Any user can add workstation to Windows Server 2003 domain even with GPO set - windows-server-2003

As the title says - we have a domain with a DC running Windows Server 2003 that is allowing any authenticated user to add workstations to the domain. Currently in the Default Domain Policy, we have configured it to only allow Administrators to have this ability (also, this policy is applied to Authenticated Users):
Windows Settings -> Security Settings -> Local Policies/User Rights Assignment -> Add Workstation to Domain: BUILTIN\Administrators, DOMAIN\Domain Admins
What did we miss, or how might it be misconfigured to keep allowing any authenticated user to add workstations to the domain?
Thanks in advance for the help.

First check: which users are in the Domain Admins group?
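Added example, not part of the question or the answer above: a Python check of who actually holds the "Add workstations to domain" right, which security templates expose as SeMachineAccountPrivilege. It assumes the effective policy on the DC has been exported with `secedit /export /cfg template.inf` and that Domain Admins carries the standard RID 512; the template text below is constructed.

```python
import re

# Constructed sample of a security template in the layout written by
# "secedit /export /cfg template.inf" (assumption: real exports are
# UTF-16 and contain many more sections).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-11
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known identifiers: BUILTIN\Administrators and the Domain Admins RID.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
DOMAIN_ADMINS_RID = "512"

def parse_privilege_rights(inf_text):
    """Return {privilege name: [SID, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes each SID with a leading '*'
            rights[name.strip()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights

def is_domain_admins_sid(sid):
    """True for a domain SID whose RID is 512 (Domain Admins)."""
    return re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-" + DOMAIN_ADMINS_RID, sid) is not None

def unexpected_holders(inf_text):
    """SIDs holding 'Add workstations to domain' other than Administrators and Domain Admins."""
    holders = parse_privilege_rights(inf_text).get("SeMachineAccountPrivilege", [])
    return [s for s in holders if s != BUILTIN_ADMINISTRATORS and not is_domain_admins_sid(s)]
```

The user right is only one gate: in Active Directory, authenticated users can also create a limited number of computer accounts through the domain's ms-DS-MachineAccountQuota attribute, which this check does not cover.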

Related

Change admin password on Server 2012, breaks IIS

I have a server 2012 box running IIS. I am trying to change the admin password for the OS, but it is breaking permissions/access for IIS. I have since reverted back to the old password and all works. What do I need to change in addition to the OS to make the new password work for IIS sites?
Open IIS
Select Application Pools
right-click on your pool and select Advanced settings...
Edit the Identity setting with your credentials
For mine, I set the Custom Account. I have to update this every time I change my credentials.
Have you tried synchronizing the new password in IIS, in the sites that don't work?
Check site credentials, especially if using a "specific user" (as opposed to pass-through authentication) at:
IIS console-->Click on site-->Click Basic Settings (on the Action panel)-->Connect As
There you can synchronize the password registered in IIS with the current user password, but take note that if this works, then something is wrong with your configuration since the logged on user (the admin as you mentioned) shouldn't be used to access site data/folders. It's way too risky!!
If you're using pass-through authentication, check the configuration of the application pool that the site is using, but I repeat: if changing/synchronizing the admin's password solves your problem, then you must have some bad configuration in place.
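Added example, not from any of the answers above: a Python audit that lists every place in IIS's applicationHost.config where an explicit account is stored, so you know which app pool identities and "Connect As" settings must be updated when that account's password changes. It assumes the real file is at %windir%\System32\inetsrv\config\applicationHost.config; the excerpt below is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of applicationHost.config (assumption: the real file
# sits in %windir%\System32\inetsrv\config and stores passwords encrypted).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" managedRuntimeVersion="v4.0">
        <processModel identityType="SpecificUser" userName="WEB01\\Administrator" password="[enc:...]" />
      </add>
      <add name="ReportsPool">
        <processModel identityType="ApplicationPoolIdentity" />
      </add>
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/intranet" applicationPool="ReportsPool">
          <virtualDirectory path="/" physicalPath="\\\\fileserver\\share"
                            userName="WEB01\\Administrator" password="[enc:...]" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

def stored_credentials(config_text):
    """Return (kind, location, userName) for every IIS object that stores an account."""
    root = ET.fromstring(config_text)
    found = []
    # Application pools running as a specific user (Advanced Settings -> Identity)
    for pools in root.iter("applicationPools"):
        for pool in pools.findall("add"):
            pm = pool.find("processModel")
            if pm is not None and pm.get("identityType") == "SpecificUser":
                found.append(("apppool", pool.get("name"), pm.get("userName")))
    # Virtual directories with a Connect As user (Basic Settings -> Connect As)
    for site in root.iter("site"):
        for app in site.findall("application"):
            for vdir in app.findall("virtualDirectory"):
                if vdir.get("userName"):
                    loc = site.get("name") + app.get("path").rstrip("/") + vdir.get("path")
                    found.append(("connect-as", loc, vdir.get("userName")))
    return found

def places_to_update(config_text, account):
    """Locations whose stored password must be changed along with `account`."""
    return [(kind, loc) for kind, loc, user in stored_credentials(config_text)
            if user.lower() == account.lower()]
```

Any hit on a built-in administrator account is also the misconfiguration the answer above warns about: the site should run under a dedicated low-privilege account instead.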

IIS Web Deploy - ERROR_USER_NOT_ADMIN

I have a server which is part of a domain. When I publish a web application from Visual Studio with a domain user everything is ok. But when I try to publish with a local machine user (not part of a domain) I get ERROR_USER_NOT_ADMIN. Both users are in Administrators group. I tried specifying user as username, .\username and machinename\username but it's not working. Is there anything else I should do to be able to publish with a local machine user?
I received this error when I published with an incorrect password.
Not the best answer in the world but I post this to point out that an incorrect password does indeed return this exact error though you would never know it when you read the error message.
This error can also be received when deploying ASP.NET Core application with Visual Studio 2015. In order to fix the problem in this case, add the following lines in the .pubxml file:
<ADUsesOwinOrOpenIdConnect>False</ADUsesOwinOrOpenIdConnect>
<AuthType>NTLM</AuthType>
You can't do that; the server you aim to publish to needs an authorized domain account to allow access to your Visual Studio publishing service. Local accounts are specific to your local machine regardless of whether they are administrator logins. They are just local admin logins, not domain admin logins.
Get your administrator to set up a domain user (don't use domain admin accounts; this is a security risk) for publishing purposes, or use your current domain user account.

Certificates problem with Sharepoint

I'm contacting a web service using a certificate stored in Machine and in user space "myUser".
When I contact the web service impersonating "myUser" from a win application all works well.
But when I contact it from the SharePoint context (I have only 1 frontend) I only sometimes get the following error:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'server.host:4443'
I verified that the web service is invoked using user "myUser" as expected, but in the SharePoint context this method sometimes crashes.
I don't know what can be the problem. It seems related to Sharepoint/ASP.NET security context but all seems to be ok. Any suggestion?
I think that the "only sometimes" is the important point here.
Since it works most of the time, it is actually set up and configured OK.
The machine that you are sending the certificate to must be able to validate the certificate. My guess is that something is going wrong sometimes. Things that could cause this are:
a network problem, firewall ...
AD server down (I am assuming a self issued certificate)
AD server too busy
Check the event logs of your AD and Sharepoint server.
Have you granted access to the certificate for the asp.net worker process under which SharePoint is running?
In Windows 2008, you need to open the certificates MMC (Start -> Run -> MMC -> File -> Add/Remove Snap-in -> Certificates). Be sure to select "Computer Account" when prompted for how certificates will be managed. Locate the certificate, right-click on it, and select "All Tasks". There should be an option in there that allows you to manage permissions to the certificate. You will need to grant read access to the account under which the application pool for SharePoint is running.
Note: if you are running Windows Server 2003, you will need to use winhttpcertcfg.exe to configure certificate permissions.
Try this:
// Accepts every server certificate, i.e. turns off certificate validation for all HTTPS calls in the process
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);
Before you make any calls.

Mysteriously appearing required NT authentication after Classic ASP site update?

A developer posts their code from a staging site (which requires authentication) to the live public site (which should not) and suddenly the live site is requiring authentication (which is not good).
They don't have permissions to change any settings on the server(s) and there is no call from the code on the live site to anything on the staging site, that I can locate. (No forgotten calls to an image on the staging site or anything)
Can the group think of some file that might have been removed/changed that could cause this to happen? I checked this question as well - [HTTP Authentication in ASP Classic via IIS] - but none of those methods are being used.
App is Classic ASP, IIS6.0 server.
Security Settings - Anonymous Access permitted on the live site. Account for anonymous internet users allowed read access to the directory where the site is located - user is unable to change directory or site permissions on the server.
Thanks!
Did the files retain their security permissions from the folder they were copied from? Reset the permissions on the files.
Are you using a four-part URL to get to the site (http://www.somesite.com/)? That will default to the Internet zone and not intranet, prompting for authentication.
User will get challenged when Anonymous Access is turned off in IIS. What are the security settings? Without that information, we will not be able to help much.

How do I setup IIS 6 with anonymous access for local asp.net webforms development?

When I setup IIS6 to develop projects locally I have to enable "Integrated Windows Authentication" under directory security in order for my CSS & Images to show up. (Note: I have double checked that network service has rights to all directories in my web application)
However this often causes my browser to prompt me for windows login username and password when I am running the application.
Is there anyway to get around entering a windows login password all the time ?
(I am using windows xp pro 64bit)
Maybe it is some problem with the Kerberos authentication to your web site. Just disable it on your site. From the c:\Inetpub\AdminScripts directory run this command:
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"
Or change the authentication to anonymous, and make sure that the user in the Directory Security tab (IUSR_computername) has access to said directories. It is not the application pool user who accesses files and other resources.
Well it certainly is not as it's supposed to be!
You say you've double checked that Network Service has access to the directories. But with anonymous access, the account that needs access is the IUSR_[machinename] account. The account is specified under the Directory Security tab.
If all else fails, for local development you might as well grant everyone access to the directories.