In VB.Net, I'm trying to connect to WMI on my local computer with different credentials (the user won't have admin rights) and I get this exception:
« User credentials cannot be used for local connections »
Here's the code:
Imports System.Management

' Build the WMI namespace path; vServerName is the target machine name
Dim path As New ManagementPath("\\" & vServerName & "\root\CIMV2")
' Explicit credentials for the connection
Dim options As New ConnectionOptions()
options.Username = vUsername
options.Password = vPassword
Dim scope As New ManagementScope(path, options)
scope.Connect()
I know this question is old, but I tried the above steps and it didn't work. What I found to work was this:
https://web.archive.org/web/20150213044821/http://www.manageengine.com/network-monitoring/help/troubleshoot_opmanager/troubleshoot_wmi.html
80041064 - User credentials cannot be used for local connections
Cause
This error is encountered when you specify the Username and password for monitoring the machine where OpManager is running.
Solution
Do not specify Username and password for the localhost. To resolve the issue, remove the configured user name and password from "Passwords" link in the device snapshot page.
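The practical consequence of the 80041064 cause above is that the credentials must be passed only when the target is a remote machine. The following Python helper, added here as an illustration and not code from the question or from ManageEngine, decides whether a management path such as \\SERVER\root\CIMV2 points at the local machine and builds the connection fields (mirroring the Username/Password members of ConnectionOptions in the question) accordingly; the function names and the local_names parameter are assumptions for the example.

```python
import socket

# Names Windows accepts as "this machine" in a WMI/management path.
LOCAL_ALIASES = {".", "localhost", "127.0.0.1", "::1"}


def normalize_target(target):
    """Strip a UNC prefix and any trailing namespace from a target like '\\\\SERVER\\root\\CIMV2'."""
    host = target.strip().lstrip("\\")
    host = host.split("\\", 1)[0]
    return host.lower()


def is_local_target(target, local_names=None):
    """True if 'target' refers to the machine this code runs on.

    'local_names' lets a caller supply the machine's own name(s); by default the
    hostname reported by the OS is used.
    """
    names = {n.lower() for n in (local_names or [socket.gethostname()])}
    host = normalize_target(target)
    return host in LOCAL_ALIASES or host in names


def connection_options(target, username, password, local_names=None):
    """Build connection fields: credentials only for remote hosts.

    WMI rejects explicit credentials on a local connection with 0x80041064
    ("User credentials cannot be used for local connections"), so for a local
    target the returned fields deliberately carry no Username/Password.
    """
    if is_local_target(target, local_names):
        return {"Path": r"\\.\root\CIMV2"}
    host = normalize_target(target)
    return {
        "Path": "\\\\%s\\root\\CIMV2" % host,
        "Username": username,
        "Password": password,
    }


if __name__ == "__main__":
    # Constructed sample targets; "MYPC" stands in for the machine's own name.
    for target in ("localhost", r"\\MYPC\root\CIMV2", r"\\FILESRV01\root\CIMV2"):
        print(target, "->", connection_options(target, "svc-monitor", "s3cret", ["MYPC"]))
```

The same decision can be made in the VB.Net code: construct ConnectionOptions with Username/Password only when the target is remote, and leave them unset (the connecting user's own identity is then used) for the local machine. In Python the third-party wmi module's WMI(computer=..., user=..., password=...) constructor would consume these fields.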
You don't have access to some wmi instances when a user without administrator privileges is currently logged in. (This is only applied to Local WMI connections)
MSDN reference on the topic
It's pretty lame! But if you can run your application as a user which is a member of the administrators group, then your problem should be solved.
Added note:
If you write a windows service with **local system** user, then you'll have full access to all wmi classes.
note: I've tried to grant my limited user the proper permissions to access the desired wmi actions, but it seems it doesn't work that way. In this case, you'll have to set the permissions in these 3 places:
Start->Run->dcomcnfg->Component Services->Computers->My Computer->Properties->COM Security tab
Start->Run->dcomcnfg->Component Services->Computers->My Computer->DCOM Config->Windows Management and Instrumentation->Properties->Security tab
Start->Run->wmimgmt.msc->WMI Control (Local)->Properties->Root (just highlight)->Security tab
Enter the wmic prompt by typing wmic and then pressing Enter. Then type:
/user:""
This will null the user it's trying to run the commands as. You might have to do something similar with password, I dunno.
I am writing a .NET console application; our goal is to put a message on the queue and read the message. The message header should contain the user name and password. I tried to send the message with the code below, but it is not working.
using System.Collections;
using IBM.WMQ;

// Connection properties for the client (TCP) transport
Hashtable hashTable = new Hashtable();
hashTable.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);
hashTable.Add(MQC.HOST_NAME_PROPERTY, strServerName);
hashTable.Add(MQC.CHANNEL_PROPERTY, strChannelName);
hashTable.Add(MQC.PORT_PROPERTY, 1414);
// Credentials sent in the MQCSP structure
hashTable.Add(MQC.USER_ID_PROPERTY, "XXXXXX");
hashTable.Add(MQC.PASSWORD_PROPERTY, "XXXXXX");
hashTable.Add(MQC.USE_MQCSP_AUTHENTICATION_PROPERTY, true);

MQQueueManager queueManager = new MQQueueManager(strQueueManagerName, hashTable);
MQQueue queue = queueManager.AccessQueue(requestQueue, MQC.MQOO_OUTPUT + MQC.MQOO_FAIL_IF_QUIESCING);

// Build the request message; the reply is correlated by message id
MQMessage requestMessage = new MQMessage();
requestMessage.WriteString(StrAPICMessage);
requestMessage.Format = MQC.MQFMT_STRING;
requestMessage.MessageType = MQC.MQMT_REQUEST;
requestMessage.Report = MQC.MQRO_COPY_MSG_ID_TO_CORREL_ID;
requestMessage.ReplyToQueueName = responseQueue;
requestMessage.ReplyToQueueManagerName = strQueueManagerName;

MQPutMessageOptions queuePutMessageOptions = new MQPutMessageOptions();
queue.Put(requestMessage, queuePutMessageOptions);
In the Message Descriptor it is taking the default value from the MQ server; it is not taking my user name "XXXXX".
I have also tried using the CICS bridge header, but I am still unable to send the message with my application's service account and password.
Please help me with this scenario.
See "MQCSP authentication mode" here: https://www.ibm.com/docs/en/ibm-mq/latest?topic=authentication-connection-java-client
It says:
In this mode, the client-side user ID is sent as well as the user ID and password to be authenticated, so you are able to use ADOPTCTX(NO). The user ID and password are available to a server-connection security exit in the MQCSP structure that is provided in the MQCXP structure.
"client-side user ID" means the UserId that the application is running under. Therefore, if you are authenticating with a different UserId than the one that the application is running under, you (or your MQAdmin) will need to change ADOPTCTX to YES.
Your program works fine for me, when I fill in the correct values for my qmgr connection.
Except for one change I made: instead of TRANSPORT_MQSERIES_CLIENT I used TRANSPORT_MQSERIES_MANAGED. That keeps everything in the managed .Net space.
Without that change, I was actually getting MQRC_UNSUPPORTED_FUNCTION during the connection which typically means either some kind of mismatch between versions of interfaces, or it couldn't find the C dll that underpins the unmanaged environment. And I wasn't going to take time to dig into that further.
Running amqsbcg against the output queue, I see
UserIdentifier : 'mqguest '
which is the id I had set in the USER_ID_PROPERTY.
I set up an ApacheDS with the default password policy enabled. For testing purposes I locked a simple user (objectClass=Person extended with some custom user objectClass) by entering the wrong credentials a number of times. As I expected, the user was locked (error msg: user was permanently locked).
The question now is: how do I unlock the user again? Is there a better way than just deleting and adding it again?
I tried the same with an extended user (objectClass=pwdPolicy) but no pwd* attributes were added when the user was locked.
More recently, I encountered the same problem at work. But it seems that there is no answer on the Internet. Finally, I found the answer by viewing this document:
Password Policy for LDAP Directories draft-behera-ldap-password-policy
At section 5.3.3: pwdAccountLockedTime
This attribute holds the time that the user's account was locked. A locked account means that the password may no longer be used to authenticate. A 000001010000Z value means that the account has been locked permanently, and that only a password administrator can unlock the account.
At section 5.2.12: pwdLockoutDuration
This attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0, the password cannot be used to authenticate until reset by a password administrator.
From the above two sections, we can infer that we should connect to the ApacheDS server as the administrator (by default: uid=admin,ou=system, password=secret) and delete the user's userPassword attribute. This way, the permanently locked user can be unlocked.
I practiced this solution and it works well.
I suggest you set a value for the pwdLockoutDuration attribute; in that case the user cannot be permanently locked.
For more information:
ApacheDS password Policy
Use ApacheDS Studio and log in as admin, find the user, right-click and choose "Fetch->Fetch operational attributes". Now pwdAccountLockedTime is visible and you can delete it to unlock the user.
Mister's answer is perfect for unlocking an account, and also if you want to set the pwdLockoutDuration for a single user (assuming the user has implemented the objectClass pwdPolicy).
There is also a global config file found in:
ou=config
* ads-directoryServiceId=<default>
* ou=interceptors
* ads-interceptorId=authenticationInterceptor
* ou=passwordPolicies
Here we can set the default password policy:
As mine is just a test-server, I have completely disabled lockout via setting the ads-pwdlockout to FALSE. For more on configuring password policy read the official docs.
For reference, this is how you enable this on the server via Java:
import org.apache.directory.server.core.authn.AuthenticationInterceptor;
// The ppolicy package name differs between ApacheDS releases; adjust to the version in use
import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyConfiguration;

AuthenticationInterceptor authenticationInterceptor = new AuthenticationInterceptor();
PasswordPolicyConfiguration config = new PasswordPolicyConfiguration();
config.setPwdLockout(true);
authenticationInterceptor.setPwdPolicies(config);
Client methods can then be written, to enable/disable specific accounts, similar to:
import java.io.UnsupportedEncodingException;
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.entry.ModificationOperation;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnection;

// An already bound connection (as the admin user) is assumed here
private LdapConnection connection;

// Lock the account permanently: 000001010000Z is the "locked until reset" marker
public void disableUser(String dn) throws LdapException, UnsupportedEncodingException
{
    Modification lockAccount = new DefaultModification(
        ModificationOperation.REPLACE_ATTRIBUTE, "pwdAccountLockedTime", "000001010000Z");
    connection.modify(dn, lockAccount);
}

// Unlock the account by removing the operational attribute
public void enableUser(String dn) throws LdapException, UnsupportedEncodingException
{
    Modification unlockAccount = new DefaultModification(
        ModificationOperation.REMOVE_ATTRIBUTE, "pwdAccountLockedTime");
    connection.modify(dn, unlockAccount);
}
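The answers above rely on two facts from draft-behera: pwdAccountLockedTime set to 000001010000Z (or a lock with no pwdLockoutDuration) stays until an administrator clears it, and otherwise the lock expires pwdLockoutDuration seconds after the lock time. The Python example below, added here and not taken from the thread or from ApacheDS, evaluates those rules against constructed operational attributes and emits the LDIF change record equivalent to Mister's "delete pwdAccountLockedTime" step and the Java enableUser() method. Function names, the policy dictionary and the sample values are assumptions for the example; it also handles the 12- and 14-digit GeneralizedTime forms, which the draft allows but the thread does not discuss.

```python
from datetime import datetime, timedelta, timezone

# draft-behera section 5.3.3: this pwdAccountLockedTime value marks a permanent lock.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime (YYYYMMDDHHMM[SS][.fff]Z) into an aware UTC datetime."""
    body = value.rstrip("Z").split(".", 1)[0]
    fmt = "%Y%m%d%H%M%S" if len(body) == 14 else "%Y%m%d%H%M"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def lockout_state(user, policy, now):
    """Classify a user's lock status from pwdAccountLockedTime and the policy's pwdLockoutDuration.

    Returns 'unlocked', 'locked' (will expire on its own), 'lock-expired'
    (binds work again) or 'locked-until-reset' (only a password administrator
    can clear it). 'user' and 'policy' are dicts of attribute name -> value.
    """
    locked_at = user.get("pwdAccountLockedTime")
    if locked_at is None:
        return "unlocked"
    if locked_at == PERMANENT_LOCK:
        return "locked-until-reset"
    # Section 5.2.12: absent or 0 means locked until reset by an administrator
    duration = int(policy.get("pwdLockoutDuration", 0))
    if duration == 0:
        return "locked-until-reset"
    expires = parse_generalized_time(locked_at) + timedelta(seconds=duration)
    return "lock-expired" if now >= expires else "locked"


def unlock_ldif(dn):
    """LDIF change record that removes pwdAccountLockedTime (the manual unlock step)."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n-\n"


if __name__ == "__main__":
    # Constructed sample: operational attributes as ApacheDS would return them.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    user = {"pwdAccountLockedTime": "20240101113000Z"}
    for duration in (None, 900, 3600):
        policy = {} if duration is None else {"pwdLockoutDuration": duration}
        print("pwdLockoutDuration =", duration, "->", lockout_state(user, policy, now))
    print(lockout_state({"pwdAccountLockedTime": PERMANENT_LOCK}, {}, now))
    print(unlock_ldif("uid=jdoe,ou=users,dc=example,dc=com"))
```

The LDIF returned by unlock_ldif() can be fed to ldapmodify bound as uid=admin,ou=system; it removes only the lock marker and, unlike deleting userPassword, leaves the user's credential in place.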
I am not looking for a solution that involves the user, a token generated, and emailing in order to reset a user's password.
The scenario is a user contacts the admins and asks them to reset their password (internal organization web app). They are then told what that new temporary password is so they can log in and change it.
I see no function that lets me do the above. My attempt:
string passwordToken = await UM.GeneratePasswordResetTokenAsync(user.Id);
IdentityResult res = await UM.ResetPasswordAsync(user.Id, passwordToken, "newPassword##!$%");
UM is UserManager.
I get the error "No IUserTokenProvider is registered". I think GeneratePasswordResetToken is the one causing the error. If so, why?
How do I properly do what I need?
Use the combination of RemovePasswordAsync and AddPasswordAsync
// Both calls are asynchronous; await them so the add runs after the remove completes
IdentityResult removed = await UserManager.RemovePasswordAsync(user.Id);
IdentityResult added = await UserManager.AddPasswordAsync(user.Id, tempPassword);
I am trying to find a solution which will allow me to change a user's password from our Central User Administration (CUA) system where the user's access and password is on the child system.
I tried to use BAPI_USER_CHANGE with a destination call, but it doesn't suit my case
(we locked the change password function in the child systems). This is my code with the destination call:
CALL FUNCTION 'BAPI_USER_CHANGE'
  DESTINATION 'CLNT_500'
  EXPORTING
    username  = p_bname
    password  = wa_password
    passwordx = wa_passwordx
  TABLES
    return    = it_return.
Any suggestions welcome.
We tried to do something similar a while ago, and we ended up doing it in two steps:
BAPI_USER_CHANGE sets an initial password for the user
SUSR_USER_CHANGE_PASSWORD_RFC sets a productive password. It needs the old password as a parameter, that's why we needed to call BAPI_USER_CHANGE first.
I am developing a website which will authenticate the user and change the old password to a new password.
I am using a WinNT connection string, and setting the password without the old password check works.
My code is as below:
Imports System.DirectoryServices

'actual setting password
Dim entryD As New DirectoryEntry("WinNT://" + Environment.MachineName + ",computer")
Dim NewUser As DirectoryEntry = entryD.Children.Find(username, "user")
Dim nativeobject As Object = NewUser.NativeObject
' SetPassword replaces the password without verifying the old one
NewUser.Invoke("SetPassword", New Object() {strPassNew})
NewUser.CommitChanges()
'setting password ends
This works fine, but the authentication code is not working.
It is as below:
'authentication starts
Dim authent As Boolean = False
Dim adsiPath As String = String.Format("WinNT://{0}/{1},user", domain, username)
' Binding with the supplied credentials is what checks the old password
Dim userEntry As New DirectoryEntry(adsiPath, username, password, AuthenticationTypes.Secure)
'Dim nativeobject1 As Object = userEntry.NativeObject
' Accessing NativeObject forces the bind; a bad password throws here
Dim newobj As ActiveDs.IADsUser = CType(userEntry.NativeObject, ActiveDs.IADsUser)
authent = True
'authentication ends
This authenticates, but the exception it throws is:
logon failure: unknown username or bad password
the first time, but if I do it again the error is:
"Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again."
Which I don't want to happen... I don't want to use LDAP; I want a solution, please, to authenticate the old password. Please help?
I had this error in my code where the requirement was to add domain users to the local admin group of a system. While testing the code, after the first try I used to get the "Multiple connections to a server ..." error, and then if I tried the code later (an hour or so) it worked fine. After searching through various forums I came to know that we can see the users logged on to a computer using
NET SESSION /LIST
in cmd on the remote system, and it appears that when we use the WinNT provider it actually creates a user session with an idle timeout on the remote computer (there can be a situation where other programs are creating sessions), which conflicts with the connection when you try a second time. So I tried deleting the previous session with
NET SESSION \\RequestingComputerName /DELETE
and then I didn't get the error. If that doesn't solve the problem then the last resort is to restart the system.