Service Fabric RunAs feature
By default, a Service Fabric application will run with the Network Service account. Microsoft has (partial) documentation on how to run it with other permissions: RunAs: Run a Service Fabric application with different security permissions.
Based on this, here's what I'm trying to do:
My Service Fabric application calls a library that is being developed in an other repository.
When deployed in the cloud, the services will download the binaries for the library from a storage, unzip them in a working directory of the Service Fabric cluster and load it from there.
At development time, when I'm testing or debugging the application in a local cluster, I want the binaries for the library to be loaded from some folder on my local hard drive where I have just compiled them, that is right next to the source code.
The tricky part is that my company's security policies require the source code of said library to be accessible only to authorized users, which translates into the folder containing this code being read-protected. As a consequence my Service Fabric application, which runs as Network Service, can't access my binaries. Changing the security policies is not possible, nor giving Network Service access to the folder.
How can I configure my application so that it runs as a user that would have the correct access rights ?
Here's what I already tried:
Using a domain user
The easiest solution would be to be able to run the Service Fabric application with my own login. I tried this by adding the following to my ApplicationManifest.xml:
<Principals>
<Users>
<User Name="SfUser" AccountName="Domain\UserName" AccountType="DomainUser" Password="pass" />
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="SfUser" />
</Policies>
This works: the application runs as Domain\UserName and can access all the folders I need. But this requires me to put my password in the configuration file, which is not satisfactory.
Using a local user
I then tried using a local user, thinking I would be able to configure access rights correctly using local user groups. The simplest version I could come up with is this:
<Principals>
<Users>
<User Name="SfUser" AccountName="LocalSfUser" AccountType="LocalUser">
<MemberOf>
<SystemGroup Name="MyLocalGroup"/>
</MemberOf>
</User>
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="SfUser" />
</Policies>
I think this configuration is correct since when I deploy my application I can see in Windows user manager that several "technical" users where created by Service Fabric and that they belong to MyLocalGroup. However my application never starts.
I noticed several messages in Windows event viewer that seem related to the problem:
Logon Type: 8
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Process Information:
Caller Process Name: C:\Program Files\Microsoft Service Fabric\bin\FabricHost.exe
Apparently, "Logon Type 8" means "Network clear text logon". I suspect a local policy preventing this kind of logon in my company.
When you run as a localuser, this creates a random local user account on the machine. The reason this is most likely failing in the example above is the <SystemGroup Name="MyLocalGroup"/> needs to be a valid Windows system group such as "Administrators". You also do not really need the AccountName attribute above, but it does no harm.
To solve you issue of getting a file from a remote directory you need to use a domain user as you tried since a local user does not have a shared secret that can be verified with AD. The difference is that you can encrypt the password in the application manifest using a certificate that is deployed to the machine. I have put an example ApplicationManifest.xml snippet below, showing how the password for the domain user is encrypted with a certificate called "MyCert".
<Principals>
<Users>
<User Name="TestUser" AccountType="DomainUser" AccountName="Domain\User" Password="[Put Encrypted Password Here" PasswordEncrypted="true" />
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="TestUser" />
<SecurityAccessPolicies>
<SecurityAccessPolicy ResourceRef="MyCert" PrincipalRef="TestUser" GrantRights="Full" ResourceType="Certificate" />
</SecurityAccessPolicies>
</Policies>
As a side note the article here https://azure.microsoft.com/en-us/documentation/articles/service-fabric-application-secret-management show how to create the encrypted password in settings.xml which is also often useful.
Related
I had Configure the Domino Credential Store.
I had modified the Domino Proton Server settings that enable client authentication.
I created the Vault ID.
I created the IAM-store.nsf from template with error message.
Error executing agent 'DeleteExpiredDocs' in 'iam-store.nsf'. Agent signer 'Domino Template Development/Domino': You are not authorized to perform that operation
I gave the IAM's functional ID access to the database.
I installed the IAM services for domino with the following message.
result screen of install domino-iam-service-2.2.0.tgz
Since I would like to config the iam-services for my testing server.
I select to setup the pilot mode.
According to the tutorial, https://doc.cwpcollaboration.com/appdevpack/docs/en/iam_landing_page.html
I could access the demo database, with anonymous setting of proton server.
C:\src\domino-db\package>npm run ptest -- read serv.org.com:3003/App\node-demo.nsf -q "Form = 'Contact' and LastName = 'Moody'"
read the content of demo database
Config the pilot mode successfully.
What is doing wrong?
Error, when try to startup pilot mode of IAM Service
I have put all the certificates to the folder config/certs,
in which the certificates are created by create_certs.cmd from the tutorial.
And I have convert the ca.crt into ca.pem.
Besides, I also put the keys created by ProtonCA into the config/certs.
Keys created by ProtonMicroCA
According to the tutorial, I modified the make_certs.cmd as the following:
make_certs.cmd
the certificates are posted to the config/certs directory
I'm not sure about your complete setup, a support ticket would help us diagnose this better. There should be a ca folder in the config/certs directory that contains any root certs you're using (like the ca.pem you have)
I have already implemented this: https://github.com/Azure-Samples/active-directory-b2c-xamarin-native sample into an external app, but i got errors while login with an openid identity provider.
To reproduce this problem I checked out the latest master of the sample, tried to reproduce this error within the solution and it also occurs there.
I just changed the B2CConstants file values and everything is working for local accounts.
In my Azure B2C I have created 2 identity providers for different AD's in my signin/signup policy.
For Android and iOS everything works fine as expected, also the login with the identity provider.
If I log in with the UWP App via the identity provider i get the following error:
"We can't connect to the service you need right now. Check your network connection or try this again later."
This message shows up in the external Popup Window after Login (normally it should redirect back to the App without error)
In my external app, sometimes its possible to login via the identity provider if I first login with local account ⇒ logout and login again with identity provider credentials. But its not really a workaround because the error comes again on the next login.
I configured the identity provider with following documentation:
https://learn.microsoft.com/de-de/azure/active-directory-b2c/tutorial-add-identity-providers
I tried following things:
add Capabilities:
<Capabilities>
<Capability Name="internetClient" />
<uap:Capability Name="enterpriseAuthentication"/>
<Capability Name="privateNetworkClientServer"/>
<uap:Capability Name="sharedUserCertificates"/>
<uap:Capability Name="userAccountInformation"/>
<Capability Name="internetClientServer"/>
</Capabilities>
found it here:
https://github.com/Azure-Samples/active-directory-b2c-xamarin-native/issues/137
And tried also setting the registry and redirect url which is created from the app during execution:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/UWP-specifics#properties-of-platformparameter-specific-to-winrt-and-uwp-corporate-network
some additional information, I developed the identity provider login with a signIn/signUp (default) policy, that was working at the beginning, the error occurs only sometimes.
After I changed to a only signin (default) policy, the error occurs nearly every time (only works with the workaround which i described already).
Im not quite sure what im missing or doing wrong, hope someone can help me.
Thank you!
We are currently testing azure web-app functionality for our own apache application. The application works with non security, but the application itself needs direct active directory access via ldap.
Example settings inside the application:
<ldap>
<connectionUrl>wehavenoidea:389</connectionUrl>
<roleBase>OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</roleBase>
<userPattern>{0},OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</userPattern>
<roleSearch>member={0}</roleSearch>
<useIndirectLookup>1</useIndirectLookup>
<indirectAdminDN>CN=AdminUser,OU=AADDC Users,DC=ourdomain,DC=onmicrosoft,DC=com</indirectAdminDN>
<indirectAdminPassword>ourpassword</indirectAdminPassword>
<indirectUserBase>DC=ourdomain,DC=onmicrosoft,DC=com</indirectUserBase>
<indirectSearchFilter>sAMAccountName={0}</indirectSearchFilter>
<rolemap>
<role target="Admin">Admin</role>
<role target="Accounting">Accounting</role>
</rolemap>
</ldap>
I have set up the app registration inside azure active directory with the required permissions. I can't find the connection url for the AD though.
Does anybody here know how to set this up?
Kind regards
We have web application deploy on Azure App Service. Our database is also on Azure which is configured to use AAD authentication (We have assigned AAD Admin).
We are using below connection string in web app to connect to this server and database using below connections string.
Data Source=xxxxxxx.database.windows.net;Initial
Catalog=xxxxxxx;Persist Security Info=False;Authentication=Active
Directory Integrated
Please note: This connection string is working fine when using thru local system. But getting below error when we use this conn string in Azure App Service:
Failed to authenticate the user NT Authority\Anonymous Logon in Active
Directory (Authentication=ActiveDirectoryIntegrated). Error code
0x4BC; state 10 The format of the specified domain name is invalid
According to your description, I found you used the Active Directory integrated authentication.
To use integrated Windows authentication, your domain’s Active Directory must be federated with Azure Active Directory. Your client application (or a service) connecting to the database must be running on a domain-joined machine under a user’s domain credentials
If you published the web app to Azure, Azure's web app server will not be in your domain’s Active Directory. So the SQL server will not pass the auth.
I suggest you could try to use Active Directory password authentication instead of the Active Directory integrated authentication.
Replace the connection string as below use azure AD user name and password. It will work well.
Server=tcp:brandotest.database.windows.net,1433;Initial Catalog=bradnotestsql;Persist Security Info=False;User ID={your_username};Password={your_password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Password";
Since the accepted answers are a bit dated, if you are out here in 2020 or later, the correct way for setting up integrated authentication is as follows:
(excerpted from here, the asp.net standard implementation)
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
add the Microsoft.Azure.Services.AppAuthentication nuget package.
modify your web.config by adding: (in configSections)
<section name="SqlAuthenticationProviders" type="System.Data.SqlClient.SqlAuthenticationProviderConfigurationSection, System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
(and then)
<SqlAuthenticationProviders>
<providers>
<add name="Active Directory Interactive" type="Microsoft.Azure.Services.AppAuthentication.SqlAppAuthenticationProvider, Microsoft.Azure.Services.AppAuthentication" />
</providers>
</SqlAuthenticationProviders>
It's important to pay attention to the name you use there. Then... your connection string will look like:
<add name="MyEntities" connectionString="metadata=res://*/Data.MyDB.csdl|res://*/Data.MyDB.ssdl|res://*/Data.MyDB.msl;provider=System.Data.SqlClient;provider connection string="server=tcp:MyDB.database.windows.net;database=MyDB;UID=AnyString;Authentication=Active Directory Interactive;"" providerName="System.Data.EntityClient" />
The important notes are that the name you specify in the SqlAuthenticationProviders section must be the exact same name you use in the connection string for Authentication.
The other important note is that, coming from your old connection strings, you have to change Data Source to be Server, and Initial Catalog to be Database. UID=AnyString is necessary, or an exception is thrown.
Failure to follow these steps exactly will net you a lovely error:
System.Data.Entity.Core.EntityException: The underlying provider failed on Open. ---> System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> AdalException: The format of the specified domain name is invalid.\r\n at ADALNativeWrapper.ADALGetAccessToken(String username, IntPtr password, String stsURL, String servicePrincipalName, ValueType correlationId, String clientId, Boolean* fWindowsIntegrated, Int64& fileTime)\r\n at System.Data.SqlClient.ActiveDirectoryNativeAuthenticationProvider.<>c__DisplayClass2_0.b__0()\r\n at System.Threading.Tasks.Task`1.InnerInvoke()\r\n at System.Threading.Tasks.Task.Execute()\r\n --- End of inner exception stack trace
At the first the error doesn't make sense, but once you see that the parameters were renamed from Data Source to Server, it does make sense.
Maybe all you need to use is token (certificate) authentication as explained on below resource:
https://github.com/Microsoft/sql-server-samples/tree/master/samples/features/security/azure-active-directory-auth/token
Try to register your application with Azure Active Directory as explained on that resource.
Hope this helps.
I am unable to use cookieless sessions in SharePoint. Everytime when I click on a site or subsite a new session id is getting created which is not as per expected behaviour (it is visible in the URL). How can I use cookieless sessions in SharePoint?
Create a Shared Services Provider. This is required in order to enable Session State and its content database is the location of our session data. If you already have an SSP, you can use the existing one.
If needed, associate your web application with this SSP (done by default if it is your first SSP).
In Central Administration, under Application Management, choose Session State, and ensure that it is enabled.
From a command prompt, navigate to the Microsoft.NET 2.0 Framework directory
(typically: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727)
Modify your web.config:
Uncomment the following line:
<add name=”Session” type=”System.Web.SessionState.SessionStateModule” />
Modify the following line:
<pages enableSessionState=”true” … />
Run the following command:
aspnet_regsql.exe -S -d -ssadd -sstype c -E
where:
<server_name> is the database server where your database is located
<database_name> is the content database of your shared services provider
Run aspnet_regsql.exe /? for more information on the remaining options