I'm working on an app in my company office environment. My server environment is such that I have two servers, Server A consist of all the data, and Server B consist of only the API parameters.
When calling from external environment, I will type something like "http://115.36.45.8:Portno/api/Data/GetData" to enter Server B on Google Chrome, so as retrieve the information i want. Whenever I test from external environment, I uses my own mobile data instead of the office internal data network.
When I type my internal Ip address to test, the API seems working okay. I type something like this
http://192.168.52.2:Portno/api/Data/GetData. The information that I would like to retrieve was beautifully presented to me in the Chrome.
However, when I type the external address,"http://115.36.45.8:Portno/api/Data/GetData", this doesn't happen. No data. Chrome reflects, Error diconnect.
I did the following troubleshooting:
a) I asked my vendor to check the port whether it is open. Vendor telnet and it sure was working. In fact if it doesn't work, I probably won't get any data retrieve from internet address (http://192.168.52.2:Portno/api/Data/GetData).
b) I use my mobile phone my laptop using external data, I asked different vendor to try access, all couldn't enter from external environment.
c) My infra team, also checked that there is no firewall or Antivirus that may have blocked the path since telnet works.
Anyone can advise what can I do to find out why external environment cannot access my api? Appreciate it.
Related
I have a simple VB.net console application that displays the current user, waits for key input, and then exits. It uses the following call to display the information:
System.Security.Principal.WindowsIdentity.GetCurrent.Name.ToString()
If I create a remote app hosting this application, and create an azure user that has rights to run the remote app such as;
thisisa#test.onmicrosoft.com
When this user connects to the remote app the output of the line of code above would look something like;
YLSDAAYU0007\thisisa_000
Is there anyway of reading the user running the remoteapp at the time? in this case, I am looking to obtain thisisa#test.onmicrosoft.com ?
Catalin from the RemoteApp team here. You have stumbled across one of our implementation details here :)
Windows does not allow automatic login with Azure Active Directory (AAD) users: they only allow users that have Microsoft Accounts or domain accounts in case the collection is domain joined. We are working around this limitation by creating a local user on the VM and logging in with that user instead of the AAD user.
If you have any more questions about this, feel free to contact me: catalda @ microsoft com
Good Day All,
We have a component service which runs on remote domain computer. I am very much a newbie for this sort of Vb automation. Although I could not find a code to assist finding if the component service is runnning or not, I did notice that this particular Component Service runs as "dllhost.exe" process against a username which we specify under the Identity tab of Properties.
However, there may be other "dllhost.exe" processes running on same machine and hence I am looking for some sample VB Net code that will retun if my Component Service is Running or Not; by supplying the remote machine name, "dllhost.exe" as the process name and the User Name.
Any suggestions / tips are welcome.
Good day.
I am developing a program that will be used in a corporate environment by the end users. The application will automatically fix certain errors as soon as the user selects the application name, chooses the symptom or error message and clicking on the fix button.
The idea behind is to decrease the amount of calls we receive at the IT Service Desk (The company's personal Call Centre for IT Issues) and at the same time assist the end user by resolving the issue within a minute (versus waiting on the phone for up to 15 minutes or more).
I've am not yet allowed to upload an image of the application, but imagine a small'ish windows form with 2 columns; Aplication name and Synptom. The user will choose the application's name, click on the error message and click on the FIX button. This basically automates whatever we has IT Techs would manually.
The problem I'm facing is that some of the code is supposed to be executed with adminsitartor rights, eg. Stop and Start a given service, adding regsitry entries for Local Machine, etc.
Given the fact that none of the users will be allowed to have elevated rights and the fact that they need to use this application as a sort of "self-help" alternative without the need to call the IT Service Desk, is there a way to give a set of code "administrator permissions"? The application should NOT request the user to enter ANY passwords.
Regards,
Willem
No way, AFAIK: the model in common operating systems is process-centric, so that the process is given permissions that are then inherited by its code. You can elevate such privileges at some point, but that will be for the whole future life of the process (or as long as the authentication token for it ceases to be valid).
In windows the right way to do that is to employ a back-end service: at boot, you start the service called IT_Auto_Fixer_Back_End with high permissions (try to avoid Administrator, NetworkService or LocalService could be enough for you). When the app IT_Auto_Fixer_Front_End is started with USER privileges, it operates until it needs something with high privileges. At that point it sends a request to the service, that will do it.
If you choose this way, some important advices:
The IT_Auto_Fixer_Back_End must not become a backdoor! If you use TCP as form of communication with IT_Auto_Fixer_Front_End, make it listen localhost only and use SSL (yes!) to encrypt local traffic
It must not be possible to invoke arbitrary commands using IT_Auto_Fixer_Back_End. You need to enumerate the possible requests that could be made (i.e. a command like stop_mysql_service rather than accepting directly the string net stop mysql - the application logic will translate your string into the real OS command)
Every input from the user could be used to perform command injection. To prevent this, use the Windows API that requires an array for the command - this way if the user adds options to a command (i.e. the name of the service in net stop) they won't be interpreted as another command (common scenario: when accepting the name of the service as a parameter, a malicious user that tries to execute something like net start mysql ; net user /add hacker t00E4sy). Authentication and encryption will not help you against this, you must escape any user input that goes inside the command.
Sanitize your ENVIRONMENT by using the API that executes commands setting the PATH (and other relevant variables), so that the user will not be able to taint the PATH, executing C:\temp\net.exe instead of C:\Windows\System32\Net.exe
IT_Auto_Fixer_Back_End service should be authenticated: it should check every time if the request comes form the user by checking if the Kerberos token is valid (Windows => you get a very nice Kerberos environment for free!). This will prevent someone else to break into the machine, use SSL to connect to the localhost port and elevate privileges through your service
The above (authentication) still stands when something else (i.e. shared memory, windows sockets, a file, etc...) is used as communication channel between IT_Auto_Fixer_Back_End and IT_Auto_Fixer_Front_End
Life gets harder when you want to properly implement something dealing with multiple level of permissions...
I've searched Google for days, but cannot come up with any answers. A week ago, we did a server migration. We have a clustered environment where the following code works on one server, but not the other (and I cannot get it to work on my local machine for our non-clustered development environment):
rootDSE = New DirectoryEntry("LDAP://nonfullyqualifieddomain/RootDSE")
If I try the above, I get the generic error mentioned in the question title (Again, it works on one of the servers, but not the other).
However, when I do this the DirectoryEntry object is instantiated:
rootDSE = New DirectoryEntry("LDAP://fully.qualified.domain", adUserId, adPassword, AuthenticationTypes.Secure)
Based on what I see online, my best guess is that it has something to do with permissions or configurations, but I'm not familiar with the server administration side of the application. Any suggestions would be appreciated!
Every time I've got the "Server not operational" in one of the infrastructure I worked on, it was because I was trying to connect an LDAP server on a bad adress. This was due to :
Bad DNS resolution
Bad Netbios resolution
Firewall filtering
My advice it to use DNS resolution for production and test environment, and to use direct IP adress for development environment.
Be sure 389 (or 636) port is binded on the adress you use and you can connect to it. On Windows Server 2008 LDP.EXE is a good tool to test LDAP connexion (present in W2K3 ressource kit). On development computer I use Apache Directory Studio which is also a good tool to test Directory connectivity and content.
I have come across the same error in one of our legacy applications. This is a memory leak issue. To work around this, I made sure that the code was disposing of the Directory entry once done using it. Something like:
using (System.DirectoryServices.DirectoryEntry OUEntry
= new DirectoryEntry(domain, userName, userPassword))
{
// your code here
}
Under normal circumstances, a VB.NET application of mine can check the ClientName environmental variable to get the name of the workstation the user is connecting from.
So when WorkstationX RDPs into ServerA:
ComputerName=ServerA
ClientName=WorkstationX
That works fine.
If I right-click on the application and choose Run As Administrator, the ClientName variable is not set.
Does anyone know of a way of easily getting the workstation name of the client connected to the terminal server, even when the application is launched via "Run As Administrator"?
If you don't want to deal with the P/Invoke business yourself, you can use Cassia, which wraps it for you:
New Cassia.TerminalServicesManager().CurrentSession.ClientName
The terminal services API might be your answer. I use it in a VB.NET app to log off user sessions on a given server, and to retrieve the names of the workstations connected to those sessions. The code I have has a lot of p-invoke stuff and is rather unwieldy, but I can post it if you want.