Here is what I've been trying to do
Build an ASP.NET MVC 3 application with forms authentication and active directory membership. The web server and database are different physical servers hence a double hop.
I thought the answer was this older article on constrained delegation and protocol transition? So far, I have not been able to get the technique to work.
I'm testing this from my DEV machine (Windows 7, IIS7) for the web server before deploying to windows 2008 (IIS7) in the production setup. Would windows 2008 make a difference?
What works and what fails
I'm able to login with forms auth and the AD membership. This seem to be working fine. When I try to make a database call using this code:
public void AsUser(Action action)
{
using (var id = new WindowsIdentity(User.Identity.Name + #"#example.com"))
{
WindowsImpersonationContext context = null;
try
{
context = id.Impersonate();
action.Invoke();
}
catch (Exception ex)
{
// ex.Message is The type initializer for System.Data.SqlClient.SqlConnection threw an exception
// buried inner exeption is Requested registry access is not allowed
}
finally
{
if (context != null)
{
context.Undo();
}
}
}
}
It fails with an exception leading me to believe I have setup issues on my local DEV server. The inner exception is Requested registry access is not allowed.
If I set a breakpoint and inspect the WindowsIdentity after the Impersonate() call I see that the ImpersonationLevel is set to Identification. This seems like a clue that it is not setup correctly. Can anyone confirm?
Am I on the right track and is this even possible to setup? Any pointers would be appreciated.
I think you are on the right track. You just need more troubleshooting work on your protocol transition setup.
I assume you configured your Active Directory membership provider correctly so that you can successfully logon your web page using the active directory user name and password. If that's not the case, please ignore the rest of my answer :)
From what I saw in your question, you got your user's token using S4USelf by WindowsIdentity. Then, you are using S4UProxy to pass the impersonated token to SQL server. Since you said you got ImpersonationLevel.Identification only, it means you failed to do protocol transition.
You need to understand that allowing one machine to do protocol transition in a domain is very high privilege. Granting a server to do protocol transition almost means that you trust that server to be almost like a domain controller. You need to consciously make this decision in AD to turn a server to have this ability and you have to be a domian administrator to make this change. If you haven't done this, you probably didn't setup your thing properly.
There are couple things to check.
First, make sure you selected "Trust this computer for delegation to specified services only" and then you picked "select Use any authentication protocol" on your service account. You may like to create a domain account. Here is a link on how to create a service account for ASP.NET. Remember, you need a domain account. After you created a domain service account, make sure you go to the delegation tab on that account and selected the correct options.
Second, you need to make sure SPNs are set properly. I realize that the link that you posted only mention the SPN of your ASP.NET service account. Actually, you also need to make sure the service account on your SQL server also set properly. Otheriwse, Windows won't use Kerberos authentication at all. It will fall back to use NTLM. There are a lot of details to setup a SPN correctly on SQL server. You can check here first and see if you have any luck. From my experience, most of the DBA don't know how to set them up properly. They don't even aware of it because most applications work fine with NTLM. You need to pay attention to the SQL server service account and the port number that it's using.
Third, you need to make sure there is nothing disabling your Kerberos delegation. Some sensitive AD accounts are by default not allowed to be delegated. For example, the built-in administrator account. So, you better use some other normal user accounts for testing purpose.
UPDATE
I just found another article teaching you how to setup the protocol transition for ASP.NET. It mentioned that you need to grant TCB right to the IIS service account in order to make sure it can create a Impersonation type WindowsIdentity. You can give it a shot.
Here the class I use. Also, you'll want to check and see if the process that the AppPool is running under has enough permission to do the impersonation since it is such a privileged activity. I would give the user account that the app pool is running under temporary admin privileges (dev box only of course) and see if it works so you'll know if it is a permissions issue.
public class ImpersonationHelper : IDisposable
{
private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_PROVIDER_DEFAULT = 0;
private WindowsImpersonationContext _impersonationContext;
private string _userName;
private string _domain;
private string _password;
[DllImport("advapi32.dll")]
public static extern int LogonUserA(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int DuplicateToken(IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern bool CloseHandle(IntPtr handle);
public ImpersonationHelper(string domain, string userName, string password)
{
_userName = userName;
_domain = domain;
_password = password;
}
public void Start()
{
WindowsIdentity tempWindowsIdentity;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
if (RevertToSelf())
{
if (LogonUserA(_userName, _domain, _password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref token) != 0)
{
if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
_impersonationContext = tempWindowsIdentity.Impersonate();
if (_impersonationContext != null)
{
CloseHandle(token);
CloseHandle(tokenDuplicate);
}
}
}
}
if (token != IntPtr.Zero)
CloseHandle(token);
if (tokenDuplicate != IntPtr.Zero)
CloseHandle(tokenDuplicate);
}
#region IDisposable Members
void IDisposable.Dispose()
{
if (_impersonationContext != null)
{
_impersonationContext.Undo();
}
}
#endregion
}
Have you enabled Impersonation on the Windows 7 or Windows 2008 machine? This article covers how to set it up. http://technet.microsoft.com/en-us/library/cc730708(WS.10).aspx. Also, are you running 32-bit or 64-bit?
You should also check with your AD administration to see if Impersonation is allowed. My companies AD policies won't allow impersonation.
I think you have identified the problem but no one has mentioned it. The "double hop" issue is not going to allow you to do this. It's not possible. There are lots of people who have written about it such as Scott Forsyth.
When you authenticate to the IIS
server using Integrated
Authentication, that uses up your
first 'hop'. When IIS tries to access
a network device, that would be the
double or second hop which is not
allowed. IIS cannot in turn pass on
those credentials to the next network
device, otherwise the developer or
administrator could abuse your
credentials and use them in ways that
the site visitor didn't anticipate.
This doesn't occur with anonymous
access or with impersonation off
because in that case IIS takes care of
authenticating you and then it uses a
different user for local or network
access. This means that the app pool
identity or anonymous user can make a
network call as the first hop.
I think it's pretty clear that you cannot pass your credentials any further than the first connection.
Related
EDIT2: I have managed to get past the GlobalDatastoreConfig has already been set error. I managed to pinpoint all the locations that were getting called before the init function. They were in static space in some weird files.
I have now pointed ALL DatastoreServiceFactory.getDatastoreService() to a new static function I've created in a file called Const.java.
private static boolean hasInit = false;
public static DatastoreService getDatastoreService() {
if(!hasInit) {
try {
CloudDatastoreRemoteServiceConfig config = CloudDatastoreRemoteServiceConfig
.builder()
.appId(CloudDatastoreRemoteServiceConfig.AppId.create(CloudDatastoreRemoteServiceConfig.AppId.Location.US_CENTRAL, "gcp-project-id"))
.build();
CloudDatastoreRemoteServiceConfig.setConfig(config);
hasInit = true;
} catch (Exception ignore) {}
}
return DatastoreServiceFactory.getDatastoreService();
}
This returns no errors on the first initialisation. However, I am getting a new error now!
Dec 08, 2022 6:49:56 PM com.google.appengine.api.datastore.dev.LocalDatastoreService init
INFO: Local Datastore initialized:
Type: High Replication
Storage: C:\Users\user\dev\repo\Celbux\core\Funksi179_NSFAS_modules\classes\artifacts\Funksi179_NSFAS_modules_war_exploded\WEB-INF\appengine-generated\local_db.bin
Dec 08, 2022 6:49:56 PM com.google.appengine.api.datastore.dev.LocalDatastoreService load
INFO: Time to load datastore: 20 ms
2022-12-08 18:49:56.757:WARN:oejs.HttpChannel:qtp1681595665-26: handleException / java.io.IOException: com.google.apphosting.api.ApiProxy$CallNotFoundException: Can't make API call urlfetch.Fetch in a thread that is neither the original request thread nor a thread created by ThreadManager
2022-12-08 18:49:56.762:WARN:oejsh.ErrorHandler:qtp1681595665-26: Error page too large: 500 org.apache.jasper.JasperException: com.google.apphosting.api.ApiProxy$RPCFailedException: I/O error
Full stacktrace: https://pastebin.com/YQ2WvqzM
Pretty sure the first of the errors is invoked from this line:
DatastoreService ds = Const.getDatastoreService();
Key ConstantKey = KeyFactory.createKey("Constants", 1);
Entity Constants1 = ds.get(ConstantKey) // <-- This line.
EDIT1: I am not using Maven. Here are the .jars I have in WEB-INF/lib
appengine-api-1.0-sdk-1.9.84.jar
appengine-api-labs.jar
appengine-api-labs-1.9.76.jar
appengine-api-stubs-1.9.76.jar
appengine-gcs-client.jar
appengine-jsr107cache-1.9.76.jar
appengine-mapper.jar
appengine-testing-1.9.76.jar
appengine-tools-sdk-1.9.76.jar
charts4j-1.2.jar
guava-11.0.2.jar
javax.inject-1.jar
json-20190722.jar
Original Question:
The company that I'm working at have a legacy GCP codebase written in Java. This codebase uses the appengine-api-1.0-sdk.jar libary. Upon running this CloudDatastoreRemoteServiceConfig code in the very first place that our DatastoreService gets initialised, it says that the config has already been set.
If someone can shed light on how to get this outdated tech connected to the Cloud via localhost, I'll be most grateful!
web.xml
<filter>
<filter-name>NamespaceFilter</filter-name>
<filter-class>com.sintellec.funksi.Filterns</filter-class>
</filter>
<filter-mapping>
<filter-name>NamespaceFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Code
public class Filterns implements javax.servlet.Filter {
public void init(FilterConfig filterConfig) {
try {
CloudDatastoreRemoteServiceConfig config = CloudDatastoreRemoteServiceConfig
.builder()
.appId(CloudDatastoreRemoteServiceConfig.AppId.create(CloudDatastoreRemoteServiceConfig.AppId.Location.US_CENTRAL, "gcp-project-id"))
.build();
CloudDatastoreRemoteServiceConfig.setConfig(config);
DatastoreService ds = DatastoreServiceFactory.getDatastoreService();
} catch (Exception e) {
System.out.println(e);
return;
}
this.filterConfig = filterConfig;
}
}
I got this code snippet from here.
Was thinking a few ideas:
Perhaps there's GCP code that's called before our Java code which initialises the Local DB
Perhaps I need to set a global environment variable to point this old emulator to a Cloud Configuration instead
Only problem is I have no idea what to do from here, hoping someone has experience on the legacy Java library here.
To clarify; I am trying to get this outdated GCP Java codebase (appengine-api-1.0-sdk.jar) to connect to Cloud Datastore, NOT use the Local Datastore Emulator. This is so I can debug multiple applications that all access the same Cloud DB
It is very difficult to say especially with that amount of code and we can only guess but, as you indicated, probably some code is initializing your DataStore configuration, probably the SDK itself. You could try setting a breakpoint in the setConfig method of CloudDatastoreRemoteServiceConfig and analyze the call stack.
In any way, one think you could also try is not performing such as initialization in your code, delegating to Application Default Credentials the authentication of your client libraries.
For local development you have two options to configure such as Application Default Credentials.
On one hand, you can use user credentials, i.e., you can use the gcloud CLI to authenticate against GCP with an user with the required permissions to interact with the service, issuing the following command:
gcloud auth application-default login
Please, don't forget to revoke those credentials when you no longer need them:
gcloud auth application-default revoke
On the other, you can create a service account with the necessary permissions and a corresponding service account key, and download that key, a JSON file, to your local filesystem. See this for instructions specific to DataStore. Then, set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the downloaded file with your service account key.
Again, a word of caution: take care of the downloaded service account key file and never put it under version control because anyone with that file could assume the permissions granted to the service account.
You code should work without further problem when running in GCP because probably you will be using a service that supports attaching a service account which means that Application Default Credentials are provided by the GCP services per se.
I am using ReportViewer to show the reports on my windows WPF application using .Net 4.0. These reports are deployed on a separate SSRS 2008 report server and not the local machine. Right now, I am passing the credentials of the server in the following manner:
string userName = configClient.Settings.Get("UserName").Value.ValueXml.InnerText;
string password = configClient.Settings.Get("Password").Value.ValueXml.InnerText;
string domain = configClient.Settings.Get("Domain").Value.ValueXml.InnerText;
IReportServerCredentials irsc = new ReportViewerCredentials(userName, password, domain);
_reportViewer.ServerReport.ReportServerCredentials.NetworkCredentials = irsc.NetworkCredentials;
Also, I am using the following settings with the ReportViewer if it is of any use:
_reportViewer.ProcessingMode = ProcessingMode.Remote;
_reportViewer.ShowParameterPrompts = false;
_reportViewer.ServerReport.ReportServerUrl = new Uri(Properties.Settings.Default.ReportServer);
_reportViewer.ServerReport.ReportPath = Properties.Settings.Default.Reports;
I am using the config file to save and retrieve the credentials for the server access, but I do not think this is a secure way of doing it. I would like to implement this in a secure way where I do not need to take the credentials from the user or from the config file. Both the local machine and the server would be on the same network.
I am not sure how to do it, can this be done through impersonation, I am just guessing as I do not have much idea about security and impersonation. Also, if it can be done, can I get a sample or may be a link to an article through which I can get this done.
The core idea is to avoid storing the username and password on the client. I searched for solution but what I got was very vague in nature.
Please do not close this thread as it is an open question, but it is important for me, as I am approaching deadline and working on too many things at a time. Sorry for inconvenience caused if any.
I have found a way to not pass the credentials at all and still be able to retrieve the reports from the Reports Server, but not without help.
I have configured a new Role assignment in the Report Manager using the URL http://localhost/Reports/Pages/Folder.aspx. Go to Properties tab, and add a New Role Assignment and add Everyone and provide the required right to it.
This way, I would not need to pass any credentials from the client for the ReportViewer. Also, it can be used to configure the access for a selected users.
on one server i have www with silverlight web application. In a diffrent place in the world is the secound server with sharepoint 2010 fondation. While client connects to www server, the silverloght web application goes to him, and then trying to read list elements from sharepoint. On client desktop comes Windows - login window, after client provide username and the password, application can read the list items.
Question:
how to login IN THIS CASE from silverlight application without user prompt.
part of my code (reads only list infromation):
SilverlightApplication2.listsWebService.ListsSoapClient lws = new SilverlightApplication2.listsWebService.ListsSoapClient();
public MainPage()
{
InitializeComponent();
lws.GetListCompleted += new EventHandler<listsWebService.GetListCompletedEventArgs>(lws_GetListCompleted);
lws.GetListAsync("PagesContent");
}
void lws_GetListCompleted(object sender, listsWebService.GetListCompletedEventArgs e)
{
deltaValue.Text = e.Result.Value;
}
It can be very confusing when solving Silverlight auth in Sharepoint. I know this is possible when using Forms authentication, through web service called autentication.asmx.
With Windows authentication, I always used current logged user (which is SL default behavior).
I don't know if that can be changed from inside SL..
Here is one article that may help...
Sorry for such answer... :)
I would like to create a C# WinForms application which will create web requests to servers that require username and password (Basic authentication).
I want to save the password locally (encrypted of course) on the machine that runs the application.
Basically, I need something that operates as Keychain in iOS, or "secure storage" in eclipse, only for .NET
I've found the Credential Manager in Windows, but all API examples are from .NET Framework V2.0
Isn't there a normal API from Microsoft about how to use it in C#?
Windows applications can use DPAPI for that, the Data Protection API, which stores secrets on a computer, encrypted (indirectly) with a user's login credentials. Any process that runs with the user's privileges can access this data. Optionally you can let the user add his own password (for this one item / secret) if you like (PrompStruct). The DPAPI is also accessible via C# (there are examples on the net).
You can store the credentials in a section in app.config and then encrypt the section (similar to what you'll do in web.config for a web application).
You can use SectionInformation.ProtectSection to protect the section, and SectionInformation.GetRawXml to retrieve the encrypted info (decryption is done transparently).
Example (taken from the MSDN article below):
static public void ProtectSection()
{
// Get the current configuration file.
System.Configuration.Configuration config =
ConfigurationManager.OpenExeConfiguration(
ConfigurationUserLevel.None);
// Get the section.
UrlsSection section =
(UrlsSection)config.GetSection("MyUrls");
// Protect (encrypt)the section.
section.SectionInformation.ProtectSection(
"RsaProtectedConfigurationProvider");
// Save the encrypted section.
section.SectionInformation.ForceSave = true;
config.Save(ConfigurationSaveMode.Full);
// Display decrypted configuration
// section. Note, the system
// uses the Rsa provider to decrypt
// the section transparently.
string sectionXml =
section.SectionInformation.GetRawXml();
Console.WriteLine("Decrypted section:");
Console.WriteLine(sectionXml);
}
http://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx
I am trying to impersonate a domain user account in a WPF application so the application can write to a folder on the network. The domain user has sufficient rights to write to this location.
I'm using some code found on the net to perform the impersonation.
Basically, it calls the native LogonUser method which returns a security token, then create a new WindowsIdentity passing the token and finally calling the windowsIdentity.Impersonate() method.
I get no exceptions executing above logic.
Calling WindowsIdentity.GetCurrent() -> returns impersonated identity.
Writing to the UNC path -> UnauthorizedAccess exception.
So, I inspect the Thread.CurrentPrincipal object before I try to write the file, this has a GenericPrincipal, and not a WindowsPrincipal with the impersonated WindowsIdentity.
So in the startup of the application I set the AppDomain.CurrentAppDomain.SetPrincipalPolicy to PrincipalPolicy.Impersonate.
I restart my application...
Before my call to impersonate, i can see my own credentials on Thread.CurrentPrincipal, the ones that i'm using to log onto my development machine and which is executing my WPF program.
I again try to run the impersonation logic, again I see the impersonated identity on WindowsIdentity.GetCurrent, all seems fine, no exceptions
However on Thread.GetCurrentPrincipal I still see my own credentials, and if I look at the AuthenticationType property, there is an UnauthorizedException (which is only visible in the debugger, it is not being thrown in the application !!). I let the code run.
Again, UnauthorizedAccess when trying to write my file on the UNC location.
Last thing I tried is to create a new WindowsPrincipal with WindowsIdentity.GetCurrent()
and I explicitly set it on Thread.Current, but same result.
UnauthorizedAccess when a write to the UNC location.
I'm out of ideas :)
Does the machine with network share belong is in the domain?
Did you try accessing network share using that domain account? For instance using "Run As...".
In LogonUser function try to use LOGON32_LOGON_NETWORK flag, when doing logon.
Also to see if impersonation actually took place try to enable auditing of Logon/Logoff events from security policy (info link)