RavenDB: Windows user credentials not sufficient for write access - authentication

I'm trying to use the RavenDB server web/silverlight UI to create databases and test data, and am being asked for a username/password. This is fine, and the documentation on http://blogs.hibernatingrhinos.com/5/ravendb-in-practice-part-1-an-introduction-to-ravendb says that I should use my Windows credentials:
Be default RavenDB allow anonymous access only for read requests (HTTP GET), and since we creating data, we need to specify a username and password. You can control this by changing the AnonymousAccess setting in the server configuration file.
Enter your username and password of your Windows account and a sample data will be generated for you.
However the dialog reappears instantly. A few tries later and it fails with an authorisation error.
I'm using the Raven Silverlight client through Google Chrome Windows XP Home SP3, and haven't changed RavenDB's settings (I want it to work with authentication, rather than dodging the issue).

1) Make sure you give user permissions to read/write in the directory where raven is installed.
2) Make sure that you have set in web.config
3) Check this thread RavenDB Network Access

Related

Domino and Xpage, ask to login to access a database, but not authorized

I opened a demo xsp page and a window popped up asking me to input the name and password to login to the domino server. Then I entered my own id and password created in domino, but it didn't work. Only the Administrator name and its password worked. Anybody knows what's the problem? I already edited the corresponding ACL entries.
Thanks!
In order to use a database in a browser (no matter if classic notes web development or Xpages) one needs to meet several requirements.
First of all you need access to all NSF files that are used in the process.
As mentioned by Richard you either need to be mentioned in the ACL (namely or by group membership, or by setting -Default- and/or Anonymous to a level greater than No access).
AND the ACL has to allow Web- Access by not setting the Maximum Internet Name and Password to No Access
But this is not enough.
To be able to do authentication you do not have an ID- file in the browser.
You need a username and password. This password is NOT the password of your ID- file unless the admins choose to synchronize them using a policy.
It is the password stored in your person document in the names.nsf on the server.
But still these points are not enough yet: If you have access to the server with your username and internet password (can be tested by just trying to login to http://yourServer/names.nsf?open&login), then you might still not be able to access the application if -as umeli pointed out in the comment- the signer of the Xpage- application does not have enough rights to sign the XPages (Server document - security).
You see: There is a lot stuff to check. But if all of these points are OK, then access to the database will not be a problem anymore.
I omitted one reason for not beeing able to login because of your error description: If the Session Authentication on your server is configured for Multiple Servers (SSO) then you need to use the fully qualified internet host name of the server in the URL (or at least a hostname, that contains the SSO- domain), otherwise you will be redirected to the loginpage over and over again, even after supplying the right username / password. But as you wrote about a "Window popping up" I am quite sure, that Session authentication on that server is set to "Disabled"
You could be being rejected because of the
ACL of the NSF file not having the level of access required for operations performed in the code on the Xpage. I know you said you edited the ACL, but bear in mind that access also depends on the 'Maximum Internet Name and Password' setting for the NSF.
ACL in other NSF files that are accessed in the code of the Xpage not having the level of access required for operations performed on it by the code. This also includes the 'Maximum Internet Name and Password' setting.

Ajax File Explorer: Avoid login popup (SSO)

We want to integrate "AFE (Ajax File Explorer) into our Drupal application. Our users are authenticated in Drupal and it is not possible for us to ask a second time there login/pwd while opening AFE.
We received a first answer from ITHIT:
Here is how to set login and password:
ajaxFileBrowser.GetSession().SetCredentials('User1', 'pwd');
Please note that this API sets password in XHR. Setting login and
password in XHR does not provide any feedback on weather the login was
successful. That is why in general I would suggest to rely on web
browser login dialog which is displayed automatically instead of
calling SetCredentials.
However it is not clear if it is a real and robust SSO solution. We discovered that Drupal has an webdav SSO module (https://github.com/Awnage/webdavsso), we will also investigate that part. But any comment/help welcomed.
To my understanding there is no way to totally get rid of login dialog when using Basic, Digest, NTLM or Kerberos authentication with Microsoft Office.
Microsoft Office applications always ask for the authentication when used with Basic or Digest authentication. This is a Microsoft Office and Microsoft Mini-redirector limitation and there are no workaround in case your server is using Basic or Digest.
However, if you check "Remember my password" check-box it will still display the login dialog, but the user name and password will be already filled-in, so you just click "OK".
Here are some options to consider if you need to totally suppress login dialog with Microsoft Office:
Use NTLM or Kerberos authentication. In case of NTLM or Kerberos MS
Office asks for credentials only 1 time during first document access.
Implement Office Forms Based Authentication Protocol (MS-OFBA).
Implement Url-authentiation. Your urls will look like:
http://webdavserver.com/[SessionID1234567890]/path/file.docx.
In case of Url-authentiation make sure you do not include the session ID in query string, Microsoft Office will truncate it. You will have to put session ID somewhere in the path, as in the above example, which is not very convenient, when you need to mount a WebDAV folder in you file system, but still works in most cases.
Possible duplicate here Stackoverflow
I solved that problem in the same manner.

IIS 7 Windows authentication with default app pool setup problems

I have IIS 7.5 site:
Authentication = Windows Aythentication enabled
Application Pool = DefaultAppPool
DefaultAppPool Identity = ApplicationPoolIdentity
Load User Profile = True
On the filesystem,
DefaultAppPool has Read and Execute privileges to the entire site.
Also added a security group with Read and Execute privileges to the entire site.
With these settings, only users in the security group are able to access the site. All others get a AD login window, which has no affect. I'm not understanding this behaviour.
From research, it looks like I don't need to add the DefaultAppPool to the filesystem, if users are only executing, but still doesn't explain why they get the login challenge.
I'm also unclear if i need to set the AuthenticatedUserOverride (in Config Editor) from UseAuthenticatedUser to UseWorkerProcessUser if i want to use the filesystem security of DefaultAppPool. When i set this, i get an access error, not even the login challenge.
Note: site is not in the Default Web Site, but on a specific port number.
I'm unclear why i seem to need users listed in an ACL rather than using the generic DefaultAppPool.
Windows authentication determines how you determine who is who. Impersonation means which user account the security context runs under. Because you are loading the user profile, the context is taking on the AD user's security. Your DefaultAppPool identity is now out of the picture which is why you need ACL's on your files / folder.
Users will continue to receive the login prompt who are not cleared at the ACL level because IIS doesn't know what to do until an account that can access the files is provided. Watch in fiddler and you'll continue to see challenge messages from the server.

Start process as <interactive> to use NTLM token

I want to build a small application similar to Run As (Windows native) and DropMyRights.
A simple form with a text box which will hold the path to the program that i want to run, and a dropdown to select the account to impersonate (<system>, <interactive>, or "user NameLastname") when starting the child process.
Just in case this is not enough reason to point me to the right direction, here goes the answer to "why would you want to do that?"
I noticed that some of my applications, like Google Calendar Sync, Google Drive Sync and Chrome autoupdater (not chrome.exe), when run as <system> can't pass through the proxy (ISA/TMG).
I do not have access to the server config settings, so i have to do this client-side.
The goal is to have the child process running as <interactive>, and use the NTLM token.
How can i pass CredentialCache.DefaultCredentials or CredentialCache.DefaultNetworkCredentials to the process?
I can't pass username/password/domain because we authenticate on the domain using smartcard logon.
That means i don't even know my Active Directory password.
Answering questions:
It isn't clear what you mean by <system> and <interactive>. Please be
more specific. Do you mean you want to launch processes in your logon
session but have them run as SYSTEM? – Harry Johnston
By interactive i mean the logged on user credentials. Could be local, but in my case i need the domain credentials.
To be even more specific, i want to use the token already generated by the proxy.
I do not want to launch processes as system.
I want system processes to connect to the internet using my (already provided and approved by ISA/TMG) credentials.
More info about this here: What is Interactive Logon?
Hmmm. The Chrome updater isn't a normal application, it's a system
service. Are you trying to run system services in the logged on user's
context? – Harry Johnston
That's right. Exactly what i want to do.
But, Google Updater does not appear on the services list.
It's a scheduled task.
And changing the task to be executed with my credentials doesn't work. Still can not bypass the proxy.

Integrated Authentication on Webserver - Security?

We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be setup for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Is there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate an user with a script that looks up the user in LDAP. You need to know that the user is who it claims it is, and the only way to do that is to let NTLM/Kerberos authenticate the user (ie. establish proof that the user knows a secret stored in the AD, the password).
The URL of the web site to the set of sites considered be in the local intranet zone for IE browsers running on the internal network. By default sites consider to local intranet will be sent the current logged on users credentials when challanged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.