Windows Credential provider - password expired while desktop locked - c

I'm working on a credential provider and got stuck with the following issue:
When the desktop is locked on a terminal server and the password expires, the CP can't seem to change the password.
I can detect that the password must be changed in ReportResult(), then open a dialog asking for the new password and pack a KERB_CHANGEPASSWORD_REQUEST to hand over in GetSerialization(). This works when the user logs on initially (CPUS_LOGON).
But in CPUS_UNLOCK_WORKSTATION (when the user is already logged in) I get the same ntsStatus (which is 0xC0000224) again in ReportResult() after handing over the KERB_CHANGEPASSWORD_REQUEST.
So I wonder if anybody knows what the difference is between those two scenarios - is LogonUI expecting a package other than KERB_CHANGEPASSWORD_REQUEST?
I also tried setting the GetSerializationResponse "status" from CPGSR_RETURN_CREDENTIAL_FINISHED to CPGSR_NO_CREDENTIAL_FINISHED (in the technical reference it's said to be the indicator that a password change completed, but that's probably for CPUS_CHANGE_PASSWORD).
The setup I'm testing this on is a Win2012 R2 terminal server with a Win2016 DC.
I'd be grateful for any help, thanks!

Why can't I re-authenticate (MFA with mssql extension for VS Code)?

Here's an example of a connection configuration that has stopped working (it's for connecting to an Azure managed database):
{
    "server": "sqldb.12345abcde.database.windows.net",
    "database": "sqldb01",
    "authenticationType": "AzureMFA",
    "profileName": "sqldb01",
    "azureAccountToken": "",
    "expiresOn": 1648022420,
    "email": "benmcf@work.com",
    "accountId": "aaaaaaaa-0000-bbbb-1111-cccccc222222"
}
When I try to connect, VS Code displays a dialog saying mssql: Credential Error: Account credentials have expired. Please re-authenticate. and another saying mssql: undefined:
After clicking the refresh credentials button, the linked page fails to resolve in my browser, showing ERR_CONNECTION_REFUSED:
When I reinstall the plugin, remove my connection definitions from settings.json and attempt to create a new connection, the browser page resolves correctly and allows me to authenticate, but it has no effect in VS Code.
I'm able to use the same connection details in Azure Data Studio to connect successfully.
I had the same/similar problem and found 2 possible issues in my case. I went into Windows Credential Manager and Removed the aad-iv and aad-key credentials, as well as all the others that did not say Modified: Today (presumably overkill).
When I then tried again in VSCode, I received an error but was able to proceed by it giving me a chance to enter credentials. In my case, it then failed to connect with an option to automatically add a firewall rule... and then everything worked.
I'm not sure if it wasn't smart enough to figure out how to refresh credentials OR if it was trying to but something with the firewall rule came into the picture and disrupted it.
After this, I noticed Windows Credential Manager had aad-iv and aad-key credentials added back. So... I would try removing just those 2 and see what happens.
I resolved this by deleting the contents of this folder (Mac): ~/Library/Application Support/vscode-mssql/AAD.
I believe the equivalent on Windows would be something like C:\Users\{username}\AppData\Roaming\vscode-mssql\Azure Accounts.
I did the same as benmcf. However, I also deleted the AAD folder:
C:\Users\{user}\AppData\Roaming\vscode-mssql\AAD
After it, I uninstalled the MSSQL extension and installed again. Then it worked.

Notes Federated Login not downloading in memory ID file - Entry not found in index

We have set up Notes federated login to provide single sign-on for Notes clients from Active Directory, and there seems to be a problem when getting the "in memory" ID file from the Vault.
Here is the scenario:
1. User starts Notes (tried both v9 and v10) for the first time.
2. User enters the password in the login screen for the local ID file.
3. A message prompt appears: "ID file is now downloaded for Notes Federated Login".
4. User clicks "OK" and a new message shows up: "Server Error - Entry not in index".
5. User clicks "OK" and then the password prompt for the local ID file is displayed.
So, in short, there seems to be a problem when downloading from the Vault, but the error message does not really say much.
We have enabled all the client debug options and checked the server logs but nothing really tells us what is wrong.
All we get is this:
An issue that failed to authenticate was reported from the server / domain server: Entry not in index
Id-file is already in use and can't be changed
I can't diagnose the issue from reading your problem description. I suggest you open a support ticket with the steps to reproduce. ERR_NOT_FOUND (not found in index) is a very common return value in Domino, often even being benign. But in the benign cases it is handled by the calling code.
So it's hard to know what method/function threw the error or what the stack was at the time. Hence the advice to open a support ticket.

500 internal server error in SharePoint

I'm getting a '500 internal server error' while trying to access any web application other than the central administrator page. This problem arose suddenly one day when I tried opening it. No password change has been made on the server side, and I have verified that all the application pools are in the started state. I have checked by creating a new web application, and the same issue still occurs. I have also tried changing the identity of the specific web application from IIS, but it doesn't work. I was not able to set the user name and password for the identity in the advanced settings of SecurityTokenServiceApplicationPoolService in the application pool, as it says 'invalid credentials'. Please help me to solve this issue. SharePoint is installed on SQLServer 2008R2. When I checked the Event Viewer I found two warnings and two errors: the two errors say claims Authentication(8306) and the warnings say configuration(8059). (I know this question has been asked in the SharePoint community, but the answers don't solve my issue, so I'm asking it here.)

CloudSQL suddenly changes root password

So just recently I started using CloudSQL with an AppEngine instance. I got it working fine. The only thing it did was have one call that stored stuff in a table and one that outputted the content of the table.
All of a sudden, when I accessed the page that should output the content of the table, it said:
Sorry, unexpected error: (1045, "Access denied for user 'root'@'localhost' (using password: NO)")
I couldn't understand what I did wrong, so what I did was to log in, change the password for root@localhost to empty (as it can only be accessed from the GAE anyway) and it started working again, so of course I thought it was my mistake.
The same thing is happening over and over again, which makes it impossible to do anything. I set the password for root@localhost to empty, it works, then after a while it stops working.
The AppEngine Instance is in the same project as the CloudSQL DB and I connect to it over a unix socket (using Python, exactly as the example code does). And it works for a while but for some reason stops working after a while.
What am I doing wrong or is it just buggy?
Thanks!
Make sure you run FLUSH PRIVILEGES after you change the password.

Cannot login to Oracle Enterprise Manager Express

I have downloaded Oracle Developer Days Database 12c virtualbox image. I can boot it and access the desktop. When I try to log in to Enterprise Manager (EM) Express using the URL http://127.0.0.1:8888/em I am asked to install Adobe Flash. I install it and get to the login screen.
If I try to login as SYSTEM I get the following error:
But when I try to log in as user SYS I get a strange error: Security token does not match. You must login again..
To me it looks like the credentials for SYS are OK, but there is something wrong with the user in the database. Is this correct and if so how can I fix it? Or is EM Express just not setup on the image?
This document from Oracle's Metalink solves it. The solution contains 3 steps:
1. Make sure that XDB_WALLET is recreated successfully.
2. Make sure XDB is installed successfully and the appropriate roles, EM_EXPRESS_BASIC/ALL is applied.
3. Use IE 11.0.9600.16476 with compatibility view.
Mark Stewart's answer covers step 2.
The first two steps are not strictly necessary. It looks like they have already been applied to the image in my case. All I had to do was use a different browser. Opera, Chrome, and IE all worked, but Firefox didn't.
The fact that Oracle installs a browser that doesn't work with EM Express and that Adobe Flash is not installed when it's required is very strange.
Set up a personal user ID, grant DBA to it, and try granting EM_EXPRESS_ALL role to your user ID.
After making sure that a desired account has EM_EXPRESS_ALL granted I just accessed Enterprise Manager using New Private Window in Firefox.
In Microsoft Edge, no problem accessing Oracle 12c EM
In Microsoft IE 11, no problem accessing Oracle 12c EM
In Firefox : Security Token does not match
Found a solution for Firefox on "Is there a way to make Firefox ignore invalid ssl-certificates?":
Go to Tools > Options > Advanced "Tab"(?) > Encryption Tab
Click the "Validation" button, and uncheck the checkbox for checking validity
Be advised though that this is pretty unsecure as it leaves you wide open to accept any invalid certificate. I'd only do this if using the browser on an Intranet where the validity of the cert isn't a concern to you, or you aren't concerned in general.
I faced this because of the cookie data stored by Adobe Flash. Browsing on Private mode or Incognito did not help. Here are the steps to remove the stored data and start using EM on Chrome:
Go to Settings>Advanced>Content Settings>Cookies
Choose See all cookies and site data
In the cookies search box, key in the hostname used to access EM. I run EM on my localhost and hence filtered by localhost:
You can see Flash data being listed
Click on the item to expand and delete the item related to EM:
The same error still exists in 2019 on EM with Chrome Version 76.0.3809.87. My solution is to add EM URL to the "Allow" section in the Cookies section.
Use Internet Explorer to log in to EM.
The other browsers are not compatible with Enterprise Manager.
