Windows service permissions - security

I have a NServiceBus 3.0 publisher which runs under a domain service account. The publisher has no external dependencies and locally the only dependencies are the input queue and ravendb.
I have granted the service account full control over the input queue.
When I add the service account into the local admin group the service starts fine. If I remove the service account from local admins I am getting an error in the system log on start up:
The BlahBlahBlah service failed to start due to the following error:
Access is denied.
If I look in the security log the following 4 entries are written:
Entry 1:
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: MYSERVER$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon GUID: {a224c91b-adce-3a5b-ca32-32265f073d2b}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x1ec
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
Entry 2:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: MYSERVER$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Logon GUID: {a224c91b-adce-3a5b-ca32-32265f073d2b}
Process Information:
Process ID: 0x1ec
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: MYSERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Entry 3:
Special privileges assigned to new logon.
Subject:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Privileges: SeImpersonatePrivilege
Entry 4:
An account was logged off.
Subject:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Logon Type: 5
All entries are recorded during the service startup.
My question is what explicit permissions do I need to set to start this service without having the service account in the local admins?

This is still unresolved so we had to grant local admins permissions to our service account. Luckily this was just on our integration environment and we didn't encounter this issue in production.
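An added diagnostic, not part of the original post, that pulls the same four Security-log entries the post lists into one timeline for the service account so the logon-type-5 sequence can be read at a glance. The account name and time window are assumptions to adjust; the event IDs are the standard Windows IDs for those four messages.

```powershell
# Added example: correlate the Security-log events seen during a failed service start.
# Standard Windows Security event IDs for the four messages quoted in the post:
#   4648 = a logon was attempted using explicit credentials
#   4624 = an account was successfully logged on (Logon Type 5 = service)
#   4672 = special privileges assigned to new logon
#   4634 = an account was logged off
# Assumptions: account name and lookback window below; run from an elevated shell,
# since reading the Security log requires administrative rights.
param(
    [string]$Account = 'svc_AppPrototype',   # assumed; taken from the post's entries
    [int]$Minutes    = 10                    # assumed lookback window
)

$since  = (Get-Date).AddMinutes(-$Minutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4648, 4624, 4672, 4634
    StartTime = $since
} -ErrorAction Stop

$events |
    Where-Object { $_.Message -match [regex]::Escape($Account) } |
    Sort-Object TimeCreated |
    ForEach-Object {
        # Pull the structured EventData fields instead of parsing the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4624/4634 carry the new session's ID as TargetLogonId; 4648/4672 only
        # have SubjectLogonId (0x3e7 = SYSTEM for the services.exe caller in 4648).
        $logonId = if ($data.ContainsKey('TargetLogonId')) { $data['TargetLogonId'] }
                   else { $data['SubjectLogonId'] }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            LogonType = $data['LogonType']
            LogonId   = $logonId
            Process   = $data['ProcessName']
            Privs     = $data['PrivilegeList']
        }
    } | Format-Table -AutoSize
```

A run that shows 4624 (type 5) and 4672 for the account followed immediately by 4634, with no other denied-access event in between, confirms the logon itself succeeded and narrows the "Access is denied" to a permission the service hits after logon.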


Access ADLS2 from PowerBI service with Guest user credentials

I've tried to give access to an Active Directory external user (with Guest type). ADLS2 enables the use of such users for RBAC or ACL tables.
But when I tried to access ADLS2 as a guest user from the Power BI service I've got an error:
"The credentials provided for the AzureDataLakeStorage source are invalid.":
Failed to update data source credentials: The credentials provided for the AzureDataLakeStorage source are invalid. (Source at https://hasodl2westeurope.dfs.core.windows.net/mycontainer/samplefolder.)
Activity ID: 269cbc1b-c50a-4078-a408-6f64246d0a19
Request ID: caabe243-c75a-5507-1610-88cc41b19ae6
Status code: 400
Time: Thu Jan 09 2020 12:27:37 GMT+0200 (Eastern European Standard Time)
Service version: 13.0.11747.315
Client version: 1912.2.031
Cluster URI: https://wabi-west-europe-b-primary-redirect.analysis.windows.net/
Is this behavior a bug or a feature?
Is there a way to access ADLS2 as a Guest user?
ADLS only supports AD users from the same tenant, not guest users - source.

Cannot verify AD user unless refresh application pool

I have a .Net website using AD user credentials. The website is deployed on IIS 8. The users are frequently unable to log in as the AD server cannot authenticate the user. Username/password are correct. However, if I recycle the application pool then the users are able to log in again. This happens almost every day, or sometimes even every couple of hours.
Dim result As EAuthenticationResult = EAuthenticationResult.NotAthorised
Try
    For Each provider As MembershipProvider In Membership.Providers
        If provider.ValidateUser(userName, password) Then
            result = EAuthenticationResult.OK
            Exit For
        End If
    Next
    'result = EAuthenticationResult.OK ' REMOVE --BRIJESH(Bypass authentication)
    If result <> EAuthenticationResult.OK Then
        ModelState.AddModelError("_FORM", "The username or password provided is incorrect.")
    End If
Catch ex As Exception
    ModelState.AddModelError("_FORM", "Failed authenticate the user against AD.")
    result = EAuthenticationResult.Failed
End Try
Return result
The server is load-balanced and currently the issue is occurring on one of the servers. It returns "Failed authenticate the user against AD." but I am not able to see the details. In the application pool log the following error keeps occurring on the server where the issue happens. Not sure if it is related.
> Event code: 4005
> Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
> Event time: 20/05/2019 9:15:23 AM
> Event time (UTC): 19/05/2019 11:15:23 PM
> Event ID: 14857b08bdfe4bf996c34404b09c936b
> Event sequence: 523
> Event occurrence: 25
> Event detail code: 50202
> Application information:
> Application domain: /LM/W3SVC/1/ROOT/StudentSupportServices-1-132027582820585785
> Trust level: Full
> Application Virtual Path: /StudentSupportServices
> Application Path: D:\Inetpub\legacyprivate\eduweb.StudentSupportServices\wwwroot\
> Machine name: PRWWWFN03
> Process information:
> Process ID: 6704
> Process name: w3wp.exe
> Account name: *****
> Request information:
> Request URL: ****
> Request path: ***
> User host address: *****
> User:
> Is authenticated: False
> Authentication Type:
> Thread account name: ****
> Name to authenticate:
> Custom event details:

upgrading from hyperledger composer v0.16 to v0.20.2

I am upgrading my tutorial from composer v0.16 to composer v0.20.2. Most of the upgrade has gone smoothly, however I'm running into an authentication problem that I can't get around. I'm going through a step-wise process to create and activate a user. In v0.16, I did the following:
ADD a new member to a registry
ISSUE identity for the new member
CREATE and IMPORT a card for the new member
PING the business network using the new member ID
The last step 'activated' the member, so that they could do productive work in the network. In v0.20, the first 3 steps still work flawlessly, however the PING step now returns the following error:
transaction returned with failure: AccessException:
Participant 'org.acme.Z2BTestNetwork.Buyer#rdd#xyz.com' does not have 'READ' access to resource
'org.hyperledger.composer.system.Network#zerotoblockchain-network#0.1.5'
I've simplified my permissions.acl file down to just the following 3 statements:
rule Z2BTestFullAccess {
    description: "Allow all participants access to all resources"
    participant: "org.acme.Z2BTestNetwork.Buyer"
    operation: READ
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}
rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
I can further simplify the first rule to be:
rule Z2BTestFullAccess {
    description: "Allow all participants access to all resources"
    participant: "ANY"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
But it still fails with the same error message.
composer card list for the new card returns:
userName: rdd-xyz.com
description:
businessNetworkName: zerotoblockchain-network
identityId: 6c6eab0d11d26ccfc4a8164dbe971814d2120802e84d1b3b98b16ceb2cb80334
roles: none
connectionProfile:
name: hlfv1
x-type: hlfv1
credentials: Credentials set
composer network ping for the new card returns the same error as the nodejs code.
How do I determine the root cause of this error and, more importantly, how do I resolve this? Happy to add code segments for each step if that will help.

How to export Azure Database using Active Directory authentication and guest account

I have an Azure Subscription with a Default Directory, with my company's account (myname#mycompany.com) added as a guest.
I log in to the Azure portal with this company account.
In the SQL Server, I have set Active Directory admin to an AAD group and I'm member of the group.
When I click Export (database) in Azure Portal, I select Active Directory authentication and type my username/password:
However I'm getting:
Failed to export the database: MyDatabase. ErrorCode: 400
ErrorMessage: There was an error that occurred during this operation :
'Error
encountered during the service operation. ; Exception
Microsoft.SqlServer.Management.Dac.Services.ServiceException:Unable to
authenticate request; Inner exception
System.Data.SqlClient.SqlException:Failed to authenticate the user
username#mycompany.com in Active Directory
(Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003;
state 10; MSIS7068: Access denied.; '
Failed to authenticate the user username#mycompany.com in Active Directory (Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003; state 10; MSIS7068: Access denied
According to the error information, it indicates that the user password is not correct.
Based on my test, it works correctly if you set the Active Directory admin to an AAD group and if you are a member of the group.

Active Directory(AD) Authentication in Azure Sql not working

I am trying to get Azure AD Authentication working against my Azure SQL Database.
I created a PaaS database and its associated PaaS Sql Server.
I assigned MY Azure AD account as "Active Directory admin" of the "PaaS Sql Server".
Next, I logged in to SSMS using MY domain account to create the user:
CREATE USER [xxx#yyy.com] FROM EXTERNAL PROVIDER;
GO
sp_addrolemember db_datareader, [xxx#yyy.com];
GO
sp_addrolemember db_datawriter, [xxx#yyy.com];
GO
When I attempt to log in with the xxxxx#yyy.com account, I get back:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (.Net SqlClient Data Provider)
Server Name: zzzzz.database.windows.net
Error Number: 18456
Severity: 14
State: 1
Line Number: 65536
What am I missing?
Weird observation: if I intentionally use the wrong password I get back this error:
AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password. That tells me the AD is somehow working, but something is broken in the overall process.
Another weird observation:
If I add a valid AD account, it succeeds
CREATE USER [xxx#yyy.com] FROM EXTERNAL PROVIDER;
If I generate a bad AD account
CREATE USER [xxxABC#yyy.com] FROM EXTERNAL PROVIDER;
I get back:
Principal 'xxxABC#yyy.com' could not be found or this principal type is not supported.
From a "similar post":
The Anonymous Logon error occurs when you haven't specified the database you want to connect to. Simply select "options" on the SSMS login screen and type in the database name you want to connect to. This is because your user is a contained user on the database it was created in. It does not exist on Master. – Greg Grater Mar 7 '17 at 1:23
This fixed my issue -- hours wasted!!!
Note: for ODBC connections the user must also be created in master.
