I have configured RabbitMQ but at the moment it is using simple username/password to connect to the queue. This isn't ideal as I'm having to store the password in the application config.
Ideally, I would like authentication to work like it does for an intranet application - using NTLM to implicitly pass my authentication to Rabbit.
I have enabled LDAP in the config which allows me to manage users in AD, but it still requires the password to be stored and sent.
Has anybody managed to get RabbitMQ authentication working with NTML (or Kerberos)?
Thanks
RabbitMQ does not support NTLM authentication at this time, as I noted in my response here on the rabbitmq-users mailing list.
Support could be added via a plugin, however.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
Related
There is an example in gRPC:
Channel channel = new Channel("127.0.0.1:30051", ChannelCredentials.Insecure);
it works. Now I would like to authenticate the user on server either using the login / password pair or using Windows trusted authentication.
The authentication documentation https://grpc.io/docs/guides/auth/ shows some examples:
either with some PEM certificate that has nothing to do with windows account
or with a "trusted" authentication, but not in the meaning that one Windows computer trusts to the other Windows. The meaning is that credentials are trusted with Google.
Is it possible to do Windows-trusted authentication between two Windows PCs using gRPC?
I believe client-side SSL is what you are looking for: https://grpc.io/docs/guides/auth/#using-client-side-ssltls
You want to authenticate both ends of the connection. This won't be a simple task, since you have to manage and update certificates in clusters.
If what you are looking for is Windows account specific integration, I don't think gRPC is providing one today. You may post a feature request to https://github.com/grpc/grpc/issues.
I have a c# .net wcf web service on a windows server with iis. I need to know if there is a way to tell the web service that it can accept request only from specific URL.
example:
ApplicationA call ApplicationAwebService = should work
ApplicationB call ApplicationAwebService = should be denied
Right now, they are all on the same server, but I need a solution that works even if they are on a different server (3tier applications).
thanks
If you are using WCF then its possible to use mutual authentication between services and clients. Mutual authentication achieves not only security for the server to accept connections from legit clients but provides the ability for the clients to verify that they are talking to a legit server.
Mutual authentication can be achieved through Message security (Encrypting the data sent between the client and server and vice versa) by using certificates, kerberos (Windows auth), tokens and a username/password configuration.
Mutual authentication can also be achieved in WCF through rolebased authentication, identities, and resource based authentication
Reference from msdn: https://msdn.microsoft.com/en-us/library/ff647503.aspx
I have created an ASP.NET website that has to access Active Directory on another server and change users passwords. The problem is that I need to authenticate with existing AD account and I cannot send AD user's password in plaintext when communicating with the Active Directory server. How do I communicate with AD server from ASP.NET website, so that connection is secure? My AD server supports LDAP protocol, but I do not know how to enforce communication with LDAP via a secure channel.
ASP.NET Website --------------LDAP/another protocol (secure)------------> AD Server
Fairly simple, you need to do two things :
Configure your Active Directory instance to accept connections over LDAPS, or port 636. You'll need a certificate (it can be self-signed) to set that up.
Update your LDAP authorization code to use this the new connection. This shouldn't be anything more than changing the server to "ldaps://{{IP OR DNS}}", and ensuring you're setting SessionOptions.SecureSocketLayer = true;
If you want to verify that it's working properly, Wireshark the traffic leaving your ASP.Net site that's going over port 636, and you should notice it's now heavily encrypted, and impossible to discern anything meaningful from.
I've done a ton of this stuff over the years, so I've had a few other questions surrounding this that should also help you out :
Set callback for System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificate?
(This contains a full implementation of LDAPS)
Custom Multi-factor Active Directory Authentication
(This is a much more simple example, but would work perfectly fine for your purposes)
We have a Windows application which is communicating fine via the WebHDFS Client (In the Incubator phase) http:/ /hadoopsdk.codeplex.com/wikipage?title=WebHDFS%20Client&referringTitle=Home
to a Cloudera Hadoop installation. The next phase is to establish Kerberos authentication via http. I am having difficulty finding much on this topic between a Windows client and a Linux/Apache server.
Most of the examples I've seen are using cURL --negotiate as the mechanism :
http://hadoop.apache.org/docs/r1.0.4/webhdfs.html#Delegation+Token+Operations
Everything else I've found for .Net has been really low level
http://msdn.microsoft.com/en-us/library/ms995331.aspx
Is there anything out there that I can use or am I going to have to write custom code?
I found the solution to my problem being that I misunderstood how Kerebros SNEGO was implemented.
For those of you that are in the same predicament I hope this helps..The authentication is done between the client (Windows machine) and the kdc (Linux) at the time of the users logon of the client (for one configuration). After the ticket has been issued WebHDFS communication can be established in a more secure manner. This quote is from the Cloudera team (which were extremely helpful BTW).
"If the Cloudera cluster is kerberized then WebHDFS on the server side will accept SPNEGO Kerberos authentication. If the cluster is kerberized directly in AD realm and if the end user has logged into the same AD domain, that should be enough if the Microsoft clients supports it. Otherwise they either have to authenticate to the same kerberos realm with a MIT kerberos client and kinit or one way trust should be setup between the cluster kerberos realm and the AD realm where the endusers are authenticating."
I have a user account on a clients Salesforce. These credentials are used on our Web service to connect and upload data to that clients Salesforce account.
However I have found that only my PC will allow the logging in to the API, this is not ideal as I need to have multiple users logged in using the same account and on different PC's in our organisation.
How can I fix this issue?
a review of their policy suggests that what you want to do is prohibited, however it seems that it should be possible. There is a way to lock the account to the ip that created and perhaps that is being used as a default. please have a look here and see if it applies to your situation. https://help.salesforce.com/apex/htviewhelpdoc?id=admin_sessions.htm&language=en_US
As you have found, you need to append the Security Token to the password to allow API logins from IP addresses that aren't trusted. This is a fairly standard way of calling the API. Note that changing the password will also change the Security Token.
The alternative to using the security token is to add the IP addresses of the Server making the API calls to the Trusted IP ranges.
Setup > Administration Setup > Security Controls > Network Access
The problem was with my URL endpoints, the web server we are using does various unexpected things that I was not aware of for security purposes.
I have since devised a workaround by dumping the data into a table and then using a console app to poll this table and transmit the data to salesforce.