either way won't work. We're always getting 401 Unauthrorized from IIS. Now, what we know is that if we want to give access to a resource logged as NetworkService, we need to grant it to DOMAIN\MachineName$ (http://msdn.microsoft.com/en-us/library/ms998320.aspx):
Granting Access to a Remote SQL Server
If you are accessing a database on another server in the same domain (or in a trusted domain), the Network Service account's network credentials are used to authenticate to the database. The Network Service account's credentials are of the form DomainName\AspNetServer$, where DomainName is the domain of the ASP.NET server and AspNetServer is your Web server name.
For example, if your ASP.NET application runs on a server named SVR1 in the domain CONTOSO, the SQL Server sees a database access request from CONTOSO\SVR1$.
We assumed that granting access the same way with IIS would work. However, it does not. Or at least, something is not set properly for it to authenticate correctly.
So, here are some questions:
We've read about "Impersonating Users" somewhere, do we need to set this somewhere in the Windows Service ?
Is it possible to grant access to the NetworkService built-in account to a remote IIS server ?
Thanks for reading!
All details you need are included in this very old article
In short, when you find it confusing to troubleshoot issues like this, you should first review the technical details behind ASP.NET impersonation carefully.
Here are some things you could check out:
- set an SPN (Service Principal Name) for the reporting service; you can find good examples in google;
- Allow delegation (ClientCredentials.Windows.AllowImpersonationLevel)
Is the problem that you're failing to authenticate to IIS, or failing to authenticate to SSRS? The DOMAIN\MachineName$ account may need to be granted permission in SSRS to run the report you're trying to automate.
SSRS usually does a pretty good job of getting IIS configured correctly, so you shouldn't need to mess with those settings. I double-checked my installation (which is SSRS 2005, things may have worked differently in SSRS 2000 and you didn't say which version you're running), and it's set to use Windows authentication and has impersonation enabled. That means IIS should basically just be authenticating your credentials (validating a correct username/password), not authorizing (determining whether that user has permission to run the report in question). IIS then passes the credentials on to SSRS, which has its own settings for determining what accounts have permission to view reports.
Also, you can automate sending reports on a scheduled basis directly in SSRS, so you may not need the Windows service at all if your scheduling is fairly basic (i.e., daily, weekly, etc.).