Grabbing passwords on a Win 2003 domain - active-directory

I've recently been given the task at a school which runs a local domain to grab a copy of all the passwords when we reset them this week (students and staff).
The reasoning for this is because we wish to have them in sync with our local proxy server passwords and 3rd party user based applications.
I've had a look into passwdhk but haven't been able to get it running cleanly on our machines. We have 1x Windows Server 2008 RC2 machine and 1x Windows Server 2003 machine - we're running a 2003 domain because of this.
I'm wondering if anyone can help. I'm looking at something similar to passwdhk - some sort of custom password filter. However I'm not a higher level programmer and wouldn't be able to write this in C or C++. Can anyone point me in the direction of one I could easily modify or point out another solution?
The other option I was thinking of was to force all users to log into an intranet page with an ASP.NET backend that presented them with a form and sent it via a WSO or something - that way I'd have a plain text copy.
Your thoughts and input would be highly, highly appreciated!
Thanks!

You would need a custom password filter, or a password sync product. Forefront Identity Manager is one which can do this, but you're not going to get this (or likely any solution) set up in a week.
A web-based self-service interface is pretty common, but you won't be able to use the native Windows functionality to communicate password expiry.

Related

What are the benefits of running Kerberos with an authorization-backing server like LDAP/Active Directory/SPNEGO?

I've been tasked with implementing a Single Sign-On solution in an environment which uses Kerberos with an Active Directory server for the actual storing of the users and their groups. I understand that Kerberos does not support privileges/groups and that this is the reason to be forced to use a backing server like, for example, LDAP, or Active Directory. This is all fine and clear, but what I don't quite understand is why you would still be using Kerberos, when you could simply be connecting to LDAP or Active Directory directly instead and dropping the whole overhead of yet another server.
What am I missing here...? Please advise! Many thanks in advance!
There is no overhead for another server. Active Directory combines all necessary services in one product.
Kerberos has tremendous benefits:
One login for all systems
Transparent subsequent login
Ciphered ticket exchange, even full transport encryption is possible
Delegation of credentials is supported out of the box
Implemented and well documented in Unix and Windows for almost two decades
I have used Kerberos via AD for years in Java and C on Unix and Windows with great success. I wouldn't use anything else in a corporate environment.

Secure ClickOnce files so that only my users can access it?

I am trying to deploy my WPF application to some users who are outside of our corporate network. Everything works great on our LAN but I can't get the updates working when I turn on security as the user is never prompted for their login details?
Does anyone know of a way to secure my ClickOnce files so that only my users can access it? I am not allowed to put this software up without it being secure.
Any help much appreciated.
There is no way to secure your files as the ClickOnce runtime will blindly return to its deployment point and never keep hold of the user's original credentials. I have heard of ways of getting round this using various techniques but it's a fair bit of work.
This might be of use: www.clickoncerevolution.com.
You could also always consider an MSI installer but you won't get the automatic updates.
Marty
Internally, you can restrict access to the files on the webserver. Externally, there's not much you can do easily.
We handle this by having our customers log in when they run the application, and we verify their credentials against backend services (running on Azure). So they can't run it unless they can log in.
If you don't want to do that, I'll share this article with you. It shows how to serve up your ClickOnce files from a SQL Server database by intercepting the requests to the webserver and responding. If you were smarter with web applications than I am (not a high bar, mind you), maybe you could figure out how to intercept and ask for authentication credentials at that point.
And here's an article from CodeProject where they show one solution for what you're trying to do.

Deploy Silverlight With Local IIS - Advisable?

I'm in the process of reengineering a desktop application to a Silverlight4-WCF client-server architecture. Apparently, some (not all) of our clients have very limited resources or dysfunctional relationships with their I/T support staff. Consequently, I've been asked to come up with a solution that would enable these clients to install the new SL app on a local desktop, possibly running IIS locally. Will probably wrap all this up in an installer to make deployment super easy.
While I don't endorse the idea of running IIS locally on each user's desktop, my thinking is that it will probably work. The biggest problem I envision is security -- the server code and configuration would be available locally. Still, I'm looking for input from the wider developer community because I'm uncomfortable with the proposal. What kind of hell and difficulties do you envision, or can this work with minimal fuss?
Using IIS locally may be more trouble than it's worth. Most configuration/maintenance tasks require the user to have Administrator access on the computer. Securing it is a bitch. Making sure its configuration doesn't drift and remains working as you release new versions is even more so. Moreover, it's not included in all Windows editions, e.g. Windows 7 Home edition. I recommend trying to roll with IIS Express as an embedded HTTP server instead.
As for code security - if you can't trust your clients' IT to look after deployment and security, or they can't/don't want to, you could host the server-side yourself and bill your customers for it, i.e. SaaS.
Just my 2 cents.
EDIT:
Oh, yeah. If you're concerned about trade secret theft, e.g. reverse engineering of your server code, just run it through an obfuscator, e.g. SmartAssembly. That'll give you an edge. As for IP theft, e.g. piracy, you could use some online license checking scheme - it won't compromise client privacy, and it'll deter copying.

Query SQL Server Database from native iOS Application

I am working on an in-house, iOS app that will need read-only access to a SQL Server with multiple databases. I know the stock answer here is "write some web services", but I'd like a solution that is self-contained. Is there any way to directly connect to a SQL Server database from an iOS application? I'm thinking something like a basic ODBC connection.
I've seen a lot of users asking this question, but very few answers other than "write a web service." Is that really the only way?
A web service is indeed the only way, but Red Gate's written one you can reuse:
http://www.mobilefoo.com/iSqlServerSDK.html
http://labs.red-gate.com/Tools/Details/iSqlSDK
It's not officially released yet, just in beta, so keep in mind that features & prices may change.
Actually the easiest way is to create an MVC 3 or 4 ASP.NET web application and call the web methods. You don't need any API to pay for.
I use SBJson to serialize domain objects and then send the objects as serialized JSON to MVC 3. It's super easy to do. I even send images with base64, so it's .NET compatible.
See my blog post with sample code:
http://nickturner.wordpress.com/2012/10/09/107/
So, after much searching and trial and error, unfortunately the best (only?) way I've found is indeed using Web Services.
Fortunately, Linq to SQL makes the WCF-creation-side incredibly easy. Once I got someone at work to walk me through setting up a Windows web server and adding the web service (and buying access to an online web server), the Windows side was up and ready to go.
I'm still working through all of the syntax stuff on the SOAP interaction side, but keeping my different methods somewhat similar in structure allows me to tinker a little until it works. By this time, I think I've gotten it to work pretty well.
So, both answers I got back were (disappointingly) correct. The only way to interact is through a Web Service. Even the 3rd party solutions they mentioned were really just convenient wrappers around the same type of technology. As it turns out, I'd rather have finer control over the process.
One word of advice: Get a real, external web server. I tried doing this on a non-Server Windows VM on my iMac/MacBook Pro, and it was like pulling teeth! Once I actually got access to an external, full, stand-alone web server, the process was much more streamlined and easy. Do yourself a favor and take that headache out of the equation!
There was a SQL ISAPI extension as part of SQLXML, but I think it has been deprecated: http://msdn.microsoft.com/en-us/library/aa226559%28v=SQL.80%29.aspx
This was effectively a pre-built, and relatively open, web service - so I'm not sure this counts as a direct connection.
You could also check out http://odbcrouter.com/Main

Update a local/client Microsoft Access Database from a server (MS SQL Server2005)

I've got a website that runs on a shared hosting environment, using ASP.net 2.0 (C#) and MS SQL Server 2005. I've recently been asked if I can integrate my website with a piece of third party desktop software that uses the Access runtime as its database (transparent to the end user).
Primarily I want to be able to offer users of my website the option of exporting their data into the Access database on their local machine. The data schemas match sufficiently; the question is how to actually do this, and in the simplest way possible for the user.
Simply having a webpage update the local Access database isn't possible due to the obvious security restrictions. I've considered asking them to upload the Access database to the server, so I can migrate the data then allow them to download it again, however the competency of the users of this software is such that even locating the Access database, let alone uploading and downloading it from the website might be too complicated.
I've also considered if Adobe Air or Silverlight could help here, but don't know them well enough to know for sure. Similarly I'm assuming another exe could be written to perform this task that the user could simply download and run, however my experience is in web development, not program development, so this isn't a 100% certainty for me, or an ideal development option for me.
So, can this be done, and if so what technique can achieve this, with the stated aims being ease of use for the end user, followed by ease of development by someone with web development as their main skill. Many thanks!
You may find this answer of interest: Best way to stream files in ASP.NET
It is about transferring a file from the server. You could save Excel or CSV and use that to update Access.
Instead of trying to do this in a web page you might just expose some views from your SQL Server to some client-specific logins.
Then within the Access application, allow them to tie to your SQL Server. You might even provide an Access application for getting the data from your site and stuffing it in their local Access database.
In my work we have done something similar that is transparent to the user by creating an ActiveX control. The problem is that you are limiting the users to use only Internet Explorer.
I think that the best way to achieve what you are trying to do is by installing a service in the client's computer. If creating a service is beyond your experience you can post a project in a place like oDesk and find somebody that can help you with the development for the money that you are willing to pay to complete your project.
Good Luck.
