I'm trying to perform a number of password operations on a user within ActiveDirectory from a C++/CLI library (which will in turn be called by another service) using the Kerberos password protocol as in RFC 3244.
I mocked up a sequence in C# (being my preferred language) using LogonUser to impersonate an admin then use the DirectoryServices.AccountManagement namespace to call SetPassword on the user's entry. SetPassword uses three approaches to attempt the change LDAPS, Kerberos and RPC. If I look at the Wireshark trace I can see the Kerberos handshake when the admin is impersonated, then LDAP attempt (which fails due to lack of SSL) then the kerberos password exchange.
Trying to replicate this is C++ LogonUser does not initiate a Kerberos exchange so when SetPassword is called the method falls through to RPC (which succeeds but does not meet our requirement of using Kerberos).
Is there an way I can force the use of Kerberos?
Is there a better solution to interact with the Kerberos password protocol from .net rather than relying on SetPassword?
Minimal code example:
C#
SafeTokenHandle handle;
LogonUser("serviceAccount", "Test", "aPassw0rd", 2, 0, out handle);
WindowsIdentity.Impersonate(handle.DangerousGetHandle());
DirectoryEntry usr = new DirectoryEntry();
usr.Path = "LDAP://"+"dctest.test.com/"+"CN=testuser,CN=Users,DC=test,DC=com";
usr.AuthenticationType = AuthenticationTypes.Sealing | AuthenticationTypes.Secure;
object ret = usr.Invoke("SetPassword", "aPassw0rd");
usr.CommitChanges();
usr.Close();
Console.WriteLine("Completed");
This approach successfully impersonates the service account then performs the setpassword using KPASSWD over 464.
C++/CLI
HANDLE _handle;
LogonUser(L"serviceAccount",L"Test",L"aPassw0rd",LOGON32_LOGON_INTERACTIVE,LOGON32_PROVIDER_DEFAULT,&_handle)
ImpersonateLoggedOnUser(_handle);
DirectoryEntry^ usr = gcnew DirectoryEntry();
usr->Path = "LDAP://"+"dctest.test.com/"+"CN=testuser,CN=Users,DC=test,DC=com";
usr->AuthenticationType = AuthenticationTypes::Sealing | AuthenticationTypes::Secure;
Object^ ret = usr->Invoke("SetPassword", "aPassw0rd");
usr->CommitChanges();
usr->Close();
Console::WriteLine("Completed");
This approach impersonates the admin account, then when set password is calls does a kerberos exchange (over 88 so i'm guessing this is auth) but then falls back to using RPC.
If I take the C# code and call it from a C++/CLI wrapper the behaviour changes to that displayed as when the code was in C++.
Finally managed to trace this the other day by running the output back through a reflector.
The project properties for C++/CLI class included setting the character set to unicode. With this set the output uses the LogonUserW method. However if this setting changed to "Not Set" then the LogonUser method is used and the Kerberos authentication path for setPassword behaves as normal.
Related
I have a desktop application in which I need to make a user authentication with oAuth2.0.
I looked at the Facebook example but it doesn't really correspond to what I have to do or I don't understand it well.
In fact, I create an O2 instance:
O2* o2Auth;
o2Auth = new o2Auth(this);
o2Auth->setClientId(CLIENT_ID);
o2Auth->setClientSecret(CLIENT_SECRET);
o2Auth->setRequestUrl(REQUEST_URL);
o2Auth->setTokenUrl(TOKEN_URL);
But I don't understand how to authenticate the user with the user name and password. Which function do I have to use to do that?
In Facebook example, there is:
if (argList.contains(OPT_OAUTH_CODE)) {
// Start OAuth
fbdemo_.doOAuth(O2::GrantFlowAuthorizationCode);
} else if (argList.contains(OPT_VALIDATE_TOKEN)) {
fbdemo_.validateToken();
}
where argList is the parameters given to the application but they are not the user name and password.
In the tweeter example, there is :
oxTwitter_->setUsername(username);
oxTwitter_->setPassword(password);
but I didn't find the equivalent in O2.
I think I have to use things like GET and POST functions in the OSRequestor class, but how to link a OSRequestor instance to my O2 instance?
So what do I need to send user name and password to do the authentication with O2?
I'm trying to understand if it's possible to create a web service that can send and answer to WhatsApp messages. I searched on the web and I found the WhatsAPI,
I guess this solution work fine, but with the actual version of WhatsApp it's not possible to get the nickname, the sender, the imei and the password.
To get them I set up a Linux PC in which I installed mitmproxy to sniff the web traffic of a Samsung Galaxy S4. By using mitmproxy I can see the web traffic generated by the phone, so I tried to register to WhatsApp (with an another SIM), but in mitmproxy I can't see the data I need for WhatsAPI.
Does anyone knows if it's possible to get the password by using another way?
If it exist can you suggest me a way? Do you think it's possible to do that or it's better to use Telegram or Wechat (they have public API)?
For Java, you can try WhatsUp
For Python, see YowsUp.
Beware that WhatsApp threatens legal action against many of these library developers and does not officially support using the service this way.
I have also spoken directly with WhatsApp representatives who have said no commercial API use of WhatsApp is acceptable.
Also note that bulk messaging is against the WhatsApp terms of service.
There used to be a PHP implementation at WhatsAPI, and another Java implementation, WhatsApi4J. Both are no longer available due to legal threats.
For .NET you use https://github.com/mgp25/Chat-API-NET
download installer for generate password https://github.com/mgp25/WART from this link
string nickname = "Nickname";
/* Your number in the format CCAANNNNNNNNN
* C - Country Code
* A - Area Code
* N - Phone number */
string sender = "***************"; //phone number
string password = "*****************"; // Obtain it with WART or Yowsup
WhatsApp wa = new WhatsApp(sender, password, nickname, true);
wa.OnConnectSuccess += () =>
{
Console.WriteLine("Connected");
wa.OnLoginSuccess += (phoneNumber, data) =>
{
Console.WriteLine("Connection success!");
wa.SendMessage("**************"/* Number */, "Hello World!");
Console.WriteLine("Message sent!");
};
wa.OnLoginFailed += (data) => {
Console.WriteLine("Login failed: {0}", data);
};
wa.Login();
};
wa.OnConnectFailed += (ex) =>
{
Console.WriteLine("Connect failed: {0}", ex.StackTrace);
};
wa.Connect();
Console.WriteLine("END");
Console.ReadLine();
wart app maybe works good for you.
WART
WhatsApp Registration Tool
Uses token generator created by Jake
Uses WhatsApiNet fork by me
Requires .NET Framework 4 or Mono Framework (mono-complete on Linux)
This tool is used to register new phonenumbers and can also be used to retrieve a new password for already registered numbers.
The registration identity is auto-generated by the program based on the phone number.
The optional (and highly recommended) password field is used as salt when generating the identity. This will generate a unique identity hash which cannot be replicated unless you know the password.
Leaving the password field blank will generate an identity hash of just the phone number, which can be easily replicated and is highly insecure.
If these answers were helpful to you, please consider saying thank you in a more constructive way
There are some similar questions for earlier versions of Jetty (pre 9) but none that address this specific problem :
Server server = new Server();
System.setProperty("com.sun.net.httpserver.HttpServerProvider",
JettyHttpServerProvider.class.getName());
JettyHttpServer jettyServer = new JettyHttpServer(server, true);
Endpoint endpoint = Endpoint.create(new SOAPService()); // this class to handle all ws requests
endpoint.publish(jettyServer.createContext("/service")); // access by path
server.start()
Simplified code example above to show the only way that I have found to bridge between Jetty and incoming soap requests to my jax-ws service. All settings are in code with no web.xml, this is part of a larger solution that has multiple contexts and connections for different purposes (servlets etc..)
I have tried to add a handler class to the jettyServer.createContext("/service",new handler()) to see if I can perform a header extraction to simulate basic auth but it never gets executed.
My problem is that i cannot find a way to specify, by code against the Jetty server, to use basic authentication. Using the setSecurityHandler method of a ServletContextHandler is easy and works great for other contexts, i just can't figure out how to use this concept for the jax-ws service.
Any help would be much appreciated.
p.s. SSL is already implemented, I just need to add http basic auth.
For anyone else that may of come across the same problem here is the answer that i stumbled on eventually.
final HttpContext httpContext = jettyServer.createContext("/service");
com.sun.net.httpserver.BasicAuthenticator a = new com.sun.net.httpserver.BasicAuthenticator("") {
public boolean checkCredentials (String username, String pw)
{
return username.equals("username") && pw.equals("password");
}
};
httpContext.setAuthenticator(a);
endpoint.publish(httpContext);//access by path
You can expand the checkCredentials for something a bit more sophisticated of course, but this shows the basic working method.
Goal:
Retrieve data from Dynamics CRM 2011 to my database from SQL server R2 by using webservice through integration services (SSIS). Webservice needed to be located inside of SSIS. Gonna use the data for data warehouse.
Problem:
How do I do it?
We only write to Dynamics so I can't address the specific method name but the general idea below should get you started.
Assumptions
Two variables have been defined in your package and they are passed to the script component as ReadOnlyVariables: CrmOrganizationName, CrmWebServiceUrl.
A script component has been added to the dataflow as a Source component. On the Inputs and Outputs tab, an appropriate number of columns have been added to Output 0 (or whatever you define your output collection as) with appropriate data types.
Inside the script, add a web reference to your CRM instance. This code assumes it's called CrmSdk.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;
using Microsoft.SqlServer.Dts.Pipeline.Wrapper;
using Microsoft.SqlServer.Dts.Runtime.Wrapper;
// web reference
using CrmSdk;
[Microsoft.SqlServer.Dts.Pipeline.SSISScriptComponentEntryPointAttribute]
public class ScriptMain : UserComponent
{
public override void CreateNewOutputRows()
{
// Get a reference to the CRM SDK
CrmSdk.CrmService CrmService = new CrmSdk.CrmService();
// An Authentication Token is required because CRM requires an OrganizationName
// to identify the Organization to be used
CrmSdk.CrmAuthenticationToken token = new CrmSdk.CrmAuthenticationToken();
token.AuthenticationType = 0;
token.OrganizationName = this.Variables.CrmOrganizationName;
CrmService.CrmAuthenticationTokenValue = token;
// Use default credentials
CrmService.Credentials = System.Net.CredentialCache.DefaultCredentials;
// Get the web service url from the config file
CrmService.Url = this.Variables.CrmWebServiceUrl;
//////////////////////////////////////////////////
// This code is approximate
// Use the appropriate service call to get retrieve
// data and then enumerate through it. For each
// row encountered, call the AddRow() method for
// your buffer and then populate fields. Be wary
// of NULLs
//////////////////////////////////////////////////
foreach (CrmSdk.entity person in CrmService.Get())
{
Output0Buffer.AddRow();
Output0Buffer.FirstName = person.FirstName;
Output0Buffer.LastName = person.LastName;
}
}
}
Caveats
There is no error handling, checks for nulls or anything elegant. The service should probably have been defined with the using statement, etc, etc, etc. It should provide an appropriate starting point for understanding how to consume a web service and load data into the pipeline.
The easiest solution for your requirement is to use a third-party library for SSIS. The commercial COZYROC SSIS+ library includes Dynamics CRM adapters, which support all deployment models: Premise, Live, Hosted, Federation, Office 365.
I'm trying to log my messages which are sent using a Metro stack into console.
Could not find any way.
Message logging to stdout (valid for METRO only!):
On the client
Java 5: Set system property
-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true
Java 6: Set system property
-Dcom.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.dump=true
On the server side
Set system property
-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true
Here everything is explained:
https://metro.java.net/2.0/guide/Logging.html
The following options enable logging of all communication to the console (technically, you only need one of these, but that depends on the libraries you use, so setting all four is safer option).
-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true
-Dcom.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.dump=true
-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true
-Dcom.sun.xml.internal.ws.transport.http.HttpAdapter.dump=true
Didn't mention the language but assuming Java, could you not just use something like Log4J e.g.
service = new Service();
port = service.getXxxPort();
result = port.doXxx(data);
Log.info("Result is " + result.getResult().toString());
where getResult is just a method on the return object.