What is the right syntax for using + and * with NETSH HTTP ADD URLACL?
I am aware of the following Microsoft article, but I just cannot find a way that this works for my case:
https://msdn.microsoft.com/en-us/library/aa364698(v=vs.85).aspx
What I would like to achieve is to enable only a certain user (this is not the problem) to be able to listen on a specified URL, but using these wildcards.
In general this user is used as a service account. So I want to avoid executing an additional netsh http add urlacl url=X://mynewUrl.net:1234/ user=MyUser (local user) whenever my service needs to support an additional URL.
What I would like is to execute something like this once, so that it covers all my cases; of course I will always use the same TCP/IP port:
netsh http add urlacl url=https://+:1234/ user=MyUser
or with *
So when I add an additional URL that my service needs to support, I do not need to execute netsh each time.
I want to be able to use IP addresses as well.
I tried many different combinations, but without success. When I try to run the service, I get access denied.
Just as a note, netsh http behaves the same as the API from httpapi.dll, so I guess it actually uses httpapi.dll. I'm also using Platform Invoke to call this library and get exactly the same behaviour.
Another note is that I'm using Windows 10 and Windows Server 2012/2012 R2.
Any ideas how I can solve this, so I do not need to add new reservations whenever I want to support an additional URL for my service?
Using netsh with the SDDL argument should get you what you need:
netsh http add urlacl url=http://+:1234/ sddl=D:(A;;GA;;;<process owner sid>)
To get your user sid:
whoami /user
If you're unsure whether your user is the owner of the process, this one-liner will help:
Get-WmiObject -Class Win32_Process -Filter 'Name = "powershell.exe"' | % { $_.GetOwner() } | % { (New-Object System.Security.Principal.NTAccount($_.Domain + "\" + $_.User)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
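The two steps of the answer put together, as an added PowerShell example that is not part of the original answer: it resolves a service account to its SID, writes a wildcard reservation with that SID, and then reads the reservation back to confirm it. The account name and port are placeholders. One deliberate difference from the answer: the ACE grants GX (the listen right, which is what netsh writes itself for a user= reservation, as the "SDDL: D:(A;;GX;;;...)" listing later on this page shows) rather than GA, since a listener needs nothing more.

```powershell
# Added example (not from the original answer): reserve a wildcard URL for a
# service account by SID and verify the result. Account name and port are
# placeholders; run from an elevated prompt.
$account = 'MYDOMAIN\svc-listener'   # assumed service account
$port    = 1234                       # assumed listening port

# Resolve the account to a SID (what 'whoami /user' prints for the current
# user) so the reservation survives a rename of the account.
$ntAccount = New-Object System.Security.Principal.NTAccount($account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# '+' is the strong wildcard: it matches every host name and IP address on the
# port, which is what the question asks for, and also the broadest reservation
# possible, so grant it only to the one account that runs the listener.
# '*' is the weak wildcard, matched only when no other reservation fits.
# GX (listen) is the right 'netsh ... user=' itself grants; GA hands out more
# than a listener needs.
$url  = "https://+:$port/"
$sddl = "D:(A;;GX;;;$sid)"

netsh http add urlacl "url=$url" "sddl=$sddl"
if ($LASTEXITCODE -ne 0) { throw "netsh http add urlacl failed ($LASTEXITCODE)" }

# Verify: list the reservation and check that it carries the SID we granted.
$listing = netsh http show urlacl "url=$url"
if (-not ($listing -match [regex]::Escape($sid))) {
    throw "Reservation for $url does not contain $sid"
}
$listing
```

The reservation is removed again with netsh http delete urlacl url=https://+:1234/ (same placeholder port). Because the reservation is keyed by the exact scheme, wildcard and port, a service that later switches from https to http, or to another port, still needs a new entry.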
Changing the port by changing the offset in the deployment.toml, or by using -DportOffset, does not get applied to the Console and My Account applications.
How to reproduce:
Change the offset by adding the following config to the deployment.toml
[server]
offset=2
Start the server
Access the console app from https://localhost:9445/console
Access the my account app from https://localhost:9445/myaccount
The following error is displayed.
Observed that the reason is that the callback URL is not changed when the hostname or port is changed. Even changing the URLs manually from the management console is not allowed.
What is the recommendation to get Myaccount and Console apps working when hostname or port is changed?
An approach is to manually change the callback URL of the Myaccount and Console apps accordingly when a port or hostname change is done in the server, by removing these applications from the system applications list.
Steps:
Change hostname or port of the server
Remove the Myaccount and Console apps from the read-only system apps by adding the following to the deployment.toml
[system_applications]
read_only_apps = []
Restart the server
Update callback URL of the myaccount and console apps from the management console accordingly.
Change the issuer URI of the Resident IDP accordingly.
These applications can be hosted externally. In that case the callback URLs can have different hostnames and ports.
Thus, it is not good to change the callback URLs automatically. So, the manual option Aysh pointed out in the above comment is the recommended approach ATM.
So right now I am trying to see the information that comes out of the following command in the command prompt (cmd):
netsh advfirewall firewall show rule name="TestFirewallUpdateSettings" profile=any
The output I get is:
Rule Name:                            TestFirewallUpdateSettings
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Action:                               Allow
What I want is to just read the Profiles line using VB.NET, and I am wondering if there is an API that will do what I am asking for?
Yes, there is. You could go and create your own interop assembly in order to access the objects - INetFwPolicy2 in particular - in the system's COM based FirewallApi.dll. Check this SO thread for details. I did this in the past (Windows 7) and it worked like a charm.
Also, there is a WMI namespace, ROOT\SecurityCenter2, which is supposed to provide info about the firewall amongst other things. However, it wasn't well documented and I failed to enumerate it through C#, although I can see it through various WMI browser tools.
You can also check the new Microsoft.TeamFoundation.Build.Common.INetFwPolicy2. It seems to do the same job as the manually created interop assembly.
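The COM route the answer describes, as an added PowerShell example that is not part of the original answer: it binds to the firewall policy object (ProgID HNetCfg.FwPolicy2, which implements INetFwPolicy2), fetches the rule from the question by name and decodes the Profiles bit mask instead of scraping netsh output. The rule name is the one from the question; the numeric values are the NET_FW_PROFILE_TYPE2 and NET_FW_RULE_DIRECTION constants.

```powershell
# Added example (not from the original answer): read a firewall rule's profiles
# through the COM firewall API (INetFwPolicy2 / INetFwRule) without building an
# interop assembly. The rule name comes from the question above.
$ruleName = 'TestFirewallUpdateSettings'

$policy = New-Object -ComObject HNetCfg.FwPolicy2   # INetFwPolicy2
$rule   = $policy.Rules.Item($ruleName)             # INetFwRule; throws if no such rule

# INetFwRule.Profiles is a bit mask of NET_FW_PROFILE_TYPE2 values
# (Domain = 1, Private = 2, Public = 4; "all profiles" sets every bit).
$profileBits = [ordered]@{ Domain = 1; Private = 2; Public = 4 }
$profiles = $profileBits.GetEnumerator() |
    Where-Object { ($rule.Profiles -band $_.Value) -ne 0 } |
    ForEach-Object { $_.Key }

# Report the same fields netsh prints, taken from the object model instead.
[pscustomobject]@{
    Name      = $rule.Name
    Enabled   = $rule.Enabled
    Direction = if ($rule.Direction -eq 1) { 'In' } else { 'Out' }   # NET_FW_RULE_DIR_IN = 1
    Profiles  = ($profiles -join ',')
}
```

The same late-bound calls work from VB.NET with CreateObject("HNetCfg.FwPolicy2"), which avoids the hand-made interop assembly entirely; reading a rule does not require elevation, but adding or changing one does.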
I have a problem of authentication on a vanilla CRM 2013 installed on an NLB. The CRM 2013 is working correctly if I use the IP address of the NLB, but if I try to access the NLB using its unique name, it prompts for credentials and does not authenticate the user (the user is the one that I used for the setup process). Has anyone ever seen something like this? I tried to Fiddler the request and, besides a small difference in a cookie in the request header, to me they look the same. Also, if I ping the unique name of the NLB it responds with the correct IP address.
The last test that I did was to add the name in the hosts file, and I had the same problem (no authentication); it looks like it is managing to get to the server but it fails to authenticate. I tried to use the localhost address and it worked (on both of the single servers), and it worked with the names of the 2 servers that are part of my cluster; it worked with the IPs of those servers too. Does anyone have any idea why everything works as I expect with the IP address of the NLB, but as soon as I use the name it does not work?
Recap:
Address          | Status
-----------------+------------
CRM1.com         | working
192.168.1.CRM1   | working
CRM2.com         | working
192.168.1.CRM2   | working
192.168.1.NLB    | working
NLB.com          | not working
Obviously this is sample data, and I know that with a single server I will not use the NLB; I was expecting to have issues with both the IP and the server name, not with just one of them.
I found out the reason it is not working. When you install behind an NLB you need to change some parameters in IIS. Since I'm not very good at managing it, in the config editor you need to change the section and update 2 key values from false to true. Steps 2-10 of this guide http://blogs.msdn.com/b/niran_belliappa/archive/2014/02/17/network-load-balancing-microsoft-dynamics-crm-2013.aspx
I'm having issues with using the following format using WinSCP
open sftp://user:password#site.com
vs. this, which works with the console and GUI:
open sftp.site.com.
I would like to automate logging in through the command line, but when I try with sftp://user:password#site.com I get a timeout.
Any ideas?
It works fine for me both ways. Is the problem that you are using site.com instead of sftp.site.com in your first example?
Just because you specify the protocol sftp, doesn't mean it will attempt to connect to sftp.site.com when you provide site.com as the host. You still need the full hostname, the sftp:// just tells it what protocol you want to speak once connected.
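A scripted login along the lines of the answer, as an added PowerShell example that is not part of the original answer: it uses the full host name (sftp.site.com) in the open command and additionally pins the server's host key with -hostkey, so the script fails instead of connecting to a server that presents a different key. The WinSCP install path, user name, private-key file and host-key fingerprint are placeholders; the session authenticates with a key file rather than a password embedded in the URL.

```powershell
# Added example (not from the original answer): automate an SFTP login with
# winscp.com using the full host name and a pinned host key. All values below
# are placeholders.
$winscp   = 'C:\Program Files (x86)\WinSCP\WinSCP.com'   # assumed install path
$hostName = 'sftp.site.com'                               # full host name, as the answer says
$user     = 'user'
$keyFile  = 'C:\keys\site.ppk'                            # placeholder private key
$hostKey  = 'ssh-ed25519 255 <fingerprint obtained out of band>'  # placeholder

# WinSCP script: the open command carries the host name, key file and the
# expected host key; a key mismatch aborts the session before any login.
$script = @"
open sftp://$user@$hostName/ -privatekey="$keyFile" -hostkey="$hostKey"
ls
exit
"@
$scriptPath = Join-Path $env:TEMP 'winscp-login.txt'
Set-Content -Path $scriptPath -Value $script

# /ini=nul ignores any stored session settings, so the script is self-contained;
# the log file records which host key was actually presented.
& $winscp /log="$env:TEMP\winscp.log" /ini=nul /script="$scriptPath"
if ($LASTEXITCODE -ne 0) { throw "WinSCP failed with exit code $LASTEXITCODE" }
```

If the first connection times out as in the question, the log file shows whether WinSCP ever resolved and reached the host name, which separates a DNS or firewall problem from an authentication one.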
I have followed your test app example from this video. I have also created the ACL for port 8085 using the command below (with Mydomain and myusracc being my work domain and user account).
netsh http add urlacl url=http://+:8085/ user=<mydomain>\<myusracc>
When I run the solution in debug mode, I'm getting the error below:
There was no endpoint listening at http://localhost:8085/phoneAutomation/automate that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
When I tried executing the SpecFlow scenarios, I got the exception below:
App not alive - ping failed
Expected: True
But was: False
I ran the command to see which ports are listening (netstat -an | find /i "listening") and couldn't find 8085.
If I run the netsh command again to create the ACL, I get a message saying the URL is already there, and it is listed as follows:
Reserved URL : http://+:8085/
User: <mydomain>\<myusername>
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-21-xxxxxxxxxxxx-xxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxxx)
I had the same questions, and what I found about the second question: the manual at GitHub isn't correct in the example part, and I use their examples from the source code; they work fine.
Try to change your SpecFlow feature to something like:
Feature: MainPage
In order to test my app
As a WP7 Developer
I want to see it start and take a picture of it
Scenario: Main Page loads after a few seconds
Given my app is clean installed and running
Then take a picture