So I have my little Sharepoint single server farm all setup and everything was running pretty smoothly until I noticed this happening last week:
Every time someone logs in, they get logged in as "System Account" instead of "Domain\User"
I've done some extensive searching on here and Google, but the only solution that I came up with was that it was an App Pool Identity problem
Any suggestions?
**
EDIT:
**
I just wanted to say for the sake of anyone Googling this that here is how I fixed it:
In the Administration Page, navigate your way to Farm Credentials.
From there look at your Farm Account in the drop down menu, and make sure that user is set to a profile with enough privileges. Mine was set to NT\AUTHORITY or SYSTEM\NETWORK (I can't remember which; I've since stopped working with Sharepoint) and I changed it to DOMAIN\USER.
After restarting Sharepoint and IIS everything worked and all the users were logging it with DOMAIN\USER instead of "System Account"
Sounds like you are on the right track. I would first check application pool security account. Is it possible that you selected a domain group that contains all of your users?
Also, after actions that Rich Bennema provide, maybe need to perform issreset to applay changes.
Related
I am trying to implement a hardware busy light to show my Microsoft Teams presence so that my family to not enter the room I have the office while I am in a meeting. I am looking to implement something similar to:
https://www.eliostruyf.com/diy-building-busy-light-show-microsoft-teams-presence
https://blog.jongallant.com/2014/12/beakn-v0-1-diy-lync-status-light/ (older acticle - similar idea).
The only problem I have with this setup is that I cannot get the MS Teams status.
The best way to go is by using MS Graph Presence API but my problem is that this is a company account and I don't have (and there is no way I could have) and app in the main subscription granted with the required scope: Presence.Read.
So I tried different ideas but none worked in the end:
check local running processes
check if MS Teams exposes any local API
check if there is a CLI available
This seems a simple idea, I mean, I see the status right there now while I am typing this message, I could as well do an app that gets a screenshot of the taskbar and extract the status from the icon, but is that really the only option I have?
I think I found something interesting for you.
Go to
C:\Users\user\AppData\Roaming\Microsoft\Teams
you'll find a file called logs.txt
In this file you see if your current state changed
(current state: Available -> DoNotDisturb)
I would write a script with php or VB (depends on your skills) that read that logs.txt file like every minute and check for the last "current state" line.
What those posts are doing (certainly the first one, I didn't check the 2nd one) is calling the Microsoft Graph, which has a "presence" endpoint to get a user's status. There's actually even a specific "/me" endpoint, to get your own personal preference (less access rights needed). See more about this here: https://learn.microsoft.com/en-us/graph/api/presence-get?view=graph-rest-1.0&tabs=http
In order for this to work, as you've mentioned, you do need to have an Azure AD App registration. However, importantly, this will only require "delegated" permission (i.e. only permission from the single user, you, to access just data for that single user, you). As a result, you can use "delegated" and not "Application" permissions, which means that it does -not- require Admin consent for the tenant.
It -does- require and Azure Add Application though, at the risk of stating the obvious. While you don't have tenant admin rights, you need to see if you have Azure rights, just to create an application (you might have this anyway as a developer in your org). If you don't even have this, you can sign up for an M365 Developer account, and use that tenant. Importantly - the application does't have to be in the same tenant. If it's not, it's just a simple multi-tenant app, like any 3rd party Azure AD-backed application is.
I authorized the group of a user to the cockpit-application. I gave the group full access to the Process Definition and Process Instance authorizations. (so pretty much as described in the documentation)
When I try to log the user in, I see the Welcome screen and in the application overview the option to navigate to the cockpit-application.
However, when I click this, I get the Login screen again.
For a fraction of a second I see the cockpit application, but then it immidiatly redirects to the login page. When I try to log in again, it keeps redirecting me to this login screen.
I configured another group to use the Tasklist application and that is working as expected.
I tried to give the authorization on user-level instead of group-level but the same problems occurs.
(n.b.: I am using the Spring-Camunda-Starter for this application.)
I found the problem, I accidentally removed one of the authorizations the system automatically creates when the user is created. I think I might have removed this, as I thought it was not necessary.
It is in the User Authorizations, every user has an authorization from it's own user to that user. When I added this, it fixed the problem.
I found the solution when another user logged in and had no problems. And the found this to be the only difference between the two accounts.
Hopefully this will help someone in the future!
I wrote an app script which provides a web UI for data entry into a team calendar. I published it using G-Suite super admin account and added it as Trusted App under Security/API Permissions. "Trust domain owned apps" is checked under "Internal App Settings".
When a G-Suite user in our organization tries to access the app, he sees
"The developer of ShiftSchedulingApp, admin#_our_organization_.org, needs your permission to access your data on Google."
Those brave enough to click "Review Permissions" are taken to the next message:
"ShiftSchedulingApp wants to access your Google Account. See, edit, share, and permanently delete all the calendars you can access using Google Calendar"
Of course nobody wants to risk losing all the calendars on their Google Account and this is where it ends.
How do I get rid of this misleading message? It's not Google account, it's their organization account on G-Suite. It's not all their calendars, it's the shared team calendar only. It's adding data, not permanently deleting calendars. It's published by their administrator in their G-Suite, not an unknown 3rd party.
I spent days trying to make this message go away but no luck. App must be executed as an accessing user and not as publishing user because their user ID determines what shifts they can fill on a calendar.
I'd appreciate any hints pointing me the right direction.
I experimented with variations of the two-app approach as suggested.
The app which provides the UI needs to read the calendar to display available shifts - so I can't get away from the user authorization prompt.
Another variation I tried was having one app do everything and run as me, and another do nothing but return Session.getActiveUser(). I tried calling the 2nd one from the 1st one on the client side via XMLHttpRequest. It would be ideal for my needs - but I hit CORS error as apps URL is script.google.com but it actually gets redirected to script.googleusercontent.com. There doesn't seem to be a way to set CORS in Google App Script.
Although I was not able to find a way to avoid prompting users for authorization when executing the app as accessing user, it turns out my reasons for doing that were based on a false premise.
I chose to publish app as accessing user because I thought that's the only way to get accessing user Id - which is true for non-G Suite accounts.
However, when app is published by a G Suite account, the app can get accessing user ids within the same G Suite domain even when it's set to execute as publishing user.
Thanks Niek and TheMaster for your help!
If you just need user ID, why do you ask for all those permissions?
Possible Solutions:
2 web-apps- One running as you and another as user accessing (with only profile) permission. The second one will be the actual web interface and POST necessary information to the first one with privileges. OR
Implement your own web-app Google-sign in1
Use the least permissive2 scope3
I'm horrible at security so I was curious if you guys had any ideas. I recently wrote an application in Python that I will be selling to select people. The information on the application is private (not incredibly so, I just need a minimal solution). How could I have a user login to the application (from a MySQL database), then have the program check is someone is logged in already under those credentials. Here is a basic flow:
User opens the EXE (cx_freezed python file)
Program asks user for their login (from a MySQL database)
Program checks if someone is already logged in using that info
If someone is logged in, don't let them log in. If someone isn't, log them in.
I have absolutely no idea where to start with this, any suggestions/directions to point me?
Don't be a Dave and roll your own security system. Use an existing one if you can
This shouldn't have anything to do with your database. If you happen to persist session info to the db, that's fine, but your session-management should be in-memory
Basically you should have a list of authenticated users in memory somewhere in application state. if authenticatedSessions.get($username) != null then deny
Concurrent Session Control is a PITA for users. Example: You login just before leaving work, then get in your car, try to login from your mobile, and now you can't. Consider allowing 2 concurrent sessions, or keep the timeout short
Spring Security (Java) has this feature. It's open source so you could "gain inspiration" it: http://docs.spring.io/autorepo/docs/spring-security/current/reference/htmlsingle/#ns-concurrent-sessions
I'm always told I write "biblical length" emails, but hey, I'm trying to characterize the situation the best I can for ya.
I created my sandbox. The Business account was auto created. I created a Personal account.
I successfully paid to the Business account with the Personal account with my Buy-now setup and my IPN works correctly (after changing the fsockopen to use SSL, changing \n to \r\n, etc). No problems with the "front side" of all the account business.
Part of the "Backend" needs are to transfer some of the Business account money to another account after 3 days (my Business account is a middle-man).
I switched from Firefox to Chrome. I had done all the account setups in FF, so I didn't want to try to have two logins running under one browser, sandbox or not.
I tried to login as the Business account and it failed and ended up in the "make sure your email and password are correct" loop.
I tried to login with the Personal account (the one which successfully paid into the Business account via the application). Same error.
I tried changing the password on the original Business account, flushed cache/cookies, still cannot login. There should not be any password errors because the accounts have the same password!!! I cannot use the "forgot my password" logic to see what it thinks my password is, because the email is fake and it won't get sent anywhere.
I created a second Business account, and I tried to login and it logged in correctly and showed my balance correctly. I logged out and tried the other two accounts, but the only one that ever logs in is the second Business account.
I could solve the issue by changing the target of my front side Business transfers to the second Business account, because I know I can log into that one, but that would be condoning the fact that the system is flawed, and I'd rather push this issue to find out what is wrong.
I switched to IE (argh!)
I tried the original Business account. Failed.
I tried the Personal account. WORKED!!!!
I tried the second Business account. WORKED !!!! and I didn't have to flush cache or cookies. It still won't allow the original Business account, even with IE.
I don't have time to wait 2 hours (in case it's the "too many times" problem). There was nothing wrong with the account/passwords in the first place, and since I'd never tried logging in with any of the accounts directly before, there was no history of failed transactions.
I switched to Safari.
Once again, original Business account fails, but the other two accounts work correctly!!!!
I switched back to Chrome.
Again, original Business account fails, but the other two accounts work correctly!!!!
So, it appears once I have successfully used an account, it will work regardless of the browser, cookies or cache. IE, Chrome and Safari all work with two accounts but none of them work with the original Business account.
Finally, I tried changing the password again for the original Business account. Still doesn't work.
My suggestion is to add a button to the "test accounts" setup page, "LOGIN AS" and just let us automatically login as that user (after first successfully logging into the sandbox with our validated paypal account) and bypass the whole password thing, if you aren't going to get it to work.
2 things.
1) Apparently I should have used "Paypal" in the initial title, I had assumed the tool was already in a Paypal specific sub-forum (wrong) and I have added the word to the title. Sorry for the confusion.
2) To answer my own question ...
I tried to login to the orig. Business account first thing this morning and it worked. I tried to do a transfer and it wanted login validation and failed again and again. If your results do not prove out your premise, then there is probably something wrong with your original premise in the first place, right? So I went back to my original course of action, which was to switch from Firefox to Chrome when I went to login (because I didn't think someone would have you logging in as two different users within the same window). WRONG AGAIN. I logged in as Developer, but instead of going to a different window or browser, I logged in a second time by using the "Enter Sandbox" link, and was able to succesfully login with each of the accounts.
You have to be logged in as a developer in the top portion of the sandbox interface window, while you login as one of the Business or Personal accounts in the lower half of the test window or else it doesn't work. If that is the case, and I am now doing it as it was designed, then that would explain why it was failing when trying to login when using Chrome/Safari/IE, since I wasn't logged in as the Developer account in those browsers. Why it did occasionally PASS is crazy. Software should be consistent, if anything.