I am developing a routine that imports data from a 3rd party SFTP server. This server uses WinSCP to create the SFTP Connection and uses a SSH Private Key for the connection rather than a username and password. So I create my connection as below in a script task:
SessionOptions sessionOptions = new SessionOptions
{
Protocol = Protocol.Sftp,
HostName = ftpSite,
UserName = username,
Password = password,
SshHostKeyFingerprint = sshKey,
SshPrivateKeyPassphrase = "mypassword",
SshPrivateKeyPath = #"C:\path\to\private.ppk"
};
I'm happy enough storing the Private Key Path in a database table (which contains my connectoin settings) but I want to store the SshPrivateKeyPassphrase somehwere that is encrypted. I was initially thinking can I create an Encrypted Variable, so if you look at the xml of the package, it won't expose the password directly, but I can reference the variable in code to pass the password to the connection.
I was also looking at creating a dummy Connection and see if I can refer to the connection and get the password in the code, but it seems a bit of a fudge.
The solution the package is in is passworded, i'm just trying to cover all bases, so if someone gets access to the package who shouldn't, they won't get the private key passphrase as that would cause us all sorts of issues.
Related
I am writing a .NET Console application, our goal is keep a message on the queue and read the message. the message header should contain User Name & Password. I try to pass the Message with below code it is not working.
hashTable.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);
hashTable.Add(MQC.HOST_NAME_PROPERTY, strServerName);
hashTable.Add(MQC.CHANNEL_PROPERTY, strChannelName);
hashTable.Add(MQC.PORT_PROPERTY, 1414);
hashTable.Add(MQC.USER_ID_PROPERTY, "XXXXXX");
hashTable.Add(MQC.PASSWORD_PROPERTY, "XXXXXX");
hashTable.Add(MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, true);
queueManager = new MQQueueManager(strQueueManagerName,hashTable);
queue = queueManager.AccessQueue(requestQueue, MQC.MQOO_OUTPUT + MQC.MQOO_FAIL_IF_QUIESCING);
requestMessage = new MQMessage();
requestMessage.WriteString(StrAPICMessage);
requestMessage.Format = MQC.MQFMT_STRING;
requestMessage.MessageType = MQC.MQMT_REQUEST;
requestMessage.Report = MQC.MQRO_COPY_MSG_ID_TO_CORREL_ID;
requestMessage.ReplyToQueueName = responseQueue;
requestMessage.ReplyToQueueManagerName = strQueueManagerName;
queuePutMessageOptions = new MQPutMessageOptions();
queue.Put(requestMessage, queuePutMessageOptions);
In the Message Descriptor it is taking the default value mentioned MQ Server. it is not takeing my UserName "XXXXX"
I have tried using the CSICS Bridge header also unable to send the message with my application Service account + Password.
help me on this scenario.
See "MQCSP authentication mode" here: https://www.ibm.com/docs/en/ibm-mq/latest?topic=authentication-connection-java-client
It says:
In this mode, the client-side user ID is sent as well as the user ID and password to be authenticated, so you are able to use ADOPTCTX(NO). The user ID and password are available to a server-connection security exit in the MQCSP structure that is provided in the MQCXP structure.
"client-side user ID" means the UserId that the application is running under. Therefore, if you are authenticating with a different UserId than the one that the application is running under.
Therefore, you (or your MQAdmin) will need to change ADOPTCTX to YES.
Your program works fine for me, when I fill in the correct values for my qmgr connection.
Except for one change I made: instead of TRANSPORT_MQSERIES_CLIENT I used TRANSPORT_MQSERIES_MANAGED. That keeps everything in the managed .Net space.
Without that change, I was actually getting MQRC_UNSUPPORTED_FUNCTION during the connection which typically means either some kind of mismatch between versions of interfaces, or it couldn't find the C dll that underpins the unmanaged environment. And I wasn't going to take time to dig into that further.
Running amqsbcg against the output queue, I see
UserIdentifier : 'mqguest '
which is the id I had set in the USER_ID_PROPERTY.
I already read the multi-tenancy guide published, and I believe the solution I require for my app would be to create a separate DB Connection for each organization that I sign up.
My issue is that, since I'm going to be setting the connection parameter to a different name per client, I would have liked Universal Login to automatically determine the DB Connection name according to the user's email address. So, instead of the user manually providing some kind of a hint to which DB Connection I should authenticate them against, I would like to automatically determine that somehow.
Is there any way to do this?
I am assuming that you are using hosted login page. The easiest way to determine the connection based on client would be to pass the connection parameter when redirecting to /authorize endpoint. Thus, Lock will use the connection parameter passed in the URL as the connection to validate the user. For example:
https://[tenant]/authorize?
client_id=K8B5DJdStcZtUzbhaxAOzCrXNbo2kmXG&
response_type=token%20id_token&
redirect_uri=http://application_url&
scope=openid%20profile%20email%20&
connection=connection_name&state=123&nonce=345
Both auth0.js and auth0-spa-js can be used to pass the extra parameter(connection).
Second approach would be to use connectionResolver options if you are using Hosted Login Page+ Lock .
connectionResolver {Function}: When in use, provides an extensibility point to make it possible to choose which connection to use based on the username information. Has username, context, and callback as parameters. The callback expects an object like: {type: 'database', name: 'connection name'}.
var options = {
connectionResolver: function (username, context, cb) {
var domain = username.includes('#') && username.split('#')[1];
if (domain) {
// If the username is test#auth0.com, the connection used will be the `auth0.com` connection.
// Make sure you have a database connection with the name `auth0.com`.
cb({ type: 'database', name: domain });
} else {
// Use the default approach to figure it out the connection
cb(null);
}
}
}
Instead of username, you can take advantage of context object to identify the client (context.clientID) and choose the connection.
I wish to check content of one database on server where I'm able to log into by means of Windows Authentication. Sounds really simple and many examples are provided over the Internet.
I tried few examples and each fails on my machine. I suspect, that there might be problem during credentials conversion.
My code (shortened) is as follows:
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SMO")
$User=[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$credentials = Get-Credential $saUser | Select-Object *
$Pwd = $credentials.Password | ConvertFrom-SecureString
$targetConn = New-Object ('Microsoft.SqlServer.Management.Common.ServerConnection') ('myServer', $User, $Pwd)
$targetServer = New-Object ('Microsoft.SqlServer.Management.Smo.Server') $targetConn
till now there's no error message.
When I type $targetServer, I don't see any objects listed (no Databases as well).
When I tried to check $targetServer.Databases, I received:
The following exception was thrown when trying to enumerate the collection: "Failed to connect to server mmyServer."
ConvertFrom-SecureString converts a secure string into an "encrypted standard string" (a hash, which is intended to store the encrypted string in text format). So, you're providing a password hash ($Pwd) as the password argument when creating the $targetConn object, which is invalid.
You can get the plaintext password from the PSCredential object $credentials this way:
$Pwd = $credentials.GetNetworkCredential().Password
However, according to the documentation for the contructors for the ServerConnection class, you can also provide a secure string as the password argument. So it should work if you simply leave out the | ConvertFrom-SecureString, i.e.
$Pwd = $credentials.Password
That's probably a better idea, since it's a little more secure. If you use the first method to get the plaintext password, there's a possibility that the RAM location that stores the $Pwd variable will be paged out while the script is running, resulting in the plaintext password being written to the disk.
I am developing a website which will authenticate the user and change the old password with new password.
I am using WinNT string connection and setting password, without the old password check, works.
My code is as below:
'actual setting password
Dim entryD As New DirectoryEntry("WinNT://" + Environment.MachineName + ",computer")
Dim NewUser As DirectoryEntry = entryD.Children.Find(username, "user")
Dim nativeobject As Object = NewUser.NativeObject
NewUser.Invoke("SetPassword", New Object() {strPassNew})
NewUser.CommitChanges()
'setting password ends
This works fine, but authentication code is not working.
It is as below:
'authentication starts
Dim adsiPath As String
adsiPath = String.Format("WinNT://{0}/{1},user", domain, username)
Dim userEntry = New DirectoryEntry(adsiPath, username, password, AuthenticationTypes.Secure)
'Dim nativeobject1 As Object = userEntry.NativeObject
Dim newobj As ActiveDs.IADsUser = userEntry.NativeObject
authent = True
'authentication ends
This authenticates but the exception which it throws is:
logon failure: unknown username or bad password
for the first time, but if i do it again the error is:
"Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
"
Which I don't want to happen... I don't want to use LDAP, I want a solution please, to authenticate the old password. Please help?
I had this error in my code where requirement was to add domain users to local admin group of a system. While testing the code after the first try I used to get "Multiple connections to a server ..." error and then I if try the code code later(an hour or so) it worked fine. After searching thru various forms I came know the we can see user logged-on to a computer using
NET SESSION /LIST
command in cmd of remote system and it appears that when we use WinNT provider it actually creates an user session with idle timeout on remote computer (there can be a situation where other programs are creating sessions) which conflicts the connection when you try for second time. So I tried deleting the previous session by
NET SESSION \\RequestingComputerName /DELETE
then I did n't got the error. If that doesn't solve the problem then the last resort is to restart the system.
In VB.Net, I'm trying to connect to WMI on my local computer with different credentials (the user won't have admin rights) and I get this exception :
« User credentials cannot be used for local connections »
Here's the code :
Dim path As ManagementPath = Nothing
Dim options As ConnectionOptions = Nothing
Dim scope As ManagementScope = Nothing
path = New ManagementPath("\\" & vServerName & "\root\CIMV2")
options = New ConnectionOptions
options.Username = vUsername
options.Password = vPassword
Scope = New ManagementScope(path, options)
Scope.Connect()
I know this question is old, but I tried the above steps and it didn't work. What I found to work was this:
https://web.archive.org/web/20150213044821/http://www.manageengine.com/network-monitoring/help/troubleshoot_opmanager/troubleshoot_wmi.html
80041064 - User credentials cannot be used for local connections
Cause
This error is encountered when you specify the Username and password for monitoring the machine where OpManager is running.
Solution
Do not specify Username and password for the localhost. To resolve the issue, remove the configured user name and password from "Passwords" link in the device snapshot page.
You don't have access to some wmi instances when a user without administrator privileges is currently logged in. (This is only applied to Local WMI connections)
MSDN reference on the topic
It's pretty lame! But if you can run your application as a user which is a member of administrators group, then you're problem should be solved.
Added note:
If you write a windows service with **local system** user, then you'll have full access to all wmi classes.
note: I've tried to grant my limited user the proper permissions to access desired wmi actions, but it seems it doesn't work that way. In this case, you'll have to set the permissions in these 3 places:
Start->Run->dcmoncnfg->Component Services->Computers->My Computer->Properties->COM security tab
Start->Run->dcmoncnfg->Component Services->Computers->My Computer->DCOM Config->Windows Management and Instrumention->Properties->Security tab
Start->Run->wmimgmt.msc->WMI Control(Local)->Properties->Root(just highlight)->Security tab
enter the wmic prompt by typing wmic and then enter. Then type:
/user:""
This will null the user it's trying to run the commands as. You might have to do something similar with password, I dunno.