I am currently attempting to create a user in an ASP.NET MVC application using the System.Management.Automation.Runspaces.Command with a remote Runspace using Kerberos authentication with a service account. Currently when I attempt to execute the command on the development server the command executes successfully, however when attempting to execute the command on the live web server I receive the following message
“Connecting to remote server echange-server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting”
On both the live and debug server I can enter a remote PowerShell session with Enter-PSSession. I feel as if this is a Kerberos hop issue on the live server. But I’m unsure of what SPNs would need to be configured for Kerberos to work properly for powershell. Thank you.
I think that remote powershell isn´t enabled for the taskuser you are using, which will explain the "Access is denied.". Try to enable that via (as written in the MS documentation here) via:
set-user <your user account> -RemotePowerShellEnabled $True
Another useful source to troubleshoot your issue is the MS documentation here.
Related
I am at the end of my rope and need some help. This will probably turn out to be something simple but I have been debugging the code and reading the same web pages for so long, I probably missed it.
I am working on setting up an environment so we can run .NET Core APIs from a Linux server. These will hit an SQL Server running on Windows for data and use Windows AD for Integrated Security. The outfacing server is Apache with .Net running reverse proxy using the standard Kestrel. So I have:
client browser -> Apache(Linux) -> Kestrel(Linux) -> SQL Server (Windows Server 2016)
Server FDQNs:
Linux - cats6-87.it.my.company
Windows - cats7-47.ad.my.company
I will be referring to these by short names from here on, but please note that all of the actual settings use the FDQN. It should also be noted that these two servers are NOT in the same domain; the Win server is part of the AD while the Linux server is not.
I am able to use Kerberos to authenticate users in Apache. This was done via the "standard" way by creating a special AD account (catadn001), setting an SPN call HTTP/cats6-87.it.my.company, creating a keytab, and setting up apache to use the account and tab. I am also able to pass this login to my .Net application and the data shown in HttpContext.User indicates the user is authenticated.
I am trying to double-hop so the DB can be hit by the authenticated user. I set up the environment according to every piece of documentation I could find:
SPNs of MSSQLSvc/cats7-47:1433, MSSQLSvc/cat7-47:CATS747
catadn001 is set to be able to delegate Kerberos for MSSQLSvc
The SQL Server log indicates the SPNs are set up correctly and running SELECT distinct auth_scheme FROM sys.dm_exec_connections after logging in using Windows Authentication in SSMS from a Windows 10 machine returns KERBEROS.
Back to Linux.
Using kinit I am able to retrieve a ticket for HTTP/cats6-87. klist confirms this.
In my .Net application, I am using Microsoft.Data.SQLClient to try to open an Integrated Security connection in an API endpoint:
new SqlConnection("Data Source=cats7-47;Integrated Security=True")
As I am experimenting here, I run my test application as myself. Before I had even tried to hit my endpoint though, I had a couple of questions:
How would .Net know to use HTTP/cats6-87?
How would the credentials passed in from Apache be passed along to SQL Server?
The SqlClient documentation does not mention it. In any case, from the few pages I found about Integrated Security from Linux to Windows and SQLClient, the above connection string should be enough. So I tried it.
No joy.
The error message presented was Login failed for user HTTP/cats6-87. I checked the SQL Server log and confirmed this. My application is trying to login with the Kerberos delegation account. I tried to search for this and every single page came back about error messages for anonymous login indicating problems with SQL Server and Kerberos. But I had already confirmed that SQL Server was using Kerberos correctly.
So I tried stepping through the SqlClient code by using the github repo of it. I learned a lot, particularly about how the user name is derived on Linux versus Windows (WindowsIdentity is not available) and about how annoying OOP truly is, but nothing to solve the problem and I still don't know the answer to my two questions above.
Can someone help? How do I get my linux application to use the Kerberos delegation to log into SQL Server in Windows?
I wrote Windows Service in C# to get data from Excel and Access tables. Everything works fine until I try to get data from remote database through VPN connection:
ERROR [HY000] [Microsoft][ODBC Microsoft Access Driver] The Microsoft Access database
engine cannot open or write to the file '(unknown)'. It is already opened exclusively
by another user, or you need permission to view and write its data.
Driver is ODBC.
The answer is in the error message. It's not very helpful but is completely accurate.
It's likely that your service is running as a user that does not have the needed permissions to the file, or that the ODBC connection is supplying the credentials and they are wrong or missing.
You can debug your service by opening the project in Visual Studio and selecting Debug->Attach To Process and selecting your service. You can then step through it and see exactly what is failing and what login credentials are being used when it happens.
Note that the default credentials for Windows Services do not have rights to anything on other machines, so that would be a good place to start.
If you can open it across the VPN from MS Access, but not your service, that narrows it down quite a bit.
I created Windows Server 2012 R2 machine in Azure and I try to create simple c# application to read logs from event logs.
I am using the EventLog, EventLogQuery, EventLogReader classes to read the logs.
I test the code in a private virtual machine with Windows Server 2012 (in my PC) and its worked great, I was able to read the logs locally and from remote.
When I run my code in Azure, I get EventLogException with the message:
"The RPC server is unavailable"
I try to enable some firewall rules & start some services but it didn't help.
Do anyone know the issue ? Do you have any other solution to read the event logs ?
I see some people that read the logs with PowerShell but I prefer to do it with pure c#
Thanks.
I'm trying to run an WQL query(SELECT * FROM MSBTS_SendPort) on an BizTalk host but when I run this query in my console application on an remote primary BizTalkHost I get an COMException who says "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
If I run the same console application on the primary BizTalkHost then everything works.
I'm issueing an double-hop authentication issue, so therefore what I want will never work. See this link for more information. My workaround for this issue is to create an wcf-webservice on an biztalk host and let the wcf service handle the WMI query.
If you want to use powershell for remote biztalk administration look at this link.
Looks you execute the query on the remote machine as a anonymous user - you have to be in the user context of a user that is authorized to read from the BizTalk Management database.
You could start with trying to run the console application on the remote machine using "run as" and enter the credentials that you probably login as on the BizTalk machine.
If that works you should start looking to impersonation a different user in you code.
We are using the ServiceController object to query if our Service is running or not. Our web application that is performing the query is using Impersonation for security/login.
System.ServiceProcess.ServiceController sc = new System.ServiceProcess.ServiceController("myService");
return sc.Status
Using an Administrator account, the query is successful. Using a limited account (non-administrator), the query is failing with a message of "Service myService was not found on computer '.'"... BUT it is only failing in Windows Server 2003 and not in Windows XP.
I've Googled it and checked in MSDN. I didn't find anything related to the usage of ServiceController in Windows Server 2003.
Any ideas?
EDIT: If there is a way to query the service status without using the ServiceController that doesn't involve "security" privileges, that might work for us. We just need to get the status of the service.
UPDATE:
I created a simple console application that will print the status of the service. I used the "runas" command to run the application using both the Administrator and Non-Administrator account. It both worked in Windows Server 2003... Which means that this is an issue of the privilege not being properly passed to the ServiceController call in the web application? IIS security stuff perhaps?
Thanks!
I thought that web app-s are supposed to be run in a sandbox. Allowing access to the service running on local computer isn't really what you should do, because of security issues.
Maybe you could tell us what you want to do and there is another solution?