Is it possible or do the clients have to use a shared access key or winauth to connect to the namespace?
Example: How do I create a namespace that I can connect to azure service bus explorer, without credentials?
Note that I mean namespace, not per queue or topics
Winauth is the preferred method for controlling access on site. Any winauth user should be able to connect and see the queues/topics, but until granted permissions on the namespace or entity (queue/table) they can't actually do anything. If you want to control access at the Namespace level, create an Active Directory group, assign users then create the namespace with that group as the manage user:
New-SBNamespace -Name MyNamespace1 -ManageUsers groupName#domain1
Read more about Service Bus for Windows Server Authentication and Authorization.
Related
I am trying to access the IBM Domino Access Services 9.0.1, which is REST based service for accessing all calendar items.
Lets say for getting calendar items for a user , i have to pass credentials of that particular user.
I don't think it is feasible to store the user credentials in the client side and pass the same while accessing those service instead will create one service account in domino server and access the service using the same service account.
Any idea how to configure in the domino side or how can i achieve accessing the calendar service without passing the credentials of the user.
Looking for similar to what we have are having like Exchange impersonation.
Thanks
Anil
It depends on what kind of application you are building. If each Notes calendar owner logs in to your application directly, it is possible to store the user credentials on the client side. Of course, your application would be responsible for securely managing the credentials. On the other hand, your application might require access to each calendar without directly involving the calendar owner. This can be the case for server-side applications.
Your question doesn't specify, so I'll assume yours is the second situation. In that case, you could create a user identity for your application and then add that identity to the Access Control List (ACL) for each mail file. There are two ways to modify the ACL: 1) You can change the design of the master template and let the design propagate to individual mail files, or 2) You can ask each user to delegate access to your application's identity.
The bottom line is the Domino calendar service acts on behalf of the authenticated web user. If that's the calendar owner, the calendar service will have full access to the calendar. If the web user is some other identity, access will be limited to the rights granted in the ACL. For more information about the ACL see this tutorial.
Hi i am learning to create a windows service i searched a lot and did not get a clear understanding of the Account property in the ServiceProcessInstaller Class can anybody please explain what is the difference between
1.User
2.LocasService etc..
The ServiceAccount Enumeration page on MSDN has a table that describes each account.
It is best practice to use an account with the lowest privileges that is appropriate to the functionality of your service. Normally that means using the LocalService account unless you're doing something that requires the privileges of LocalSystem.
LocalSystem basically has free reign over the machine, whereas LocalService/NetworkService have roughly the same privileges of a standard user account. As you'd expect, running the service in the context of a specific user would provide the service with that user's privileges.
I think the best one is:
LocalService
An account that acts as a non-privileged user on the local computer, and presents anonymous credentials to any remote server.
LocalSystem
An account, used by the service control manager, that has extensive privileges on the local computer and acts as the computer on the network.
NetworkService
An account that provides extensive local privileges, and presents the computer's credentials to any remote server.
User
An account defined by a specific user on the network. Specifying User for the ServiceProcessInstaller.Account member causes the system to prompt for a valid user name and password when the service is installed, unless you set values for both the Username and Password properties of your ServiceProcessInstaller instance.
from: https://msdn.microsoft.com/en-us/library/system.serviceprocess.serviceaccount(v=vs.110).aspx
I want to use a role based access control for the authorization of one of the applications on a WebSphere application server, but as far as I've seen the users and roles are defined on application server level, and not for a single application. Is it right, or in case it isn't could you please tell me how the define the roles in for my application?
The problem with declaring the roles on server level is that there are multiple independent applications on the server.
1) To do this kind of role based mapping you need to have security enabled in WAS.
2) After you installed your application, open the admin console of WebSphere Application Server. List the installed application, click on your application. You should find a link called "Security role to user/group mapping". The wizard will then guide you to map the role you want to the application.
I've created a wcf web service hosted on IIS 5.1. In the service implementation class there is a method GetAlarm which access the MSMQ on that system. In a sample win form application i instantiate web proxy to call GetAlarm method. But the problem is that when i use GetAlarm method using proxy for local machine then it propmts error like "he queue does not exist or you do not have sufficient permissions to perform the operation.". While i've given all the users full permission in corresponding queue users (properties/security). I can access the rest of methods using web proxy but not msmq.
If i use the GetAlarm method without proxy then it works fine.
please help;
arvind
You say "I've given all the users full permission".
What permissions did you give and to which accounts?
An easy test for security issues is to temporarily give "Everyone" and "Anonymous Logon" Full Control to the queue. If that works then it is a permissions issue.
If you have given the permissions to the account that you think is accessing the queue but still get access denied then you could enable security auditing on the queue to check what account is actually being used.
Also see
https://stackoverflow.com/questions/4758627/how-to-access-message-queue-msmq-via-wcf
Cheers
John Breakwell
I have a number of services that will be running under the security context of NT Authority\System as a Windows service (the services are NetTCP-based). There are six groups stored in Active Directory that will be allowed to access these services:
Users
Agents
Approvers
Administrators (three levels of admins)
I know I can get the user who is connecting to the service using ServiceSecurityContext.Current.WindowsIdentity.Name.
What I need to do is validate in a business layer that the user context being passed in is able to access the particular service though, and I'd like it to follow an older application my company supports that uses PrincipalPermission passing it a role and using the Demand() method to ensure access.
I guess my initial question is, if I pass PrincipalPermission the ServiceSecurityContext username and the associated role (group), will it automatically know to hit Active Directory behind the scenes since the service is running under the context of an AD account on the same domain? Or is there something special I should do?
Right, when you demand a role, it'll call IPrincipal.IsInRole. This will use whatever implementation the principal has. So, if it's set to Windows, it'll do all the work to hit AD.