Issue with database connection from sharepoint workflow with integrated security options - sharepoint

Good morning everyone,
I'm running into an issue using a SharePoint workflow project (C#,
VS 2008) and connecting to a database. Here is my database connection
string:
Data Source=DBSERVER;Initial Catalog=DBNAME;Integrated Security=True;
When I attempt to run the following code I get the following error ...
SqlConnection dbEngine = new SqlConnection(Constants.DBCONNECTION_STRING);
dbEngine.Open();
"Login failed for user 'DOMAIN\MACHINE_NAME$'"
What I need it to do is pass through the logged in user's credentials.
I've got impersonation turned on but it doesn't seem to be passing
through. Any suggestions would be very much appreciated.
Thank you in advance for any advice,
Scott Vercuski

Any DB access should run as a Windows Service account for security and connection pooling reasons.
Regarding the Workflow Security Context, see:
SharePoint, Workflows and Security
http://cglessner.blogspot.com/2008/09/sharepoint-workflows-and-security.html
Declarative Workflows and User Context http://blogs.msdn.com/sharepointdesigner/archive/2008/09/28/declarative-workflows-and-user-context.aspx
Security and Application Development in SharePoint: First Steps
Workflow
http://www.microsoft.com/technet/community/columns/secmvp/sv0408.mspx#EACAC

Are the web front end and the SQL server on the same box?
If not, you'll have to set up Kerberos to allow credentials propagation.

You cannot do that - the workflow does not run in the context of a user. Workflows are executed asynchronously. Only (HTTP) WebPage-Requests run in the context of the user (if you turn on impersonation). You cannot flow the impersonation to the workflow. To restore impersonation in the workflow (which you should not do) would require username AND password OR protocol transition (process would need to run under system then).
Additionally, your application has a serious design issue if you try to access the db from an impersonated user context. That messes up connection pooling and will seriously hurt performance. That is generally a no-go.
This is not a Kerberos issue. The process tries to access the db as the machine account, which tells you the process is running as either network service or (win 2008 and later) system.

Related

IBM Lotus java XPage rest service - does it require signing for each user?

I have made a Java ExtLib XPage custom REST service (CustomServiceBean) database basing on this solution: https://setza-projects.atlassian.net/wiki/spaces/RS/pages/363593730/IBM+Domino
I modified it though to use NotesCalendar class to create, update and delete events & resource reservations (so everything in fact is processed by the calendar, I'm only using raw documents for reading $Rooms in names.nsf and $Reservations in the reservations database). Everything works fine so far, it uses current session to open the calendar. I have some concerns regarding the permissions though.
What I want (and need):
Ability to create calendar events & reservations as SPECIFIC users, I don't want just one "main" user that will create everything. I want each IBM Lotus user to be able to login with their credentials and create or update their calendar events.
This database with XPage will be deployed on our client's servers, so I don't want to require some special configuring for each user in order to be able to access my REST service.
I set up a new local installation of Lotus Server and created a new application using my XPage database as a template, and I couldn't access the API with either the admin account or other accounts:
HTTP JVM: CLFAD0229E: Security exception occurred servicing request for: /db.nsf/services.xsp/api - HTTP Code: 403. For more detailed information, please consult error-log-0.xml
As soon as I added my admin account to Server configuration -> Security -> Sign or run unrestricted methods and operations, it started working again. Not only for the admin account, but also for other accounts that were just created with an internet password and weren't assigned any specific roles or permissions. I didn't even sign the database.
So my question is, is this enough in order to get it working on client's production server? It kind of makes no sense to me, but it worked on my local server so I'm not sure, I'm new to IBM Lotus and I'm just doing an integration REST service.
If not, how could I do it, so I wouldn't really need to put the end client (Lotus server owner) into the hassle of configuring each user, while still being able to access the API as any Lotus user (providing the username and password)? I can either log in as each independent user, or perform some impersonation with a "main" privileged account (create entries in someone else's calendar as him), although I think there is no way to do it in Java, because .getCalendar is a method of the Session class; I tried using createSession(), but I wasn't able to.
Every Notes application needs to be signed by an administrator with an ID known to the customer's environment. The ID which is used to sign the db must have the appropriate rights, through the security tab in the server document. If the app is not signed properly, the app won't run. Once the app is signed, it runs in the authorized user's session with the user's rights.

SQL Server Login Successful When It Shouldn't Be

Earlier today I restored a database from our DEV environment onto our TEST environment. After restoring, I removed all of the logins (both NT and SQL) from the database. Much to my dismay, one of the users from the database in the DEV environment is able to get into the TEST database. I have confirmed this through both looking at his screen confirming his connection and using Profiler and watching his logins.
He cannot get to any other databases on TEST which is expected.
Although it shouldn't matter, DEV is 2008R2 and TEST is 2012.
Has anyone ever seen anything like this before? Is it possible something I cannot see has "come over with the backup" and is still there?
There's a distinction between database users, and server logins. Restoring a database should have no impact on the login (username and password) that the individual used to connect to the server...
If you only removed users from the database that you restored, the individual may still have permission to the database because of the access granted to their login (such as sysadmin).
Check what logins exist at the server level, instead of at the database level. Also watch out for the BUILTIN\Administrator role at the server level, which may be granting the individual access because he is an administrator at the windows server level.
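An added T-SQL diagnostic script (not from the thread) that walks the checks in this answer against the restored database: server-level role members, the BUILTIN\Administrators login, which database users still map to a login, and an impersonated test for one login. The database name and DOMAIN\someuser are placeholders. It also checks the guest user's CONNECT permission, which goes beyond the answer but is another way a login with no database user can still get in.

```sql
-- Run on the TEST instance, as a member of sysadmin. Placeholder names throughout.
USE [YourRestoredDatabase];
GO

-- 1. Server-level principals that reach every database regardless of its user list.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin');

-- 2. Is BUILTIN\Administrators still a login? Local admins on the Windows box
--    inherit whatever it has been granted (it is sysadmin by default on 2005/2008 installs).
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';

-- 3. Database users that survived the restore and the login each one maps to.
--    mapped_login = NULL means an orphaned user (SID came over with the backup
--    but matches no login here); a non-NULL value is a user you have not removed.
SELECT dp.name AS db_user, dp.type_desc, sp.name AS mapped_login
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')      -- SQL user, Windows user, Windows group
  AND dp.principal_id > 4;            -- skip dbo, guest, INFORMATION_SCHEMA, sys

-- 4. Guest: if CONNECT is GRANTed to guest, any login on the instance can enter
--    this database without having a user in it. (Revoke with REVOKE CONNECT FROM guest.)
SELECT permission_name, state_desc
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(N'guest')
  AND permission_name = N'CONNECT';

-- 5. Test the effective access of the one login you are worried about
--    without asking the person to log in again.
EXECUTE AS LOGIN = N'DOMAIN\someuser';
SELECT HAS_DBACCESS(DB_NAME())        AS can_reach_db,   -- 1 = still gets in
       IS_SRVROLEMEMBER(N'sysadmin')  AS is_sysadmin,
       SUSER_SNAME()                  AS tested_as;
REVERT;
```

If step 5 returns can_reach_db = 1 while step 3 shows no user for that login, the access comes from step 1, 2 or 4, not from the database itself.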

Sharepoint Webpart

I have created a webpart which works fantastic on my Virtual Machine where I have developed it.
But when I try to run the same webpart on my physical machine, I cannot open the SQL connection, as the SQL Server is a separate box on the network.
My physical, virtual and SQL box are on the same network, but for some reason it doesn't work on my physical machine.
It comes up with the following message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
What causes this Issue?
You are using Integrated Security, which means the current user is used for authentication against the database service. On the production server the webpart code is executed using the anonymous user. And (of course) this user has no right to access any resources other than the web server files.
To avoid this behaviour use a dedicated account using SQL Server security. See this example connection string:
connectionString="Data Source=SERVERHOSTNAME;Initial Catalog=YOURDATABASE;Persist Security Info=True;User ID=YOURUSER;Password=YOURPASSWORD"
Be sure to get a valid logon from your production database administrator for your database with appropriate rights (such as db_reader).
You specified User Id and Password and then set Trusted_Connection to True, so I guess that integrated authentication is used - remove the Trusted_Connection=True part.

programmatically access sharepoint lists using impersonation

I'm building a console app that runs under a normal user account to access SharePoint lists programmatically. In order to access SharePoint objects the console application impersonates the user under the context of which SharePoint is running. The impersonation is successful, but when I try to access any SharePoint SPWeb objects the following error is given:
spWeb.ID = 'spWeb.ID' threw an exception of type 'System.Data.SqlClient.SqlException'
base {System.Data.Common.DbException} = {"Cannot open database \"WSS_Content_92\" requested by the login. The login failed.\r\nLogin failed for user 'DOM\USER'."}
Shouldn't the impersonation have allowed access to the underlying database? And do I also need to explicitly grant access to the current user to give access to SharePoint lists etc.?
Thanks in advance
In a console or Windows app when accessing the object model - when you are impersonating the user then the database connection will be made under the user's account credentials - so in effect you will have to give each of your users fairly high level permissions to access the database (or better make them a member of a group that has these permissions).
http://technet.microsoft.com/en-us/library/cc721638(office.12).aspx
This is different to the web app where the account used is the AppDomain account of the IIS site.
However - this is a very non-standard setup and is fraught with security risks - do you really want to give your users permission to access that database directly?
Instead can I suggest that you look again at your design - what are you trying to achieve?
Running the console application in the context of the same user as the application pool did the trick. So the solution would be to use the runas command.

Connecting to a Database with WinAuth

In response to a question I asked about a week ago I changed our database engine to only accept Windows Authentication instead of SQL Authentication. Because our code runs in a different user context than that of the database connection we need to specify the username and password information in order for us to connect to the database. How do we do this using a ConnectionString? Remember, we are not using SQL Authentication anymore.
Thanks,
On your SQL Server instance, you need to add the domain group under the Security node (the one in the main server group, not in the individual databases). Under that node, the end result would be an item that resembles
<Your Domain>\Domain Users
Then in your application (Windows or Web) connection strings you want to set integrated security to be TRUE, and elsewhere, you need to set Impersonation to also be True. I am being vague here because the methods vary by application type.
Hopefully that sets you on the correct path.
Since you are using only Windows authentication, you can't in the connection string. The calling process will need to impersonate a Windows principal (user) with the relevant access permissions.
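The recurring answer across these threads (the workflow's machine account, the webpart's dedicated account, and the Windows-authentication setup here) is the same: give the identity the process actually runs under its own Windows login, scoped to one database and one role, rather than impersonating end users or granting sysadmin. An added T-SQL example of that setup, not from any of the threads; DOMAIN\svc_sharepoint_app and YourDatabase are placeholders for the application pool or service account (for a SharePoint workflow, the account the "Login failed" message names) and the target database.

```sql
-- Placeholder names: DOMAIN\svc_sharepoint_app = the account the process runs as,
-- YourDatabase = the database it needs. Run as a member of sysadmin.
USE [master];
GO
-- Windows login for the service account (no password stored anywhere: Kerberos/NTLM
-- authenticates the process identity, which is what Integrated Security=True relies on).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\svc_sharepoint_app')
    CREATE LOGIN [DOMAIN\svc_sharepoint_app] FROM WINDOWS
        WITH DEFAULT_DATABASE = [YourDatabase];
GO

USE [YourDatabase];
GO
-- Database user mapped to that login, limited to this one database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\svc_sharepoint_app')
    CREATE USER [DOMAIN\svc_sharepoint_app] FOR LOGIN [DOMAIN\svc_sharepoint_app];
GO
-- Read-only is enough for a reporting webpart; add db_datawriter only if it writes.
ALTER ROLE db_datareader ADD MEMBER [DOMAIN\svc_sharepoint_app];          -- SQL Server 2012+
-- On SQL Server 2008 R2 use the older form instead:
-- EXEC sp_addrolemember N'db_datareader', N'DOMAIN\svc_sharepoint_app';
GO

-- The shortcut that also makes "Login failed" go away, and why it is a no-go:
-- it hands the web/workflow process the entire instance, every database included.
-- ALTER SERVER ROLE sysadmin ADD MEMBER [DOMAIN\svc_sharepoint_app];

-- Verify the resulting access without logging in as the account: the first two
-- columns should be 1 and the third 0.
EXECUTE AS LOGIN = N'DOMAIN\svc_sharepoint_app';
SELECT HAS_DBACCESS(N'YourDatabase')   AS can_connect,
       IS_MEMBER(N'db_datareader')     AS is_reader,
       IS_SRVROLEMEMBER(N'sysadmin')   AS is_sysadmin;
REVERT;
```

With the login in place, the application keeps Integrated Security=True in its connection string and drops any User ID/Password; the process identity, not a human user, is what the server sees.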
