We are resetting the password of an Active Directory service account that is used on a server for:
Identity in Application Pool
Certificate Access Permission
Folder share access permissions
Windows Scheduler job permission
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog (Permissions)
Should we modify all of these places after the password reset?
No need to reset the password for the application pool. You can directly enter the application pool, but for accessing the sites present in the application pool using the identity you will need the new password that you have reset (indirectly we can say that for the application pool it auto-updates the password, so there is no need to separately change the password of the application pool).
Windows domain accounts are used as identities to run IIS App Pools. Whenever the password of a domain account is changed in the domain controller, the new password has to be updated individually in all associated App Pools for the web applications to run without any hindrance. With each domain account running numerous App Pools, changing all the passwords manually becomes tedious.
The same applies to Certificate Access Permission, Folder share access permissions and HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog (Permissions): we don't require a password change there.
It is different for Windows Scheduler job permissions; we need to change the password there, because in the back end the Windows Scheduler job is working with the old password, and all the scheduled jobs will fail. You need to update the password manually here.
For more information you can refer to this document.
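As an added example (not part of the answer above, and not a script from Microsoft), the following PowerShell shows the two places the answer says need manual updating after a domain account password reset: every IIS application pool whose identity is that specific user, and every scheduled task registered to run as it. The account name and the new password are assumed to be supplied by the caller; it must be run elevated on each affected server.

```powershell
# Added example: push a reset service-account password into IIS app pools and
# scheduled tasks that run as that account. $Account (e.g. 'CORP\svc-web') and
# $NewPassword are assumed inputs, not values from the original post.
param(
    [Parameter(Mandatory)] [string] $Account,
    [Parameter(Mandatory)] [securestring] $NewPassword
)

Import-Module WebAdministration
Import-Module ScheduledTasks

# The IIS provider and Set-ScheduledTask both need the plain-text password.
$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password

# 1. IIS application pools whose identity is this specific user.
#    processModel.userName may be stored as 'DOMAIN\user' or 'user@domain';
#    compare against the form used on this server.
$pools = Get-ChildItem IIS:\AppPools | Where-Object {
    $_.processModel.identityType -eq 'SpecificUser' -and
    $_.processModel.userName -ieq $Account
}
foreach ($pool in $pools) {
    $path = "IIS:\AppPools\$($pool.Name)"
    Set-ItemProperty -Path $path -Name processModel.password -Value $plain
    # Recycle so the worker processes start with the new credential.
    Restart-WebAppPool -Name $pool.Name
    Write-Host "Updated app pool $($pool.Name)"
}

# 2. Scheduled tasks registered to run as this account. The Task Scheduler
#    keeps the old password, so these fail until re-registered with the new one.
$tasks = Get-ScheduledTask | Where-Object { $_.Principal.UserId -ieq $Account }
foreach ($task in $tasks) {
    Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath `
        -User $Account -Password $plain | Out-Null
    Write-Host "Updated scheduled task $($task.TaskPath)$($task.TaskName)"
}

# 3. Verification: a pool that is not Started, or a task whose next run
#    reports a non-zero LastTaskResult, points at a location that was missed.
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.userName -ieq $Account } |
    Select-Object Name, State
$tasks | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, LastTaskResult

# Do not leave the plain-text copy in the session longer than needed.
Remove-Variable plain
```

Permissions granted to the account (certificate private keys, share ACLs, the EventLog registry key) are stored by SID, so they are unaffected by a password change and need no update; only stored credentials (app pool identity, scheduled task principal) do.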
We have an application which parses the Audit Logs emitted by Azure AD. More specifically, we are parsing the 'Update application' log to detect when a new Role has been added to an Application (see the example below).
We would like to find out more information about the "DirectAccessGrantTypes" and "ImpersonationAccessGrantTypes" fields. If someone can point us to documentation for this, that would be great.
[
  {
    "EntitlementEncodingVersion": 2,
    "EntitlementId": "654a4f1f-1b7f-4354-a6d6-fcf7346af0ec",
    "IsDisabled": true,
    "Origin": 0,
    "Name": "Data Manager",
    "Description": "Manager for test app",
    "Definition": null,
    "ClaimValue": "DataManager",
    "ResourceScopeType": 0,
    "IsPrivate": false,
    "UserConsentDisplayName": null,
    "UserConsentDescription": null,
    "DirectAccessGrantTypes": [20],
    "ImpersonationAccessGrantTypes": [],
    "EntitlementCategory": 0,
    "DependentMicrosoftGraphPermissions": []
  },
  {
    "EntitlementEncodingVersion": 2,
    "EntitlementId": "3d03256d-cf0c-4553-b8af-98d7ebbee1f2",
    "IsDisabled": false,
    "Origin": 0,
    "Name": "Application Manager",
    "Description": "Admin for test app",
    "Definition": null,
    "ClaimValue": "ApplicationManager",
    "ResourceScopeType": 0,
    "IsPrivate": false,
    "UserConsentDisplayName": null,
    "UserConsentDescription": null,
    "DirectAccessGrantTypes": [20],
    "ImpersonationAccessGrantTypes": [],
    "EntitlementCategory": 0,
    "DependentMicrosoftGraphPermissions": []
  },
  {
    "EntitlementEncodingVersion": 2,
    "EntitlementId": "88d0d3e3-b661-4760-aea3-f4548db1ff96",
    "IsDisabled": false,
    "Origin": 0,
    "Name": "Read",
    "Description": "Allow users to add a admin consent",
    "Definition": null,
    "ClaimValue": "Read",
    "ResourceScopeType": 0,
    "IsPrivate": false,
    "UserConsentDisplayName": null,
    "UserConsentDescription": null,
    "DirectAccessGrantTypes": [],
    "ImpersonationAccessGrantTypes": [{"Impersonator": 29, "Impersonated": 20}],
    "EntitlementCategory": 0,
    "DependentMicrosoftGraphPermissions": []
  }
]
From the article "View reports & logs in entitlement management - Azure AD | Microsoft Docs":
When Azure AD receives a new request, it writes an audit record, in which the Category is EntitlementManagement and the Activity is typically "User requests access package assignment". In the case of a direct assignment created in the Azure portal, the Activity field of the audit record is "Administrator directly assigns user to access package", and the user performing the assignment is identified by the ActorUserPrincipalName.
Application impersonation is basically an administrator-managed, not user-managed, permission.
The impersonation access grant logs give information (e.g. the count) about the users given consent by the admin to access the application to impersonate a user.
ImpersonationAccessGrantTypes gives the count or info of access grants made by the admin on behalf of a user, whereas DirectAccessGrantTypes gives info about the users who directly access the application, as they are already assigned by the admin.
Reference:
Multiple Client applications authorisation to WebApi (microsoft.com)
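The detection the question describes, as an added example that is not part of the question or the answer above: diff the old and new values of the role array carried by an 'Update application' audit record, report roles that were added or removed, and flag roles whose IsDisabled flag, claim value or grant types changed. The array format is the one shown in the question; the wrapping entry with "oldValue"/"newValue" strings follows the modifiedProperties shape of the Graph audit log API, and both sample values are constructed here (the "old" one drops the "Read" role and has "Data Manager" enabled). The numeric grant type codes are passed through as-is, since the page does not document their meaning.

```python
"""Added example: detect AppRole changes from an Azure AD 'Update application'
audit record by diffing its old and new role arrays. Sample data is constructed
for this example; it is not a real audit log capture."""
import json
from typing import Any, Dict, List


def _role(entitlement_id: str, name: str, claim: str, disabled: bool,
          direct: List[int], impersonation: List[Dict[str, int]]) -> Dict[str, Any]:
    """Build one entitlement record in the shape the audit log emits."""
    return {
        "EntitlementEncodingVersion": 2, "EntitlementId": entitlement_id,
        "IsDisabled": disabled, "Origin": 0, "Name": name, "Description": "",
        "Definition": None, "ClaimValue": claim, "ResourceScopeType": 0,
        "IsPrivate": False, "UserConsentDisplayName": None,
        "UserConsentDescription": None, "DirectAccessGrantTypes": direct,
        "ImpersonationAccessGrantTypes": impersonation, "EntitlementCategory": 0,
        "DependentMicrosoftGraphPermissions": [],
    }


# Constructed sample: old value has two enabled roles; new value is the array
# from the question (Data Manager disabled, a third "Read" role added).
OLD_VALUE = json.dumps([
    _role("654a4f1f-1b7f-4354-a6d6-fcf7346af0ec", "Data Manager", "DataManager", False, [20], []),
    _role("3d03256d-cf0c-4553-b8af-98d7ebbee1f2", "Application Manager", "ApplicationManager", False, [20], []),
])
NEW_VALUE = json.dumps([
    _role("654a4f1f-1b7f-4354-a6d6-fcf7346af0ec", "Data Manager", "DataManager", True, [20], []),
    _role("3d03256d-cf0c-4553-b8af-98d7ebbee1f2", "Application Manager", "ApplicationManager", False, [20], []),
    _role("88d0d3e3-b661-4760-aea3-f4548db1ff96", "Read", "Read", False, [],
          [{"Impersonator": 29, "Impersonated": 20}]),
])
# One modifiedProperties entry as the Graph audit log API returns it: the old and
# new values are JSON-encoded strings (the property's displayName is omitted here).
MODIFIED_PROPERTY = {"oldValue": OLD_VALUE, "newValue": NEW_VALUE}

# Fields whose change on an existing role is worth alerting on.
WATCHED = ("IsDisabled", "ClaimValue", "DirectAccessGrantTypes", "ImpersonationAccessGrantTypes")


def parse_roles(value) -> Dict[str, Dict[str, Any]]:
    """Parse a role array (JSON string) into a dict keyed by EntitlementId.
    A missing/empty value (role list newly created or fully removed) yields {}."""
    if not value:
        return {}
    return {r["EntitlementId"]: r for r in json.loads(value)}


def summarize(role: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a role record to the fields a detection would report."""
    return {
        "id": role["EntitlementId"],
        "name": role["Name"],
        "claim": role["ClaimValue"],
        "disabled": role["IsDisabled"],
        "direct_grants": list(role["DirectAccessGrantTypes"]),
        "impersonation_grants": list(role["ImpersonationAccessGrantTypes"]),
    }


def diff_roles(prop: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Compare oldValue/newValue of one modified property; order follows newValue."""
    old = parse_roles(prop.get("oldValue"))
    new = parse_roles(prop.get("newValue"))
    added = [summarize(new[i]) for i in new if i not in old]
    removed = [summarize(old[i]) for i in old if i not in new]
    changed = []
    for i in new:
        if i not in old:
            continue
        fields = [f for f in WATCHED if old[i][f] != new[i][f]]
        if fields:
            changed.append({**summarize(new[i]), "changed_fields": fields,
                            "previous": {f: old[i][f] for f in fields}})
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    print(json.dumps(diff_roles(MODIFIED_PROPERTY), indent=2))
```

Keying on EntitlementId rather than Name or ClaimValue matters: a role can be renamed or have its claim value swapped without the id changing, and that shows up in "changed" rather than as a spurious add/remove pair.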
I've connected my WSO2 API Manager with an external LDAP, i.e. Microsoft Active Directory.
I have the following user in my Active Directory:
Username: WSO2 Admin
User logon name: WSO2.Admin@india.test.com
NT logon name: INDIA\WSO2.Admin
When I set the admin role for my user's Username in the user-mgt.xml file, I'm able to log in to the WSO2 admin console with the Username only, i.e. "WSO2 Admin", and I'm also able to see all the users from Active Directory. But if I try to log in to the management console with the actual logon name, i.e. india\WSO2.Admin or WSO2.Admin@india.test.com, it shows me a "login failed" error.
<AdminUser>
    <UserName>WSO2 Admin</UserName>
    <Password>xxxxx</Password>
</AdminUser>
Can somebody please help me solve this?
In WSO2 Carbon (the base for all WSO2 products, not just APIM) realms and domains have different meanings.
E.g. the domain @india.test.com in the Carbon logon form denotes the tenant (the default tenant is carbon.super). You may try to log in with WSO2.Admin@carbon.super; in theory it should work. (I did not try it myself.)
Likewise, the realm (in the form realm\username) hints Carbon to use a secondary user store with the specified realm parameter (I may be wrong about this format; if someone knows for sure, feel welcome to correct me).
I believe the full domain should work with a Kerberos authenticator (used for applications, not for the Carbon management console), but this authenticator has been reworked and improved in current versions, so I don't know its current state.
When I create a new user in DNN, the newly created user is not notified by email by the system after creation. There is no difference whether "Notify" is ticked or not (see the image below).
How can I set up the system so that the user gets notified by email after being created (in this case at the email aldho_ah@yahoo.com)?
Many thanks
You'll need an SMTP server to send email. Go to Host > Host Settings > Advanced Settings > SMTP Server Settings, and you can see what information the portal needs:
The portal will send emails from the email address of the site's administrator, which is defined at Admin > Site Settings > Advanced Settings > Security Settings. This means that the SMTP server needs to have permission to send from that email address.
I have added the details of my native application in Azure Active Directory and added the permission "Sign in and read user profile" for the Windows Azure Active Directory application and the permission "Read and write user files" for the Office 365 SharePoint Online application. After adding these permissions, I am able to authenticate the user and retrieve an access token for the user's OneDrive for Business account. But when I call the web service to retrieve the default drive details, it gives me a "401 Unauthorized" error, and when I try to call the web service to retrieve the children of the default drive, I get a "403 Forbidden" error. So I added another permission, "Read managed metadata", for the Office 365 SharePoint Online application in Azure, but then I get the following error while trying to log in the user using OAuth.
Is it due to a lack of privileges on the user's OneDrive for Business account, or some problem in the permissions that I set in Azure Active Directory?