WinNT ADSI provider - cross domain user lookup - vb.net

I am using the WinNT ADSI provider in a bit of authentication code, which looks up the user from Active Directory and checks its group membership.
We have run into an issue getting this working for cross domain access. We followed the steps outlined here (https://support.microsoft.com/kb/241737?wa=wsignin1.0) to set up a Cross-Reference to an External Domain in Active Directory. This should be all that is required to allow WinNT to find the users.
When the code is run we only ever find one object under the domain (in the loop below) - "Schema". This is not correct - there are MANY child objects.
This problem seems to be intermittent - the same system did not have this issue a month ago. I realise this will be hard to investigate but someone who has a better understanding of ADSI may know better.
The below code illustrates the problem:
    Dim ns, UserObj, UserName
    ' Bind to the domain container through the WinNT provider
    Set ns = GetObject("WinNT://DOMAINNAME")
    MsgBox "Found " & ns.AdsPath & " (" & ns.Class & ")" ' Shown
    'ns.Filter = Array("User") ' Commented to show ALL objects
    ' Enumerate every child object of the domain container
    For Each UserObj In ns
        UserName = UserObj.Name & " " & UserObj.Class ' Returns "Schema Schema"
        MsgBox UserName
    Next

This solution works but I'd like to point out why. After hours of trying to determine the importance of the DNS suffix for NetBIOS resolution with the WinNT provider, I found that the client makes a call to the local domain controller first to do an LSA_LookupNames call for the NetBIOS name, and it gets back a domain controller in the remote domain/forest to go to which is responsible for that NetBIOS name. Subsequent to that lookup, it attempts to connect to the domain controller that was returned - but the name of the server is the simple host or NetBIOS name! So, it has to look that up and it uses DNS for that, trying suffixes in the order prescribed in the network config of the client. So, the domain is being translated properly by the local AD domain as part of the lookup but the client can't figure out how to get to that DC because LSA_LookupNames doesn't return an FQDN, just a hostname.
Hopefully this will save others the time I burned searching - sometimes it pays to just break down and open Wireshark.

The solution was to ensure that the local computer that the query was being run from had a DNS suffix for the remote domain.

Related

How to pass UserName & Password in IBMMQ Client Message using .NET or C++ Program

I am writing a .NET console application; our goal is to put a message on the queue and read the message. The message header should contain the user name & password. I tried to pass the message with the code below, but it is not working.
    using System.Collections;
    using IBM.WMQ;

    // Connection properties: client (unmanaged) transport to the queue manager
    Hashtable hashTable = new Hashtable();
    hashTable.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);
    hashTable.Add(MQC.HOST_NAME_PROPERTY, strServerName);
    hashTable.Add(MQC.CHANNEL_PROPERTY, strChannelName);
    hashTable.Add(MQC.PORT_PROPERTY, 1414);
    // Credentials sent to the queue manager in the MQCSP structure
    hashTable.Add(MQC.USER_ID_PROPERTY, "XXXXXX");
    hashTable.Add(MQC.PASSWORD_PROPERTY, "XXXXXX");
    hashTable.Add(MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, true);

    MQQueueManager queueManager = new MQQueueManager(strQueueManagerName, hashTable);
    MQQueue queue = queueManager.AccessQueue(requestQueue, MQC.MQOO_OUTPUT + MQC.MQOO_FAIL_IF_QUIESCING);

    // Build the request message; the reply is correlated by copying the message id
    MQMessage requestMessage = new MQMessage();
    requestMessage.WriteString(StrAPICMessage);
    requestMessage.Format = MQC.MQFMT_STRING;
    requestMessage.MessageType = MQC.MQMT_REQUEST;
    requestMessage.Report = MQC.MQRO_COPY_MSG_ID_TO_CORREL_ID;
    requestMessage.ReplyToQueueName = responseQueue;
    requestMessage.ReplyToQueueManagerName = strQueueManagerName;

    MQPutMessageOptions queuePutMessageOptions = new MQPutMessageOptions();
    queue.Put(requestMessage, queuePutMessageOptions);
In the Message Descriptor it is taking the default value mentioned on the MQ server; it is not taking my UserName "XXXXX".
I have tried using the CICS Bridge header also, but I am unable to send the message with my application service account + password.
Please help me with this scenario.
See "MQCSP authentication mode" here: https://www.ibm.com/docs/en/ibm-mq/latest?topic=authentication-connection-java-client
It says:
In this mode, the client-side user ID is sent as well as the user ID and password to be authenticated, so you are able to use ADOPTCTX(NO). The user ID and password are available to a server-connection security exit in the MQCSP structure that is provided in the MQCXP structure.
"client-side user ID" means the UserId that the application is running under. Therefore, if you are authenticating with a different UserId than the one that the application is running under.
Therefore, you (or your MQAdmin) will need to change ADOPTCTX to YES.
Your program works fine for me, when I fill in the correct values for my qmgr connection.
Except for one change I made: instead of TRANSPORT_MQSERIES_CLIENT I used TRANSPORT_MQSERIES_MANAGED. That keeps everything in the managed .Net space.
Without that change, I was actually getting MQRC_UNSUPPORTED_FUNCTION during the connection which typically means either some kind of mismatch between versions of interfaces, or it couldn't find the C dll that underpins the unmanaged environment. And I wasn't going to take time to dig into that further.
Running amqsbcg against the output queue, I see
UserIdentifier : 'mqguest '
which is the id I had set in the USER_ID_PROPERTY.

Email Authentication with Mailchimp and Bluehost

Can someone please help me get this right. I've been trying for days and just can't do it.
This is what Mailchimp is asking me to do.
Set a TXT (SPF) record for averyburch.com to:
v=spf1 include:servers.mcsv.net ?all
Set the CNAME record for k1._domainkey.averyburch.com to:
dkim.mcsv.net
So I have entered the following in my bluehost DNS zone editor. But it's not authenticating. I've waited 48 hours.
CNAME
k1._domainkey points to dkim.mcsv.net
TXT
# txt value is: v=spf1 a mx ptr include:bluehost.com include:servers.mcsv.net ?all
I did enter exactly k1._domainkey.averyburch.com but the control panel seems to change it to k1._domainkey. Everything in the SPF record is the Bluehost default setting apart from include:servers.mcsv.net which I added.
Can someone please tell me what I'm messing up. I'm not experienced with this. Thanks so much.
These are the instructions I followed from someone else on another forum that worked perfectly the first time:
Hey all,
I have been looking into this because of wanting to use DKIM support
for MailChimp emails. Most of this stuff is above my pay grade, but I
was able to successfully set up DKIM. Here's how it went:
Here are the instructions from MailChimp:
DKIM: Create a CNAME record for k1._domainkey.[example.com] with this
value: dkim.mcsv.net
SPF: Create a TXT record for [example.com] with: v=spf1
include:servers.mcsv.net ?all
I then logged into my Bluehost account: cPanel -> DNS Zone Editor
I chose the domain I wanted in the dropdown menu and filled out the
following:
Host Record: k1._domainkey.[example.com] TTL: 14400 (the default)
Type: CNAME Points To: dkim.mcsv.net
Then I clicked "Add Record," and it added successfully.
Then I filled out another entry:
Host Record: [example.com] TTL: 14400 (the default) Type: TXT Points
To: v=spf1 include:servers.mcsv.net ?all
"Add Record," and it was all set. Both entries showed up in the list
below.
I was able to use this method for two domains, and MailChimp verified
that it went through, and they have authenticated DKIM and SPF
records.
Hope that helps. Thanks for the thread.
So there are a couple of issues that are immediately apparent:
The DKIM key is malformed. Looking at the DNS the key record is "k=rsa; p=MIGfMA0GCSqG...". That's missing the initial prefix. It should be "v=DKIM1;k=rsa;p=MIGfMA0GCSqG...". Ideally if you fix that, DKIM signatures will start working
The SPF record you've got in place exceeds the allowed domain lookup limit of 10. You can see some info here - https://dmarcian.com/spf-survey/averyburch.com . Solving this for situations like yours is non-trivial. (Full disclosure, my company ValiMail is about to roll out tech to address a number of common email authentication issues, including this one).
For the moment, assuming DKIM starts working, I wouldn't worry too much about the SPF issue.
Make the DKIM change noted above, and see if that at least gets DKIM authentication working. If you want some visibility, you may also want to add a DMARC record so you can see whether email is authenticating or failing.
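The two defects named in the answer above (a DKIM key record with no v=DKIM1 tag, and an SPF record whose include chain exceeds the 10 DNS-lookup limit) can both be checked before asking a mail provider to re-verify. The script below is an added example, not code from the thread or from Mailchimp, Bluehost or ValiMail. It counts SPF lookups recursively through include: and redirect= terms and validates a DKIM key record, against a constructed TXT table so no live DNS is touched; the records it assigns to bluehost.com, servers.mcsv.net and the .test names are invented for the example (the real include targets differ), the DKIM CNAME indirection is flattened into a TXT entry at the selector name, and the p= value is a truncated placeholder.

```python
"""Offline SPF lookup counter and DKIM key-record checker (added example)."""
from typing import Dict, List, Optional, Tuple

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed TXT data standing in for DNS (domain -> TXT strings). The
# example.com record is the one from the question; everything else is invented.
TXT_RECORDS: Dict[str, List[str]] = {
    "example.com": ["v=spf1 a mx ptr include:bluehost.com include:servers.mcsv.net ?all"],
    "bluehost.com": ["v=spf1 include:a.bluehost.test include:b.bluehost.test ~all"],
    "a.bluehost.test": ["v=spf1 a mx -all"],
    "b.bluehost.test": ["v=spf1 mx -all"],
    "servers.mcsv.net": ["v=spf1 include:spf1.mcsv.test include:spf2.mcsv.test ?all"],
    "spf1.mcsv.test": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "spf2.mcsv.test": ["v=spf1 ip4:198.51.100.0/24 ?all"],
    "k1._domainkey.example.com": ["k=rsa; p=MIGfMA0GCSqG"],            # malformed, as in the thread
    "good._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqG"],  # corrected form
}

# Mechanisms that cost one DNS lookup each time they are evaluated (RFC 7208 4.6.4).
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}


def spf_record(domain: str, txt: Dict[str, List[str]]) -> Optional[str]:
    """Return the domain's single SPF record, or None (none or several is a permerror)."""
    found = [r for r in txt.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return found[0] if len(found) == 1 else None


def count_spf_lookups(domain: str, txt: Dict[str, List[str]],
                      path: Tuple[str, ...] = ()) -> int:
    """Total DNS lookups an SPF evaluation of `domain` can incur, following
    include: and redirect= recursively. Raises ValueError on loops or missing records."""
    d = domain.lower()
    if d in path:
        raise ValueError(f"include/redirect loop at {d}")
    record = spf_record(d, txt)
    if record is None:
        raise ValueError(f"no single SPF record for {d}")
    total = 0
    for term in record.split()[1:]:          # skip the v=spf1 version term
        term = term.lstrip("+-~?")           # the qualifier does not change lookup cost
        name, _, arg = term.partition(":")
        if "=" in name:                      # modifier: redirect=domain or exp=domain
            mod, _, target = name.partition("=")
            if mod.lower() == "redirect":
                total += 1 + count_spf_lookups(target, txt, path + (d,))
            continue
        name = name.lower().split("/")[0]    # 'a/24' and 'mx/24' still mean a and mx
        if name == "include":
            total += 1 + count_spf_lookups(arg, txt, path + (d,))
        elif name in LOOKUP_MECHANISMS:
            total += 1                       # ip4:, ip6: and all cost nothing
    return total


def check_dkim_record(record: str) -> List[str]:
    """Problems found in a DKIM key record (RFC 6376 section 3.6.1); empty list means OK."""
    problems: List[str] = []
    tags: Dict[str, str] = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep:
            problems.append(f"malformed tag {part!r}")
            continue
        tags[key.strip()] = value.strip()
    # v=DKIM1 must be the first tag when present; its absence is the defect the answer names.
    if not parts or not parts[0].startswith("v=") or tags.get("v") != "DKIM1":
        problems.append("missing or misplaced v=DKIM1 tag")
    if "p" not in tags:
        problems.append("missing p= public-key tag")
    elif tags["p"] == "":
        problems.append("p= is empty (revoked key)")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    return problems


def audit_domain(domain: str, selector: str,
                 txt: Dict[str, List[str]] = TXT_RECORDS) -> Dict[str, object]:
    """Run both checks for one sending domain and DKIM selector."""
    lookups = count_spf_lookups(domain, txt)
    dkim_records = txt.get(f"{selector}._domainkey.{domain}".lower(), [])
    dkim_problems = check_dkim_record(dkim_records[0]) if dkim_records else ["no DKIM record"]
    return {"spf_lookups": lookups,
            "spf_within_limit": lookups <= SPF_LOOKUP_LIMIT,
            "dkim_problems": dkim_problems}


if __name__ == "__main__":
    print(audit_domain("example.com", "k1"))    # 12 lookups, over the limit; DKIM malformed
    print(audit_domain("example.com", "good"))  # same SPF result; DKIM record passes
```

Run against real zones by replacing TXT_RECORDS with a resolver that fetches TXT records (and follows the selector's CNAME); the counting and tag logic stay the same. The lookup total is what matters for the "a mx ptr include: include:" default Bluehost record: each top-level mechanism costs one lookup before any include target is even expanded, so trimming unused mechanisms such as ptr is the usual first step.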

ASP: SMTP authentication fails with JMail

I have a somewhat specific problem. One of the websites I am taking care of runs on ASP and contains a form whose results are e-mailed to a specific address.
To achieve this, the JMail component is used. As long as e-mail was sent locally (let's say to user@clientserver.com through the mail server mail.clientserver.com), there was no problem and no need for authentication. However, I recently got a request to add another address as a copy (copy@differentserver.com) and that's when the problem occurred.
Firstly I tried adding authentication; however, the same error still occurred as without it:
jmail.Message error '8000ffff'
The message was undeliverable. All servers failed to receive the message
I tried Google solutions and tampered with some values. I am sure the user and password are correct; the mail server address also worked when I wasn't trying to send mail with authentication.
Since I prefer PHP, my knowledge and skill with ASP are not the best. Has someone experienced something similar and solved it? Or does anyone know some other solution?
The code, which is used for sending mail:
    <%
    Dim msg
    Set msg = Server.CreateObject("JMail.Message")
    msg.Charset = "windows-1250"
    msg.Logging = True
    msg.From = "from@mail.com"
    msg.FromName = name & " - " & mail   ' name and mail come from the submitted form
    ' These should take care of SMTP auth
    msg.MailServerUserName = "smtpuser@localmailserver.com"
    msg.MailServerPassword = "smtppass"
    ' Local mail address
    msg.AddRecipient "user@localmailserver.com"
    ' Outside mail address
    msg.AddRecipient "address@differentmail.com"
    msg.Subject = "Some subject"
    msg.Body = "Some text"
    If Not msg.Send("mail.localmailserver.com") Then
        ' Send failed: show the SMTP conversation captured by msg.Logging
        Response.Write "<pre>" & msg.Log & "</pre>"
    Else
        ' Successfully sent, redirect
        Response.Redirect("mailjob_sent.asp")
    End If
    %>
So the problem is solved at last. After help with analysis by my colleagues responsible for the local mail server, we found out the problem was the username for SMTP authentication.
I got confused, since it wasn't smtpuser@localmailserver.com (I'm referring to the example I made), but
smtpuser@localdomainname.com.
So, advice for others with a similar problem: try to add the testing account (the one you are using for authentication) to your e-mail client (i.e. Thunderbird) and once that is all right, you have the right credentials. Also try sending mail from that account elsewhere.

How to validate the active directory domain my app is running in?

I have a VB.Net Application that authenticates using the current Windows User without asking for the password. It checks that this user is a member of "MYDOMAIN\ApplicationUsers" before it starts up.
How to check if this is the real domain and not a different one using the same name? Are there any certs or public keys to validate locally? I'd prefer to check this offline, without a third party machine or database etc.
In the System.DirectoryServices.ActiveDirectory namespace there are some Trust and Validate methods, but they only seem to check inter-domain trust and using a domain name only.
Your problem is that you are using strings, and strings like mydomain/application users are not unique across domains. One possibility is to use the SID of the application users group in your expected domain instead of the name. Then you can check the SID of the group to make sure it matches the SID for the expected application users group at run time before checking membership. It would be much harder for a malicious user to spoof the domain and group parts of the SID than the domain and group name.
Ultimately, if you are running code on a machine that is owned by the malicious user then this just raises the bar and they could still circumvent this check.
I made some example code which checks the group's SID as Mike suggested. You just need to put your group's SID in the constructor of the SecurityIdentifier class to make the check work against the currently logged on user.
    ' Replace the placeholder with the SID of the expected group (e.g. as shown by whoami /groups)
    Private Sub DoCheck()
        Dim sid As New Security.Principal.SecurityIdentifier("S-0-0-00-0000000000-0000000000-0000000000-000")
        Dim result As Boolean
        result = IsUserInGroup(sid)
    End Sub

    ' Compares SIDs rather than names, so a foreign domain reusing the same name does not match
    Public Shared Function IsUserInGroup(sid As Security.Principal.SecurityIdentifier) As Boolean
        Dim user As UserPrincipal = UserPrincipal.Current
        For Each group As Principal In user.GetGroups()
            If group.Sid.Equals(sid) Then Return True
        Next
        Return False
    End Function
To make the code work you need to import System.DirectoryServices.AccountManagement:
Imports System.DirectoryServices.AccountManagement
This namespace is located in Microsoft's System.DirectoryServices.AccountManagement.dll which is available since .Net 4.0 I believe.

VB.Net - Local WMI Connection with user credentials

In VB.Net, I'm trying to connect to WMI on my local computer with different credentials (the user won't have admin rights) and I get this exception :
« User credentials cannot be used for local connections »
Here's the code :
    Imports System.Management

    ' Connecting to the local machine: WMI rejects explicit credentials here
    Dim path As New ManagementPath("\\" & vServerName & "\root\CIMV2")
    Dim options As New ConnectionOptions()
    options.Username = vUsername
    options.Password = vPassword
    Dim scope As New ManagementScope(path, options)
    scope.Connect()   ' Throws "User credentials cannot be used for local connections" when vServerName is the local host
I know this question is old, but I tried the above steps and it didn't work. What I found to work was this:
https://web.archive.org/web/20150213044821/http://www.manageengine.com/network-monitoring/help/troubleshoot_opmanager/troubleshoot_wmi.html
80041064 - User credentials cannot be used for local connections
Cause
This error is encountered when you specify the Username and password for monitoring the machine where OpManager is running.
Solution
Do not specify Username and password for the localhost. To resolve the issue, remove the configured user name and password from "Passwords" link in the device snapshot page.
You don't have access to some wmi instances when a user without administrator privileges is currently logged in. (This is only applied to Local WMI connections)
MSDN reference on the topic
It's pretty lame! But if you can run your application as a user which is a member of the administrators group, then your problem should be solved.
Added note:
If you write a windows service with **local system** user, then you'll have full access to all wmi classes.
Note: I've tried to grant my limited user the proper permissions to access the desired WMI actions, but it seems it doesn't work that way. In this case, you'll have to set the permissions in these 3 places:
Start->Run->dcomcnfg->Component Services->Computers->My Computer->Properties->COM Security tab
Start->Run->dcomcnfg->Component Services->Computers->My Computer->DCOM Config->Windows Management and Instrumentation->Properties->Security tab
Start->Run->wmimgmt.msc->WMI Control (Local)->Properties->Root (just highlight)->Security tab
enter the wmic prompt by typing wmic and then enter. Then type:
/user:""
This will null the user it's trying to run the commands as. You might have to do something similar with password, I dunno.