Windows "Insert Smart Card" pop-up appears when connecting to Active Directory using ldap_connect - configuration

Whenever ldap_connect is attempted, some users receive an "Insert Smart Card" pop-up box.
They have not logged in with a smart card in this session, but it appears that the Windows certificate manager has cached certs from a previously used card.
Canceling the card prompt causes ldap_connect/ldap_bind to fail, and often no card is available to present.
This TechNet discussion seemed related, but ended with only 2 options:
manually clear out the certs
insert the smart card
As ldap_connect is supposed to indicate whether the service is accessible, and we have a valid Windows login with a session key that should have access not only to connect but also to authenticate for ldap_bind, the puzzle we have is why it is trying to do anything with a certificate at all.
Is there a configuration that can be made so that AD LDAP doesn't try to use the cached cert for whatever it's using it for?
LDAP API options?
Active directory LDAP service configuration?
Domain policy?

Google Apps Script: clasp login has stopped working

I've been using clasp for the development of Google Apps Script. The clasp login command is no longer working after clasp logout.
Steps:
Execute clasp login in the VS Code terminal. It redirects to the Google OAuth page.
Entered credentials and accepted the required permissions for clasp in the browser.
After successful authentication, it redirects to some localhost:port and then gets stuck with this error:
I've also tried using clasp login --no-localhost, but it gave a different error:
The problem is that your browser is forcing https:// on your localhost. The way clasp login works is that it creates a temporary local server to receive the authorization code from Google in the OAuth flow. This server won't have an SSL certificate so forcing an https connection will return that error. Your potential solutions are:
Try to just change the start of the URL from https:// to http://, though if it's not working already it probably means that something is forcing it.
Create your own localhost cert. Though this is probably overkill, especially if you want it only to install Clasp.
Temporarily disable any browser extensions or settings that force SSL. Or try a different browser.
You seem to be on Edge; you can go to edge://net-internals/#hsts (or chrome://net-internals/#hsts on Chrome), then add localhost under "Delete domain security policies" and click "Delete".
If this is a corporate device check for any antivirus or policies that would force SSL everywhere and see if you can add localhost as an exception.
If you're completely restricted, you can authorize on another computer that doesn't force SSL on you and just copy the .clasprc.json file from the other %USERPROFILE% folder to your current one. The credentials will be associated with the Google account that you used to sign in.
As for why the --no-localhost flag doesn't work, this is because the Out-Of-Band flow has been deprecated. You can see this in the full description of the error:
This means that the "enter a code" flow is no longer supported and Google has blocked it. It's up to the devs to update the clasp app to remove the flow or to implement a workaround. You can try to report it on their GitHub page. As far as I can tell there's not much that can be done about this setting and you most likely will need to go with the localhost method.

Remote Debugging Azure App Service with API Management?

Is there a setting necessary to be enabled for APIM to forward remote debugging calls to its associated app service? When I portqry, the port is reported as Filtered, not Listening.
There is a workaround to the problem. First, download the latest publishing profile for the app service and open it. With the project loaded, select Debug > Attach to Process. Use the destinationAppUrl in the profile for the Connection target. Append the URL with ":4024" and tap "Enter". That will start connecting to the cloud debugger for the app service. A login dialog should appear. Use the first userName and userPWD values to fill the dialog. When entering the userName, prefix it with a backslash so your local domain is not applied. Select the Attach button.
From my experience to date, multiple attempts may be necessary. When that fails, try disabling Debugging in the app service and re-enabling it, with saves in between. Restarting the app service might also assist.

How to disable the check for server certificate revocation in Windows Phone 8

In my WP8 app:
I connect to an open Wi-Fi network operated by a communications operator.
It is blocked by a portal page that requires logging in with an account and password.
After I post some data to an https URL,
I am able to use the Wi-Fi network to access the internet freely.
Now I encounter a problem:
before the https connection is established successfully, the Online Certificate Status Protocol (OCSP) runs.
OCSP needs to access a CA such as VeriSign to verify the server certificate status,
but I have no internet access at this moment.
So my app returns a WebException whose description is "The remote server returned an error: NotFound". I think it is because of the failure of OCSP.
Based on the above, I want to find a solution to solve this:
my point is to disable the OCSP mechanism. Do you know how to do this?
And I would also like to know if there is another solution to solve the problem.
Hope for your advice, thanks!
The way you'd do that on .NET is to set the ServicePointManager.ServerCertificateValidationCallback delegate and perform the logic you want to perform. But, unfortunately that is not yet available on Windows Phone.
There are various UserVoice suggestions related to this, for example:
http://windowsphone.uservoice.com/forums/101801-feature-suggestions/suggestions/2146033-allow-self-signed-and-corporate-certificates-for-s
http://windowsphone.uservoice.com/forums/101801-feature-suggestions/suggestions/4299617-client-ssl-certificate-authentication
They don't apply to you directly, but if they end up gaining access to ServicePointManager then you'll be able to do what you want to do.
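The ServicePointManager callback mentioned above, as an added example that is not part of the original answer: rather than switching validation off, it tolerates only the "revocation could not be checked" chain errors a captive portal causes, and only for the portal's host. It assumes desktop .NET Framework under Windows PowerShell 5.1 (the answer notes the API is not exposed on Windows Phone 8); portal.example is a placeholder host.

```powershell
# Added example (not from the original answer). Assumes Windows PowerShell 5.1 / .NET Framework.
Add-Type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class RevocationTolerantValidator
{
    static string portalHost;   // placeholder host is supplied by Install()
    const X509ChainStatusFlags RevocationOnly =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    public static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;            // normal validation passed
        HttpWebRequest req = sender as HttpWebRequest;
        if (req == null || req.RequestUri.Host != portalHost) return false; // every other host stays strict
        // A name mismatch or a missing certificate is never tolerated, even for the portal.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;
        if (chain == null || chain.ChainStatus.Length == 0) return false;
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            // Any flag beyond the two revocation-offline ones (untrusted root, expired,
            // actually revoked, ...) keeps the connection rejected.
            if ((s.Status & ~RevocationOnly) != 0) return false;
        }
        return true;
    }

    public static void Install(string host)
    {
        portalHost = host;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
"@

[RevocationTolerantValidator]::Install('portal.example')   # placeholder portal host

# From here on, HTTPS requests in this process to the portal succeed when the only
# problem is that the OCSP/CRL servers were unreachable, e.g. the login POST:
# Invoke-WebRequest -Uri 'https://portal.example/login' -Method Post -Body @{ user = 'u'; pass = 'p' }
```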

How to deal with self-signed certificate in the Chrome Apps?

I'm developing a Chrome App, which connects to the server over SSL. Of course, the certificate is self-signed.
In the Chrome browser, it's not a problem because Chrome opens a security warning page. If user chooses to continue to the website, it goes on to the remote page. However, in the Chrome Apps, it doesn't give such a warning page asking user whether to go on or not. Instead, a connection error is thrown out in the console.
To work around this problem, the user has to connect to the page in the browser once and accept the certificate, and then he/she can proceed in the Chrome App.
I'm wondering how to deal with this issue in the Chrome Apps directly?
If the server uses a self-signed certificate then there's nothing you can do.
There are two other ways, though, which require server-side certificate changes,
and depending on those changes the user may or may not have to change some settings in the browser.
Update the server with a certificate issued by a trusted CA.
This does not require the user to change any setting.
Examples of trusted CAs are GoDaddy, VeriSign, etc.
You can check the list of trusted CAs in chrome://settings -> HTTPS/SSL -> Manage certificates -> Trusted Root Certificate Authorities.
Update the server with a certificate issued by any other CA.
Then provide a way for the user to download the certificate, and the user has to install/import it on his/her system/PC.
Once the certificate is installed or imported, you can check chrome://settings -> HTTPS/SSL -> Manage certificates -> Trusted Root Certificate Authorities to confirm that it is installed in the "Trusted Root Certificate Authorities" folder. Only if the certificate is imported into this folder will there be no errors in the console for SSL connections.
Of course, if you do not want to do all this, there is the workaround you mentioned: tell the user to connect to the page in the browser once and accept the certificate, and then he/she can proceed in the Chrome App.
http://www.startssl.com/?app=1 provides free SSL certificates. Try having your customers get one of those instead of training your users to accept insecure connections. Or put the insecure connection over http:, which declares the intention to be insecure.

User rights needed for IIS 7.5 application pool user (domain user, not the AppPoolIdentity)

We have an active directory domain (let's call it foodomain) and a domain user account (foodomain\fooAppPoolUser) used for the IIS application pool identity.
We want to run the app pool under this user account and not under Network Service or the new AppPoolIdentity as we have to access SQL server and have multiple applications on IIS (with own app pools) accessing different databases.
The problem is that I can't find a clear HOW-TO explaining, which user rights have to be set for this user account and how IIS has to be setup so that this will work.
First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
So I'm confused a bit and would like to know, how the configuration/setup has to be to have it working.
Somewhere I read that the account needs to have the "Impersonate a client after authentication" user right. That's the reason I added the account to the Admin group (the user rights assignment is blocked via group policy, but this can for sure be changed if really needed).
I hope I was clear enough what the question is and hope somebody has an answer.
It's frustrating that this information is so hard to find, since some security admins seem to enjoy the cruel and unusual punishment of changing default policy settings to thwart installing apps within IIS.
Here's what I believe you should do to enable an account to work as an ApplicationPool identity:
Run aspnet_regiis -ga DOMAIN\USER to add permissions to access the IIS Metabase. (Exactly what that means, who knows?) aspnet_regiis reference
Add the user to the IIS_IUSRS group. This may be done automatically depending on the IIS configuration setting processmodel.manualGroupMembership but easiest to add it yourself.
If the security policy is using Windows defaults, that's about it. If the security policy is locked down you may need to enable specific user rights for the account. The ones you have by default for ApplicationPoolIdentities (which seems a good place to start, but not necessarily all required):
Access this computer from the network
Adjust memory quotas for a process
Allow log on locally
Bypass traverse checking
Generate security audit details
Impersonate a client after authentication - (Often not available by default on locked-down environments)
Log on as a batch job - (Often not available by default on locked-down environments)
Log on as a service - (I'm not sure this is needed)
Replace a process level token
If you're using windows auth and Kerberos (provider=Negotiate) then depending on the URL and if kernel-mode auth is on you might need to set up an SPN. I suggest switching to NTLM if possible. Otherwise, see articles below about SPNs and find a friendly domain admin to add them for you.
Fun reading:
Default permissions and user rights for IIS 7.0, 7.5, 8.0. This is the best reference, see the user rights at the bottom.
User Rights (on Windows Server 2008, but still interesting and helpful as it's a long article you can CTRL+F to find IIS-related comments)
User Rights Assignment on Server 2008 R2+. You have to drill into each right to see what it mentions about IIS.
How To: Create a Service Account for an ASP.NET 2.0 Application - pity there's no more recent version of this article.
SPN Checklist for Kerberos on IIS7/7.5
How to use SPNs - applies to IIS6 or to 7/8 if Kernel-mode authentication is turned off.
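A way to audit the user rights listed above and the IIS_IUSRS membership on the server, as an added example that is not part of the original answer: it exports the local security policy with secedit and matches the app-pool account's SID against each right. It assumes an elevated Windows PowerShell on the IIS server and uses the question's example account name, foodomain\fooAppPoolUser.

```powershell
# Added example (not part of the original answer). Run elevated on the IIS server.
$Account = 'foodomain\fooAppPoolUser'   # the question's example account

# Privilege constants behind the friendly names in the answer's list.
$Rights = [ordered]@{
    'Access this computer from the network'     = 'SeNetworkLogonRight'
    'Adjust memory quotas for a process'        = 'SeIncreaseQuotaPrivilege'
    'Allow log on locally'                      = 'SeInteractiveLogonRight'
    'Bypass traverse checking'                  = 'SeChangeNotifyPrivilege'
    'Generate security audits'                  = 'SeAuditPrivilege'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Log on as a batch job'                     = 'SeBatchLogonRight'
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Replace a process level token'             = 'SeAssignPrimaryTokenPrivilege'
}

# secedit stores most principals as *S-1-5-... SIDs, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg -Encoding Unicode   # secedit writes UTF-16
Remove-Item $cfg

foreach ($entry in $Rights.GetEnumerator()) {
    $line = $policy | Where-Object { $_ -match ('^' + $entry.Value + '\s*=') } | Select-Object -First 1
    $granted = $false
    if ($line) {
        $principals = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        # Direct grants only: rights the account inherits through groups such as
        # IIS_IUSRS or Users are not expanded here.
        $granted = ($principals -contains $sid) -or ($principals -contains $Account)
    }
    [pscustomobject]@{ Right = $entry.Key; Constant = $entry.Value; GrantedDirectly = $granted }
}

# Step 2 of the answer: is the account a member of the local IIS_IUSRS group?
$members = net localgroup IIS_IUSRS
[pscustomobject]@{
    Group  = 'IIS_IUSRS'
    Member = [bool]($members -match ('^\s*' + [regex]::Escape($Account) + '\s*$'))
}
```

A right that shows GrantedDirectly = False may still be held through group membership, so compare the output against the group policy that the question says blocks the assignment.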
The reason why your application worked AFTER removing Administrator rights is that your application was compiled to the Framework temp folder using the administrator rights. Your application worked after removing the administrator rights because the application was already compiled. If you update your application and it requires recompilation, the app pool account will need the rights again.
First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
I found the following link answered a similar question I had: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Basically, ApplicationPoolIdentity is a virtual user account that still behaves like NETWORK SERVICE, but without some of the downsides; each app pool has its very own ApplicationPoolIdentity account created with it.
More detailed information can also be found that is also specific to IIS 7.5 Application Pool Identities.