Connections API: Posting on behalf of others / Impersonation - ibm-connections

I'm currently implementing a solution where an external tool is making posts to the Connections API. These calls are made via basic authentication with a service account configured in the external tool.
However, I need the posted content in Connections to appear as posted by a user other than the service account (user IDs/emails are known to the external tool). Is there any way the service account can post on behalf of others/impersonate users when posting to the API?

You need to add your external tool's user account to the right WebSphere roles.
These applications/roles are:
WidgetContainer: trustedExternalApplication, admin
You can follow this article to set it up on your system.
In order to give a user administrative access to widgets, we can assign some privileges to one of the users - fadams.
You need to start the deployment manager on the quickstart.
Connect to the system via SSH
sudo /etc/init.d/ConServer_DM_was.init start
Navigate to https://${HOSTNAME}:9044/ibm/console/login.do?action=secure
Enter User ID : wasadmin
Enter Password : lcsecret
Click Login
Expand Applications > Application Types
Click on WebSphere Enterprise Applications
Select one of the Applications (from the table)
Application        Role
Homepage           admin
WidgetContainer    trustedExternalApplication, admin
Communities        widget-admin, admin
Profiles           admin
Click on Homepage
Click on "Security role to user/group mapping"
Select One of the Roles (Admin)
Click Map Users
Enter Search String - fadams
Click Search
Click the Right Arrow
Click Ok
Click Ok
Click Save
Repeat for Each Application and Each Role in the Table Above
....
Click System Administration on the Left
Click on Nodes
Check localhostNode01
Click Synchronize
The Servers are now synchronized with your updates to the roles.
Click Servers > Server Types > WebSphere application servers
Check conServer
Click Restart
Once you see the green arrow again, the Connections server is fully restarted.
Navigate to https://${HOSTNAME}:444/homepage
Log in as fadams with your password.
You should see Administration on the left side of your Connections instance.
http://www-10.lotus.com/ldd/appdevwiki.nsf/dx/How_to_update_the_quickstart_to_support_Widgets
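As an added example (not code from the original answer or from IBM), here is what the external tool's side of this looks like once the service account holds the role above: a PowerShell client that authenticates with the service account and attributes the post to another user. It assumes the run-as mechanism is the X-LConn-RunAs request header that the Connections API documents for trusted external applications (confirm the header name and the user-id format against the API documentation for your release); the endpoint URL, user ids and body are placeholders. Because the trustedExternalApplication role lets the account run as any user, the tool keeps its own allowlist and audit log rather than trusting whatever id it is handed; likewise, review whether the service account really needs every admin role in the table above before mapping it.

```powershell
# Added example, not from the original answer or from IBM.
# Assumptions: service account is mapped to WidgetContainer trustedExternalApplication;
# run-as is done with the X-LConn-RunAs header (verify for your release); all names,
# ids and the endpoint below are placeholders.

function Send-ConnectionsPostAs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Uri,             # API endpoint to post to
        [Parameter(Mandatory)] [pscredential] $ServiceCred,     # the tool's basic-auth service account
        [Parameter(Mandatory)] [string]       $RunAsUserId,     # Connections user id the post is attributed to
        [Parameter(Mandatory)] [string[]]     $AllowedUserIds,  # explicit allowlist maintained by the tool
        [Parameter(Mandatory)] [string]       $Body,
        [string] $ContentType = 'application/json'
    )

    # Fail closed: the role lets the account run as *any* user, so the tool itself
    # must decide which identities it is willing to impersonate.
    if ($AllowedUserIds -notcontains $RunAsUserId) {
        throw "Refusing to post as '$RunAsUserId': user is not in the tool's allowlist."
    }

    $headers = @{ 'X-LConn-RunAs' = "userid=$RunAsUserId" }

    # Send the Basic credentials up front instead of relying on the 401 challenge round trip.
    $pair = '{0}:{1}' -f $ServiceCred.UserName, $ServiceCred.GetNetworkCredential().Password
    $headers['Authorization'] = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

    # Keep a caller-side audit record of every impersonated post.
    Write-Verbose ('{0:o} service={1} runas={2} uri={3}' -f (Get-Date), $ServiceCred.UserName, $RunAsUserId, $Uri)

    Invoke-RestMethod -Method Post -Uri $Uri -Headers $headers -ContentType $ContentType -Body $Body
}

# Usage (placeholders throughout). The allowlist would normally come from the tool's configuration.
$cred    = Get-Credential -Message 'Connections service account'
$allowed = @('20000001-0000-0000-0000-000000000001')   # constructed sample user id
Send-ConnectionsPostAs -Verbose `
    -Uri            'https://connections.example.com/connections/opensocial/basic/rest/ublog/@me/@all' `
    -ServiceCred    $cred `
    -RunAsUserId    '20000001-0000-0000-0000-000000000001' `
    -AllowedUserIds $allowed `
    -Body           (@{ content = 'Posted by the external tool on behalf of a user' } | ConvertTo-Json)
```

The allowlist check is the part that matters operationally: once the account is in trustedExternalApplication, the server will accept any userid in that header, so the only place the set of impersonable users is constrained is in the tool.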

Related

Method to "Intervene" after a login, to force user to update contact info

Every 3 months, we have a requirement to force users into an app to update their contact info (this is an in-house app, and we will also have a situation where an app is used to update emergency alert phone numbers and email addresses) before they can access any other apps on the OneLogin dashboard. Once a user has updated their info, they can access the OneLogin dashboard as usual. Do you have any examples, or can you provide any ideas of how this could be done?
An account administrator can log into their company's OneLogin portal.
In the upper right-hand corner there is a link, Administration; click it.
In the administration panel, hover over the Security tab and select Policies when it appears.
Start a new policy. On the left side there is a tab, Password. This allows you to enforce the password age policy.
Once the policy has been configured, it just needs to be applied to the users.

Web Installer Issue -DB Issue -The server principal "DOMAIN\MACHINENAME$" is not able to access the database

I am getting the error below while generating the SQL scripts using a web installer with Integrated Security set to true (Windows authentication mode on).
It works perfectly fine in SQL authentication mode.
The server principal "DOMAIN\MACHINENAME$" is not able to access the database "" under the current security context.
Regards
First, if you access a private database with your current account, you should make sure that your current account is in the domain.
Then, if you have a web.config file in your project, add <identity impersonate="false" /> under <system.web>.
===================
If you use SQL Server,
1) Log into it and check whether you can access the database's info. Or just change another
2) Go to SQL Server --> Security --> Logins, right-click NT AUTHORITY\NETWORK SERVICE and select Properties.
In the newly opened Login Properties screen, go to the User Mapping tab. On the User Mapping tab, select the desired database, especially the database for which this error message is displayed. On the lower screen, check the role db_owner. Click OK.
=================
If you use SSMS,
Open SSMS --> Security --> Logins.
Right-click NT AUTHORITY\NETWORK SERVICE and click Properties.
Go to the Status tab and set Permission to Connect to Database Engine to Grant.
==================
If you use IIS Manager,
Open IIS Manager --> your application pool --> Advanced Settings --> set a custom account under the Identity menu --> then enter your domain user name (DOMAIN\USERNAME) and password.
Or you could just click Identity --> select Built-in Account and choose NetworkService.
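The "DOMAIN\MACHINENAME$" principal in the error is the computer account, which is what SQL Server sees when the app pool runs as NetworkService or ApplicationPoolIdentity and connects across the network. Rather than clicking through User Mapping and handing out db_owner, the same grant can be scripted with narrower roles. The following is an added example, not part of the answer above; it assumes the SqlServer PowerShell module (Invoke-Sqlcmd), sysadmin rights on the instance, SQL Server 2012 or later (for ALTER ROLE ... ADD MEMBER), and placeholder instance, database and principal names that you replace with your own.

```powershell
# Added example, not from the original answer. Grants the machine account named in the
# error access to one database with less than db_owner, then verifies the mapping.
# Assumptions: SqlServer module installed, sysadmin on the instance, SQL Server 2012+,
# placeholders below replaced with your values.
param(
    [string] $Instance  = 'SQLHOST\INSTANCE',       # placeholder
    [string] $Database  = 'MyAppDb',                # placeholder
    [string] $Principal = 'DOMAIN\MACHINENAME$',    # the principal from the error message
    [switch] $AllowSchemaChanges                    # set only if the installer creates tables/procedures
)

Import-Module SqlServer

# Quote the principal for identifier and string-literal positions in T-SQL.
$ident = '[' + $Principal.Replace(']', ']]') + ']'
$lit   = "N'" + $Principal.Replace("'", "''") + "'"
$db    = '[' + $Database.Replace(']', ']]') + ']'

# Least privilege: read/write data; add DDL rights only when the installer needs them.
$roles = @('db_datareader', 'db_datawriter')
if ($AllowSchemaChanges) { $roles += 'db_ddladmin' }   # still far short of db_owner

$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $lit)
    CREATE LOGIN $ident FROM WINDOWS;
USE $db;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $lit)
    CREATE USER $ident FOR LOGIN $ident;
"@
foreach ($r in $roles) { $grant += "`nALTER ROLE [$r] ADD MEMBER $ident;" }

Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Query $grant

# Verify which roles the principal now holds in the target database.
$check = @"
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members drm
JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = drm.member_principal_id
WHERE m.name = $lit;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $check | Format-Table -AutoSize
```

If the installer only needs to generate scripts rather than execute them, even db_datareader/db_datawriter may be more than it requires; start from the verify query's output and remove roles the installer never exercises.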

All Users Visible to External Users in myapps.microsoft.com Azure AD

We have an Azure Active Directory Enterprise Application which we have invited users to use. We can invite any email address and they can sign up, then they can go to myapps.microsoft.com and see the app; this is all working great.
However, one problem: on the right-hand side of myapps.microsoft.com (aka https://account.activedirectory.windowsazure.com/r#/applications) there's a group icon:
When I click on this groups icon and then All Users, I can see every single user inside our instance of Azure AD. How can I prevent this?
You can enable "Guest user permissions are limited" from portal.azure.com -> Azure Active Directory -> User settings -> External collaboration settings. This should prevent guests from seeing other users. If this is not enabled, guests can see a full user list at, e.g., portal.azure.com.

How to access active directory by multiple user in MS Azure

I have an Active Directory in MS Azure. I want my colleagues to use the same directory so that we can do some R&D on it. I have already created users for them using their Hotmail IDs. I have also changed their user role to "Global Admin". They can't see any option to access the same Active Directory after logging in. Is there any way they can use a URL like
https://manage.windowsazure.com/#IamNewInAzurehotmail.onmicrosoft.com#Workspaces/All/dashboard
and log in with their Hotmail account?
You need to add them to the Administrators list in the Settings option of the Azure panel.
Steps:
Log in to the Azure Portal as the root administrator.
Go to the left panel and select Settings.
Go to the Administrators tab in the right-side pane.
Click the Add button in the task pane and add their Hotmail or organisation ID as a Co-Administrator, then select the subscription you want to give them access to.
Click the tick mark to apply these settings.

iis: Integrated Windows authentication still pops up account info login

I have a website running on a Windows 2003 server on IIS 6, serving pages for a LAN where everybody is working with a domain account. On other machines this works fine: no one has to log in to the website, and the dynamic scripts pick up the account name from the HTTP request.
Only when browsing from the server itself (via remote desktop, e.g.) does Internet Explorer still pop up the domain login dialog when navigating to this site (both the usual URL and http://localhost/). This was no problem on the Windows 2000 server we recently migrated the website from.
I had this problem or similar and solved it by:
adding http://localhost to list of Intranet sites, via IE > Tools > options > security > Local intranet > Sites > advanced > add http://localhost. (This is necessary if you have IE Enhanced Security installed which assigns all intranet Web sites and all UNC paths that are not explicitly listed in the Local intranet zone to the Internet zone, even localhost or other domains that don't contain '.' symbol which would normally be considered intranet by default.)
also on Security > Local Intranet > see what level of security you're on, to ensure that logon details are passed through. If it's Custom then click the Custom Level... button, scroll right to the bottom, under User Authentication > logon > for me it's 'Automatic logon only in Intranet zone', which works.
Did you configure IE on your Windows 2003 box for "Enable Integrated Windows Authentication"? This needs to be configured in IE6 to automatically use the logged-in user credentials.
You'll probably have better luck on ServerFault for this issue, as it's probably down to server configuration. Take a look at this KBAlertz.com article; yes, it's specific to SharePoint, but some bits are more general. I suspect (given that you've said you've migrated to a new machine) that the issue is around the new machine not being "trusted for delegation", so look at the part titled "Configure trust for delegation for Web parts":
Configure trust for delegation for Web parts. To configure the IIS server to be trusted for delegation, follow these steps:
Start Active Directory Users and Computers.
In the left pane, click Computers.
In the right pane, right-click the name of the IIS server, and then click Properties.
Click the General tab, click to select the Trust computer for delegation check box, and then click OK.
Quit Active Directory Users and Computers.
If the application pool identity is configured to use a domain user account, the user account must be trusted for delegation before you can use Kerberos authentication. To configure the domain account to be trusted for delegation, follow these steps:
On the domain controller, start Active Directory Users and Computers.
In the left pane, click Users.
In the right pane, right-click the name of the user account, and then click Properties.
Click the Account tab, under Account Options, click to select the Account is trusted for delegation check box, and then click OK.
Quit Active Directory Users and Computers.
If the application pool identity is a domain user account, you must configure an SPN for that account. To configure a SPN for the domain user account, follow these steps:
Download and install the Setspn.exe command-line tool. To do so, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en
Use the Setspn.exe tool to add an SPN for the domain account. To do so, type the following line at the command prompt, and then press ENTER, where ServerName is the fully qualified domain name (FQDN) of the server, Domain is the name of the domain, and UserName is the name of the domain user account:
Setspn -A HTTP/ServerName Domain\UserName
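As an added example, not from the KB article or the answers above, here is the same SPN registration and delegation setup done in PowerShell with the two checks a practitioner would want. First, a duplicate-SPN check before registering: two accounts holding the same HTTP/ServerName SPN breaks Kerberos for both and makes clients fall back to NTLM or prompt, which is exactly the symptom in the question (setspn -S performs this check, unlike the -A form in the KB). Second, the KB's "trusted for delegation" checkbox enables unconstrained delegation, which lets the account obtain tickets to any service as the authenticated user; the example configures constrained delegation to the one backend the site needs instead. It assumes the RSAT ActiveDirectory module, rights to modify the service account, and placeholder host, account and backend SPN names.

```powershell
# Added example, not from the KB article quoted above. Registers the HTTP SPNs for the
# application pool account after a duplicate check, then sets constrained delegation.
# Assumptions: RSAT ActiveDirectory module; permission to edit the account; the names
# below are placeholders.
$ServerFqdn  = 'web01.corp.example'   # placeholder: IIS server FQDN
$ServerShort = 'web01'                # placeholder: NetBIOS host name
$Account     = 'svc_apppool'          # placeholder: app pool domain user (sAMAccountName)
$Domain      = 'CORP'                 # placeholder: NetBIOS domain name
$BackendSpn  = 'MSSQLSvc/sql01.corp.example:1433'   # placeholder: the only service the site must reach

Import-Module ActiveDirectory

# 1. Register HTTP/<fqdn> and HTTP/<short> only if no *other* account already holds them.
$spns = "HTTP/$ServerFqdn", "HTTP/$ServerShort"
foreach ($spn in $spns) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    $others  = @($holders | Where-Object { $_.sAMAccountName -ne $Account })
    if ($others.Count -gt 0) {
        throw "SPN $spn is already held by $($others.DistinguishedName -join '; '); resolve the duplicate first."
    }
    if ($holders.Count -eq 0) {
        # -S checks for duplicates domain-wide before adding; the KB's -A form does not.
        & setspn.exe -S $spn "$Domain\$Account" | Out-Null
    }
}

# 2. Constrained delegation: allow the account to delegate only to the listed backend SPN.
#    This is the alternative to the KB's "trusted for delegation" checkbox (unconstrained).
Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }
# Only if browsers will reach the site with something other than Kerberos (NTLM, forms) and
# the site must still delegate, enable protocol transition as well:
# Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true

# 3. Verify: SPNs present, delegation constrained, unconstrained flag not set.
Get-ADUser -Identity $Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation |
    Select-Object Name, TrustedForDelegation,
        @{ n = 'SPNs';       e = { $_.servicePrincipalName -join ', ' } },
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

TrustedForDelegation should report False in the verification output; if it is True, the account has unconstrained delegation from an earlier checkbox click and is worth reviewing.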
