Check if the AD domain controller is accessible from a macOS machine - objective-c

There is a piece of software which changes its behavior based on the accessibility of the Active Directory domain controller (for domain-joined machines). For example, if a machine is inside a LAN and the domain controller is accessible, all features are available. If the machine goes outside of the LAN, some features of the software are disabled.
It works well on Windows using the standard Win32 API but I cannot find a way to implement it for macOS so far. I could not find any API. I tried some command line tools. For example,
dscl "/Active Directory/<DOMAIN NAME>" read / dsAttrTypeNative:DomainName
odutil show nodenames
Even if I disconnect the macOS machine from the AD LAN, they still show the information for about 30 minutes, like the domain controller is still accessible.
I cannot delete the whole Open Directory AD cache to make the tools refresh the information, because the cache is used by the system and the other applications. I do not want to change the behavior of the whole system. I cannot kill (restart) services for that because I need to do it quite often (every 2-5 minutes).
I know I can use ldapsearch (or an LDAP C++ library) to check the accessibility of an AD domain controller, but my software does not have any idea about the domain controller configuration. It does not have any credentials to request the information. Also, in the case of the Windows API, Kerberos is used by default; in the case of ldapsearch it has to be configured.
So, is there any macOS API (Objective-C, C++) or any system command-line tool which I can use without additional configuration to check if the AD domain controller is accessible?

Related

Encountering Kerberos and/or NTLM authentication failures in custom application packages written using the WISE packaging Installer

We are encountering Kerberos and/or NTLM authentication failures in custom application packages originally designed for Windows 7 using the WISE packaging Installer. On Windows 7 they work fine, but they now fail on Windows 10. They fail both during installations on Windows 10 using the Microsoft SCCM tool, and they fail specifically when using Kerberos authentication to an SMB share on the network during the installation process. We can see inside the network trace that the client application fails over to NTLM from Kerberos during the authentication transaction. We are unsure why. We have a large-scale Active Directory environment. Because the WISE package is compiled we cannot look into it. On successful Windows 7 machines, it appears the computer requires access to the share while the package is being executed, and the logged-in user must have read and execute access on the SMB share. We are able to access the same SMB share using the Windows 7 system account but not when using the Windows 10 system account. Very odd! Is this a code issue inside the package? This may be important: the SMB share is using a DNS alias, not sure if this makes any difference. The real name of the host is different. When using the real name of the host instead of the alias, the access issue appears to be resolved.
The network share wouldn't happen to be hosted by a non-Windows server by any chance, would it? If so, see if this article applies:
SMB file server share access is unsuccessful through DNS CNAME alias
Basically there was a change in the security model of Windows 10. Windows 10 by default won't request a Kerberos ticket for a DNS alias, but Windows 7 will. The SMB server is basically saying since you're not using my actual name (as shown by the service ticket), I won't allow the connection. Create a new SPN using the name that the successful Windows 7 machines are connecting with, but in SPN form. For example, if a Windows 7 is using something like this:
\\servername.domain.com\sharename
...then find the name of the AD computer object representing the host and add a secondary SPN to that AD object like so:
HOST/servername.domain.com
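The check that goes with the answer above, written as an added example (not the answerer's code): it follows the share's DNS alias to the real host, reads the SPNs on that host's computer object, and prints the setspn command when the HOST/alias SPN is missing. It assumes the RSAT ActiveDirectory module is installed and uses placeholder names.

```powershell
# Added example: verify that the DNS alias clients use for an SMB share is
# backed by an SPN on the real host's computer object (see answer above).
# Assumptions: RSAT ActiveDirectory module present; names are placeholders.
Import-Module ActiveDirectory

$Alias = 'servername.domain.com'   # the CNAME clients connect with (placeholder)

# Follow the CNAME to the real host. A CNAME is exactly the case in which
# Windows 10 no longer requests a Kerberos ticket, so the client falls back to NTLM.
$records  = Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction Stop
$RealHost = ($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
if (-not $RealHost) { throw "$Alias is not a CNAME; no alias SPN is needed" }
$SamName  = $RealHost.Split('.')[0]

# Read the SPNs already registered on the host's computer object.
$computer = Get-ADComputer -Identity $SamName -Properties servicePrincipalName
$wanted   = "HOST/$Alias"

if ($computer.servicePrincipalName -contains $wanted) {
    "OK: $wanted is registered on $($computer.DistinguishedName)"
} else {
    "MISSING: $wanted is not registered on $SamName"
    # setspn -S checks for a duplicate SPN before adding; a duplicate would
    # break Kerberos for both accounts that claim it.
    "Fix (run as a domain admin): setspn -S $wanted $SamName"
}
```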

Which Google OAuth Flow is good for web application not reachable from the internet?

I wrote a small application which needs access to the Google API with OAuth2 and which is typically run on, say, a Raspberry Pi to reduce power consumption, since it needs to run pretty much 24/7. The device my application runs on is typically connected to a LAN at home.
The user controls the application using a web interface from a PC/tablet/... in the same network. However, the web application is reachable from the LAN only; it cannot (and should not, for security reasons) be accessed over the Internet, because it hides behind a NAT and/or a firewall.
The documentation states that I have the following options:
Web server applications
This forces me to use a redirect URL which must be known in advance. Since my app is most likely accessed by a dynamic private IP address, there is no way I know the URL in advance.
Installed applications
Yes, that would work. I just need people to copy and paste the returned code into a web form of mine. However that is somewhat uncool.
Client-side (JavaScript) applications
This does not give me a refresh token which I totally need.
Applications on limited-input devices
Polling? Well... If it works... However, it requires the user to match a code shown on the device with a code displayed in the web browser. If I use that, I can just as well ask the user to copy & paste the code returned by the installed-app mode.
As far as I can see, copy & pasting the code with the installed-app flow is my best chance. Is it really? Or is there a possibility to get along without that bit?

Share settings between related Windows Store Apps

We are currently planning to develop a suite of Windows Store Apps. They are independent and fully work alone, but they are related and act in concert. If a user has several of them, they should share some of their settings (and data), so that the user does not have to manually change these settings in every single one of them.
Is such a scenario even intended?
And how to implement it?
Registry: Does not work. Apps cannot access the registry.
ApplicationData (LocalFolder, LocalSettings etc.): Does not work. Apps cannot access the data of other apps.
Cloud services: Kind of works, but only when the machine is online. Our apps should work offline, too. And we would need to create/rent such a cloud service, which would cause additional costs.
KnownFolder.DocumentsLibrary: This –currently– looks like the only solution to me. The apps are already saving and sharing data there, so let's just save our settings there, too. But the name of the shared folder is one of the settings! And Windows Store Apps cannot create hidden files, so the user can see the settings file. This makes this solution a bit... "rough".
Any other ideas or additional information I have missed?
If you want them to sync with each other instantly, even when the device is offline, then that's your only option. Windows 8 Apps are not intended to share settings.
So much want of sharing.
Roaming API will only share with the SAME app, the SAME user, ANY W8 device.
SkyDrive will only share across ANY app, the SAME user, ANY device.
Using Azure (or any web service) will share across ANY app, ANY user, ANY device.
Don't do this
Don't use the registry, the API is not supported
Don't use the file system, the boundaries cause your app to be brittle
Don't use ApplicationData.AnyFolder, this is restricted to a single app GUID
You might as well get "instant" out of your language, man. That just doesn't happen. But you can have fast (let's call it near instant); you can use Sockets or SignalR to connect your client to some service out there with nearly instant responses. A less sophisticated approach would be to poll from your client, too. It has served developers for decades.

Online product demo environment for Windows applications

I'm looking for a way to allow potential customers to try my application before they buy it.
The product is a Windows Forms application that requires a SQL Server database to operate.
Although I have a functional demo that the customer can install on their network, I want to make it easier for them by having them "play" with it in my environment.
I remember Microsoft had (has?) something similar. I was testing Visual Studio a few years ago in a virtual environment where I was connecting to a server at Microsoft.
They set up the environment this way so that when a user logs off after using it, his actions are rolled back. Or, to explain it better: when a user logs in, he starts with a new, clean environment.
So any projects I've created testing Visual Studio were lost after I logged off.
Any suggestions?
Thanks.
Some solutions that come to mind:
Provide remote access
You could provide access to a running instance of your application via some sort of remote connection protocol, e.g. via RDP or via VNC.
For example, there is a Java VNC client which can run as a Java applet; you could put that on a webpage and have it connect to a VNC session you host on your servers.
Or use Windows Terminal Server, and allow connection via RDP.
Both solutions of course have the drawback that people need to open the appropriate ports, if they are behind a firewall. There might be ways around that, however (e.g. you can run VNC over HTTP).
VM image
A completely different solution: Provide a ready-to-run VM image (for VMWare, VirtualBox or similar) of your application, including server and everything. You would need a demo version of your app though, plus getting redistribution rights for all the proprietary components (Windows OS, SQL server) might get hairy.
Offer videos
Often people do not really need to actually use the app; they are mainly interested to see how it works. So maybe it is enough to host videos of the app in operation. That allows you to put in some advertising for your features, and lets you show the users what they might miss when testing on their own.

Know of SSO turnkey Appliance with ldap, radius, openid, etc?

I'm helping a typical small company that started with a couple of outsourced systems (Google Apps, svn/trac), added an internal Jabber server (ejabberd, for mostly iChat clients), subscribes to a couple of web services (e.g. highrisehq), and has a VPN service provided by a pfSense FreeBSD firewall.
And the net result of all this is that they're drowning in passwords and accounts.
It seems that if they had a single unified login / single signon service they could go a long way to combining these. E.g.: ldap as the master repository, radius linked to it for vpn, ejabber and even WPA2 wireless access, plugins for google app sign on, and perhaps an openid server for external websites like highrisehq.
It seems that all these tools exist separately, but does anyone know of a single box that combines them with a nice GUI and auto-updates? (e.g. like pfsense/m0n0wall for firewalls, freeNAS for storage). It doesn't have to be FOSS. A paid box would be fine too.
I figure this must exist. Microsoft's Active Directory is likely one solution but they'd rather avoid Windows if possible. There seem to be various "AAA" servers that ISPs use or for enterprise firewall/router management, but that doesn't seem quite right.
Any obvious solutions I'm missing? Thanks!
It's been over a year since you originally asked the question, so I'm guessing you've solved your problem by now. But if someone else is interested in a possible solution, I suggest the following:
First of all, I don't know of any "all in one" solution to your problem. However it's quite easy to combine three products that will solve all of your needs and provide a single source for User management and password storage.
The first thing to do is install an LDAP Directory to manage Users and Groups (and possibly other objects outside the scope of your question). This can be OpenLDAP, Apache DS, Microsoft Active Directory, etc. Basically any LDAP Server will do.
Second, I recommend installing FreeRADIUS with the LDAP Directory configured as its backend service.
Third get a license of Atlassian Crowd. It provides OpenID and Google Apps authentication. Prices for up to 50 Users start at $10 and go all the way up to $8000 for an unlimited user license.
Installation and Configuration of the three is relatively easy. You'll probably put most work into creating your Users and Groups. You can install all three components on a single Server and end up with a box that allows you to authenticate pretty much everything from Desktop Login, over Google Apps and other Web Apps, down to VPN and even Switch, WiFi and Router Login.
Just make sure you configure your Roles and Groups wisely! Otherwise you might end up with some Sales Person being able to do administration on your Firewalls and Routers :-)
I would encourage anyone searching for this type of solution to check out the Gluu Server (http://gluu.org).
Each Gluu Server includes a SAML IDP for SAML SSO, an OpenID Connect Provider (OP) for OpenID Connect SSO, an UMA Policy Decision Point (PDP) for web access management, and a RADIUS and LDAP server.
All the components of the Gluu Server are open source (i.e. Shibboleth, OX, FreeRADIUS, OpenDJ, etc.), including the oxTrust web user interface for managing each component of the server.
For commercial implementations, Gluu will build, support, and monitor this stack of software on a client's VM.
You may not want to standardise passwords across so many apps (especially external ones), though for internal ones using an auth service like LDAP makes sense.
You could solve the issue of remembering passwords with an eSSO like Novell SecureLogin
Also you might be interested in Novell Access Manager and Novell Identity Manager
I too could use such a device; however, the only one I could find was a (possibly outdated) data sheet from Infoblox. They seem to have since concentrated on automated network management and I can't find the LDAP appliance on their current website. I guess building a Linux box with the FOSS stuff mentioned above is what everyone does, but it would be great not to have power supplies, disks, fans etc. I suppose you could use something like an Eee PC and put the config on a flash card.
This is something I was looking for as well, and http://www.turnkeylinux.org/openldap looks like the solution: "appliance" installation, and it includes encrypted online backup which is easily restored to a new or replacement machine.