what is the recommended approach for polling password changes only in Active Directory, get the updated password and update else where ?
I have looked into classes in System.DirectoryServices.Protocols namespace like 'DirectoryNotificationControl' class but seems like this would poll for any attribute and later on we need to query to see if attribute we are interested (password) has indeed changed.
Also how do we get password value from active directory ? It is possible using LSA although very complex..
The only "simple" way (and those are VERY big quotes around "simple") is to write up a Password Filter Dll that is hosted on the Domain Controller.
You can implement the PasswordChangeNotify interface and have your code update whatever external thing that needed to be notified of the password change.
However this must be done in native code, so no C# allowed.
I originally went down this road and ended up giving up on it and used a different method of tracking the changed passwords, however one thing I did discover along the way was an open source project called passwdhk that may be helpful for you.
What passwdhk does is it implements a Password Filter DLL for you, however all the filter does is launch another executable with the command line arguments that where passed in to the password change notify function ("post-change program" is forwarding the arguments from PasswordChangeNotify, "pre-change program" is forwarding the arguments from PasswordFilter). This allows you to still write your code that updates the other service in C#, it just takes the password in from the command line instead of intercepting the password itself.
As far as I know, by default the password (stored in an encrypted way) cant't be read in Active-Directory. You can change the policy to store it in a reversible way, but it's really not a good thing.
The only way I know, is to install a componant on each client machine. The component catch the password change and you can do what you want.
From NT to XP this component was called GINA (DLL). Begining Vista this companent should be written using Credential Provider API.
Related
I want to implement a simple way for a user to upload a save file (a really simple json file with no personal information) to their cloud account.
The main problem is that dropbox, google drive etc... don't work with simple username and password, they need OAuth 2, and a browser for log in. But it's not easy to implement that in a Unity game, and it require that I set up a secret API key connected to my account (with limited put and get possible without pay).
I want to be able to use the final user account to upload 1 single json file to the user account, and be able to download it from another device (that's the only reason why I want to be able to log in... without log in I can use something like htput, jsonblob or myjson... but if I want the user to be able to get their save in another device I would need that they copy a really long and not easy keyurl generated by those services).
I saw that with MegaApiClient it should be possible. I imported it into Unity as a native Plugin and I was able to use it in my code.
Problem is that I cannot Login because I get an error:
TlsException: Invalid certificate received from server
the code I use it the one in the example:
var client = new MegaApiClient();
client.Login("username#domain.com", "passw0rd");
There is a way to make it work? If not do you have any idea how to solve my problem?
In the end I decided to go with Dropbox. It's easier than I expected, but you will need to use the code flow with copy/paste (you cannot use the redirect_uri, at least I don't know how to redirect to the app on all platforms).
I don't know how to solve the mega problem.
EDIT. With Unity 2018.2 now MegaApi works.
EDIT. You can use the redirect_uri too, just redirect to 127.0.0.1 on android and localhost on pc.
I have been requested from my partner to use his API, and to use this API, I should encrypt all sent data to AES 256. He shared a .jks file with me, in addition to some parameters with values like (Alias, KEYSTORE_PASSWORD and KEY_PASSWORD), then he told me that the password which I should use for encryption is stored in that JKS file, and to open it, I should use the pre-shared parameters.
So, how can I reach that?
UPDATE ...
This is not a web service am trying to invoke, I just need to get the Password which is stored in the JKS file, so, I am not going to invoke an API or import a certificate into my client app. So, it doesn't matter if opening the app by C# or any other tool, i just need to get the password in order to use it later in encrypting some data.
I opened the given file by using KeyStore Explorer, then I imported the file into the app and providing it with all shared info like KeyStore_Password and Key_Password. Eventually, it opens.
I know that is away off C#, but all what I needed is to get the Password which is stored in that file, and this was my first time to deal with something like that.
But you cannot access "TrustedCertEntry". It is a restriction.
See: https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs
Whilst pair programming with database systems, sometimes we end up temporarily hardcoding credentials (typically of our own accounts), which leads to slight awkwardness with the partner trying to look away whenever the password is onscreen. Is there any simple way of using basic obfuscation (ie, rot13) to hardcode a password without other developers taking a quick look and seeing my password?
It doesn't need to be secure. It only needs to grease the social aspect. I don't want anything complex involving super secure encryption or reading passwords out of files etc. This has to be quick to implement (i.e. 10 seconds max) whilst coding on the fly. Ideally I want something like:
string password = string.rot13("zlcnffjbeq");
Does anything like this already exist?
To configure SQL Server for Windows integrated security
From the Windows Start menu, select Microsoft SQL Server, and then select Enterprise Manager.
Open the node for the server and expand the node for the database you want to give users permissions for.
Right-click the Users node and select New Database User.
In the Database User Properties dialog box, enter domain\username in the Login name box, and then click OK. Additionally, configure the SQL Server to allow all domain users to access the database.
From MSDN. Connection strings become Server=x;Initial Catalog=y;Integrated Security=true instead of Server=x;Initial Catalog=y;User=you;Pwd=yourpassword.
I would suggest to store your password in a config file. For source control, use a dummy one. Then after getting latest version of the config file on your PC, you can modify the config by adding your password.
You could use base64 and just keep the base64 version of your password somewhere handy for cut and paste, bearing in mind that your system admin will have a blue fit if they find out about this. Both the suggestions in comments (#Oli/#CodeCaster) are preferable to this, imo.
DPAPI is more work but arguably a balanced solution to your requirement, with some security.
The .NET Framework provides access to the data protection API (DPAPI),
which allows you to encrypt data using information from the current
user account or computer. When you use the DPAPI, you alleviate the
difficult problem of explicitly generating and storing a cryptographic
key.
Maybe you can store your password in a String variable like here
/* Variable that stores the password */ string pwd = "12345";
string password = string.rot13(pwd);
and tab it out of the visual range of the editor. This would be a proper solution to your problem.
Then you can use the string variable somewhere else in your code and no one can see your password unless he scrolls to the right
I need a little help with the C# example program of Google-Drive...
I used this so-called "tutorial"/"example":
https://developers.google.com/drive/examples/dotnet
And the code from here:
https://code.google.com/p/google-drive-sdk-samples/source/checkout
I uploaded my (only slightly modified) sourcecode here in case anybody doesn't have Mercurial (I didn't have Mercurial and no admin rights to install it either, and Mercurial is the only way to get the sourcecode...):
http://verzend.be/elt0k13enraw/DrEdit.rar.html
I always get
"Ressource cannot be found"
Requested URL: /oauth2callback
I don't find this astonishing, as no oauth2callback controller or handler is implemented...
I tried adding a Controller called oauth2callbackController and redirecting to another action in oauth2callbackController.Index, doing
return new RedirectResult("/about/about");
But that only creates a NULL-reference exception.
So i figured, maybe the wrong controller and redirected to
return new RedirectResult("/drive/Index");
But that only creates an infinite loop of redirect -> allow -> redirect - allow -> etc.
BTW, the config to change the API key + REDIRECT_URI is in
Models\ClientCredentials.cs
Note:
The problem aren't my modifications.
The sample also didn't work unmodified, with the exact same error.
All I did was removing EntityFramwork references, and throwing "Not implemented exception" when a method using entity was called.
Edit:
Additional information:
What I really wanted to do in the first place is to write a console service that exports my database, LZMA-compresses the exported content, encrypts that with OpenPGP, and uploads the database of my server to Google drive every day at 24:00 o'clock, without any user input.
I got export working without a problem, i got the LZMA compression working without a problem, I got the encryption with PGP working without a problem.
After the end of the working day (grrrr), when I was at home, I was even able to download the example-code with the mercurial installed on my Linux-machine at home, and bring it on the windows machine using SMB...
But now I can't get the sample for the Google-drive SDK working...
And moreover, what I really need is an example for a console service/daemon, not a web-application.
When I created the API key, I saw one could create a key for a service, but there is no example on how to write a Google-Drive service (console application), and no useful documentation as well (yea there is a reference, but it's only a reference, IntelliSense provides about the same)...
When configuring your app in the API Access tab of the APIs Console, you had to set the root (/) of your web server as the redirect URI and not /oauth2callback.
Assuming that your app is published at www.example.com, just go back to the APIs Console and set it to www.example.com instead of www.example.com/oauth2callback
I have a bit of a unique situation here. I'm making a web application that is going to have
the ability to login with different web applications credentials. For example you can login/register with my site or you can login/register with your YouTube account. I'm not using OpenID because I need to have access to YouTube's data in this case.
I'm using ASP.NET MVC 3 EF4 with custom Membership, role, profile providers.
The problem is user names can't be unique because someone with a YouTube user name could have the same user name as someone that registered with my site. So I got around with by specifying a user type in my user table. This is pretty much a composite key (user id and user type).
I have a custom authorize attribute that is checking for the role that the user is in but now I need to implement a custom IPrincipal because I need to pass a user type. Only problem is where do I store that? the session?
Originally I thought this is what the Application table was for, and I had momentary success with that but read there is threading issues, and I was getting session faults all over the place it wasn't that great :(
I'm wondering what the best way to do with is because I can't use the overridden methods in the providers because I have to add a UserType parameter to some of the methods, but then this breaks the functionality of the provider.
EDIT:
I basically need to have the ability to change the ApplicationName at runtime pro-grammatically. I tried doing this, the only problem was when I stopped my development server but left my browser open then ran my dev server again it wouldnt keep the application name.
EDIT:
I've changed my application to use OAuth, I never found a good solution.
I basically need to have the ability
to change the ApplicationName at
runtime pro-grammatically. I tried
doing this, the only problem was when
I stopped my development server but
left my browser open then ran my dev
server again it wouldnt keep the
application name.
If you need to change the ApplicationName, this means you need to select a provider at runtime.
The only way to do this is to NOT use the singleton "Membership" as it uses the provider defined in web.config.
Instead each time you need your provider use :
MembershipProvider userProvider = Membership.Providers[UserProviderName];
Just set UserProviderName the way you want. I would go with a custom global authorization or preAction filter which detect the provider from some cookie or other session variable and put the provider in the HttpContextBase.Items collection which lives for one and only one request.
The best answer to this problem is answered on stackoverflow here: Membership provider with different ApplicationName in area
Here's the code they used:
Membership.Providers["MyOtherProvider"].ValidateUser(username, pwd);
Ryan,
Hmmm... can you work-around the problem by prepending the issuing-authority (local or YouTube) to the username field itself... Example usernames: "LOCAL/corlettk", "YOUTUBE/corlettk"???
Ok, you'll need a custom Authenticator in order to split the complex-string, and flick-pass the login-request to appropriate underlying Authenticator... but once that's done, (I guess) you're all set to deal EASILY with the much bigger problem (from your perspective) of Authorisation.
I percieve that you're a smart guy... have you considered-and-dismissed this approach allready?
Cheers. Keith.
PS: Yes, I'm a hacker... but I have bad habit of hacking stuff up that WORKS... so they've given-up trying to educate me.