Have a two host AppFabric setup. Both hosts are Win2k8 standard and are running the 32 bit version of AppFabric. The entire system has a backing SQL server store that has the AppFabric database store. Connectivity is not an issue between the systems, verified independently.
When I start the cache-cluster I get this error:
(AppFabric Caching service crashed with exception {Microsoft.ApplicationServer.Caching.ConfigStoreException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON')
It appears that AppFabric is unable to impersonate the user it is running / configured with into SQL server. We have configured accounts for the domain user that will run AppFabric, also accounts for the machines. Any help is appreciated, we've been stuck on this for a while now.
This is probably checking things you've already been through but let's see if we can rule a few things out first.
Can you confirm that:
the domain account isn't locked out for some reason, has a non-expiring password etc
the AppFabric Caching service is configured (on both servers) in the Services Control Panel applet to run under the domain account you've created
the domain account has access to SQL Server and the AppFabric config database
Can you start either cache server individually?
Domain Account Configuration is not supported in V1.0. Only Network Service can be configured in V1.0.
Let me see if I have understood the problem correctly.
Configuration: AppFabric 1.0 installed with SQL server config store. All other default configurations.
Symptom: Service does not start on the machines due to sql server connection error.
If the above is correct, you can try the following:
Issue: The AppFabric Service runs as network service on the server mahcines for security reasons. When the service tries to access the sql server config store, it sees a permission issue.
Resolution: Give permission for the NT service / Machine$ account for all the server nodes on the sql server for the config store db.
Let us know if this solves the issue.
Related
I am not able to connect to Database through bolt in Neo4j browser when opening my domain on HTTPS. We are using Neo4j Enterprise version 4.4.4 and its deployed on AWS EC2. All the ports are opened in Security Group ( 7474, 7473, 7687, 22).
SSL has been applied through ACM and that is attached with Application Load Balancer.
Below is the error-
ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use.
Use "bolt+s://" or "neo4j+s://" for the connection
The '+s' variants of URI schemes for encrypted sessions with full certificates
Refer to the Neo4j Driver manual for more details on the connection URI.
I had the same issue after deploying to EC2 using an AWS image (not from neo4j) to install neo4j community edition.
In my case, the neo4j browser was initially using this "Connect URL": neo4j://127.0.0.1:7687, which the browser then automatically changed to bolt://127.0.0.1:7687. After that, I saw the same error message that you did.
If you experience that scenario, you need to change the 127.0.0.1 portion of the URL to the appropriate public IP address or public DNS hostname for your EC2 instance.
I have a postgresql database on the google cloud platform (cloud SQL). I'm currently managing this database through pgadmin, installed on my laptop. I've added the IP address of my laptop to the whitelist on the cloud sql settings page. This all works.
The problem is: when I go somewhere else and I connect to a different network, the IP address changes and I cannot connect to the postgresql database (through pgadmin) from my laptop.
Is there someone who knows a (secure) solution, involving a proxy server (or something else), to connect from my laptop (and only my laptop) to my postgresql database, even if I'm not on a whitelisted network (IP address)? Maybe I can set up a VM instance and install a proxy server and use this? But I have no clue where to start (or search for).
You have many options for connecting to a Cloud SQL instance from an external applications such a Public IP address with SSL, Public IP address without SSL, Cloud SQL proxy, etc. You can see all of them here.
Between all connection options there exists Cloud SQL Proxy, it basically provides secure access to your instances without the need for Authorized networks or configuring SSL on your part.
You only need to follow the steps listed here and you will be able to connect your Cloud SQL instance using the proxy.
Enable Cloud SQL Admin API on your console.
Install the proxy client on your local machine (Linux):
wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
chmod +x cloud_sql_proxy
Determine how you will authenticate the proxy. You can use use a service account or let Cloud SDK take care of the authentication.
However, if required by your authentication method, create a service account.
Determine how you will specify your instances for the proxy. Your options for instance specification depend on your operating system and environment
Start the proxy using either TCP sockets or Unix sockets.
Take note that as of this writing, Cloud SQL Proxy does not support Unix sockets on Windows.
Update your application to connect to Cloud SQL using the proxy.
Backstory(but possibly can be skipped): The other day, I finished connecting to MySQL full SSL from a Cloud Run service without really doing any SSL cert stuff which was great!!! Just click 'only allow SSL' in GCP and click 'generate server certs', allow my Cloud Run service to have access to database instance, swap out tcp socket factory with google's factory and set some props and it worked which was great!
PROBLEM:
NOW, I am trying to figure out the secure Google Cloud Run service to Cloud Run service security and reading
https://cloud.google.com/run/docs/authenticating/service-to-service
which has us requesting a token over HTTP??? Why is this not over HTTPS? Is communication from my Docker container to the token service actually encrypted?
Can I communicate HTTP to HTTP between two Cloud Run services and it will be encrypted?
thanks,
Dean
From https://cloud.google.com/compute/docs/storing-retrieving-metadata#is_metadata_information_secure:
When you make a request to get information from the metadata server, your request and the subsequent metadata response never leave the physical host that is running the virtual machine instance.
The traffic from your container to the metadata server at http://metadata/ stays entirely within your project and thus SSL is not required, there is no opportunity for it to be intercepted.
I'm trying to host my ServiceStack service in a console host.
I need the ability to launch my service without administrative privileges. But when I try to do this, I get an exception "Access is denied. An unhandled exception of type 'System.Net.HttpListenerException' occurred in ServiceStack.dll".
There's seems to be a solution for Web
API
but I haven’t found such for ServiceStack.
I tried to do this using
restrict
attributes
with no success.
I also tried solution from
here, but this command
requires user to have administrative privileges.
Is there any way to launch my ServiceStack self-hosted app without administrative privileges?
To get ServiceStack running without administrative privileges you need to ensure that:
The host protocol is http
The hostname you use can only be localhost
You use a port number higher than 1024
So for example these hosts can be created without administrative privileges:
http://localhost:8000
http://localhost:8080
http://localhost:1050 ... etc.
Hostnames using wildcards, domains other than localhost, ports lower than 1024 or https require admin rights, unless a rule has been granted using netsh on Windows, or httpcfg on mono platforms.
http://localhost:80
http://+:8080
http://*:8080
http://domain.com:8080
http://domain.com:80
https://localhost:8080
I have setup an appfabric(v1.1) cache server. The service is running under a service account and cluster configs are stored in SQL Server. the service account has rights on the sql server and able to configure successfully.
The admin console ,when opened with the service account user, is able to access cache.
But the problem is when i tried to connect to this caching service from a different machine, it is unable to connect.
ErrorCode<ERRCA0017>:SubStatus<ES0006>:There is a temporary failure. Please retry later
When i tried with xml configuration in a file share and service running in "NetWorkService" account, i was able to connect.
Following settings are verified on caching server.
Service is up and running on port 22233.
Firewall is turned off.
The client machine is granted permission to access cache cluster.
Running AppFabric cache as anything other than a “Network Service” is not supported.
Here’s the official documentation that hints at the limitation:
The Caching Service is installed to run under the Network Service
account. This means that for operations over the network, the Caching
Service uses the security credentials of the cache server's domain
computer account. The Caching Service uses the lower-privileged
Network Service account to help mitigate the damage that could be
caused by malicious attacks
But if you don’t find that convincing there’s this forum post from a MS person:
Velocity service running as Domain User is NOT supported.
If you think this is a horrible limitation… I agree with you.
AppFabric cache is a 100% WCF implementation. When I ran into this problem, I turned on WCF tracing and found the exception “The target principle name is incorrect”. AppFabric cache does not expose the ability to configure the principle.
In my testing with the cache running under a domain account, I found that if I called the cache across a domain boundary: It worked. If I called it from within the same domain it failed. My infrastructure guy said that the behavior made sense to him based on how credentials were presented in the different scenarios.
anyone else check out this:
http://blogs.msdn.com/b/appfabriccat/archive/2010/11/03/appfabric-cache-cache-servers-and-cache-clients-on-different-domains.aspx
caused me such a headache.
basically had to update my host file with the IP address and the actual servername of my AppFabric server.
and this resolved the error i was getting