I am not able to find any good documentation on .NET SDK for CyberArk.
I am trying to integrate CyberArk password management system to get password for an Outlook account using the below code
PSDKPasswordRequest passReq = new PSDKPasswordRequest();
PSDKPassword password = null;
// What is the purpose of CredFile??
passReq.CredFilePath = "F:\\CredFiles\\AppUser.cred";
passReq.Safe = "SAFE_NAME";
passReq.Folder = "root";
passReq.Object = userName;
passReq.Reason = "Get some stuff done.";
// Sending the request to get the password
password = CyberArk.AIM.NetPasswordSDK.PasswordSDK.GetPassword(passReq);
However I am not able to connect and getting the following error
"PDKTC006E Failed to connect to provider (Reason=[connect command failed])"\
As I understand it, the API (NetPasswordSDK) is actually a caching service that sits between you and the CyberArk appliance. So you have to configure the service correctly during install as it handles the connection to the CyberArk appliance.
Instructions:
Write down a CyberArk Administrator account's username/password
Write down the CyberArk IP address. This is NOT the web access IP address (PVWA). It's the IP address of the appliance.
On your dev machine, run the CyberArk SDK installer and enter in the IP address and Admin username/password from steps #1 and #2
Assuming the installer completes successfully, it is going to create a user called "Prov_MACHINENAME." (MACHINENAME will equal your NetBIOS hostname) on the CyberArk appliance.
On your dev machine, open C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider\Vault\AppProviderUser.cred and write down the name generated during the install.
Log in to the CyberArk appliance as an administrator
Create a Safe named MySafe
Add the Administrator account from step #1 as a member to MySafe
Add the Prov_MACHINENAME account from step #5 as a member to MySafe
Create an Application named MyApp
Add the Application as a member MySafe
Create an Account named MyAccount and assign it to MySafe
You can now use the following code to connect:
PSDKPasswordRequest objPasswordRequest;
PSDKPassword objPassword;
objPasswordRequest = new PSDKPasswordRequest();
objPasswordRequest.AppID = "MyApp";
objPasswordRequest.Safe = "MySafe";
objPasswordRequest.Object = "MyAccount";
objPassword = PasswordSDK.GetPassword(objPasswordRequest);
password = objPassword.Content;
username = objPassword.UserName;
Related
I have the following function for connecting to a remote client machine and running an executable on it.
I copied it from a response on this site, but don't have the link anymore, so I'm not sure who to give credit to.
public static void ConnectToRemoteClient(string client_machine, string user, string password, string target_exe )
{
var connection = new ConnectionOptions();
// The '.\' is for a local user on the remote machine
// or 'mydomain\user' for a domain user
connection.Username = user;
connection.Password = password;
object[] theProcessToRun = { target_exe };
var wmiScope = new ManagementScope($#"\\{client_machine}\root\cimv2", connection);
wmiScope.Connect();
using (var managementClass = new ManagementClass(wmiScope, new ManagementPath("Win32_Process"), new ObjectGetOptions()))
{
managementClass.InvokeMethod("Create", theProcessToRun );
}
}
It is called using the following syntax:
string exe = string.Format("taskkill.exe {0} {1}", #"/F", #"/PID 8704");
ConnectToRemoteClient("ClientMachine", #"Domain\Username", #"password", exe);
It works just fine for executables that exist on the remote client machine.
However, I want to call an executable from a server, and run it on that remote client machine.
Not sure how best to approach this. I tried feeding it the following:
ConnectToRemoteClient("ClientMachine", #"Domain\User", #"password", #"\\ServerName\MyDir\Myfile.exe");
But it never initiated the executable on the machine. No error messages.
The reason I want to do this, is to save me from having to copy the large executable and supporting files to each client, but rather just run it from the server depot on each remote client.
Do I have to call a CMD window and feed it the \\ServerName\MyDir\Myfile.exe in order to get it to work properly? or is there a way I can make this work?
You are connecting to the remote machine using the passed credentials, but that only establishes your rights to open WMI. The command you then pass to WMI to execute is not running as the credentials you pass in, but under the LocalSystem account credentials.
LocalSystem does not have access to the network share.
To do this you need to remotely execute PSEXEC (https://ss64.com/nt/psexec.html) which allows you to pass the parameters to launch the application as. PSEXEC runs as LocalSystem but allows you to pass credentials to use when it launches your designated application. The launched program will then impersonate the user you pass in, and will have access to the network share.
We are making use of ADLDS for our user management and authentication. We can successfully query the instance without problems. However, trying to perform an operation such as SetPassword will fail or even trying to create a new user if a password is not set, it fails. I can successfully update a user as long as its not password I'm trying to update. I've been reading a lot of different articles relating to this but not finding a resolution. Posting to see if I can get some fresh perspective on this issue, thanks for any input.
EXAMPLE
ContextType ctxType = ContextType.ApplicationDirectory;
string server = "myadldsserver.com";
string usersCN = "CN=Users,..."; // container where users reside
ContextOptions ctxOpts = ContextOptions.SimpleBind;
string uname = "myuser";
string pswrd = "mypass";
using(var ctx = new PrincipalContext(ctxType, server, usersCN, ctxOpts, uname, pswrd)
using(var newUser = new UserPrincipal(ctx)) {
newUser.Name = "newusername";
newUser.Enabled = true;
newUser.UserPrincipalName = "newusername";
newUser.Save();
newUser.SetPassword("newuserpassword");
}
ERROR 1
The first problem I encounter if I try to create a new UserPrincipal and call Save without having set the password like in Example above I get the exception A constraint violation occurred. with an InnerException extend message of 0000052D: AtrErr: DSID-033807D7, #1:0: 0000052D: DSID-033807D7, problem 1005 (CONSTRAINT_ATT_TYPE), data 2246, Att 9005a (unicodePwd)
Because of this error I tried moving the SetPassword before calling Save along with other approaches I found online such as getting the DirectoryEntry from the UserPrincipal and trying to call SetPassword but got a different error.
ERROR 2
Calling SetPassword before calling UserPrincipal.Save, when save is called, results in the error The directory property cannot be found in the cache.
Note that the same error will occur if I trying calling ResetPassword or getting a DirectoryEntry and calling Invoke("SetPassword"... as well
ERROR 3
From my research most seem to indicate this could have to do with needing to access AD LDS using a Secure connection. So, I changed my server to include the port of 636 string server = "myadldsserver.com:636" and I changed the ContextOptions to be ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer.
Making these changes when the PrincipalContext is being constructed I get the following exception The server could not be contacted. with an inner exception of The LDAP server is unavailable., HResult is -2146233087
JAVA and LDP
To add some background to this, we do have similar code written in an older Java application. We are trying to port some of this logic over to .NET side in C#. The code in Java makes use of a Java keystore that contains the certificate that was generated on the AD LDS server. The Java application of course has no issues using the SSL port. We know the server seems to be configured correctly, it's just an issue of how to access it from .NET side.
Is there an equivalent on the .NET side such as the keystore in Java? We know that an SSL connection can be made to server. We have verified this using LDP as well.
GOALS
Be able to create a new user and set their password during creation
Be able to ResetPassword or ChangePassword for a user
Connect to our AD LDS instance from .NET securely
Have you tried using Microsoft Management Console to import the certificate?
Two ways to install the certificate
Either
Open a cmd.exe console and type "MMC"
File > Add/Remove Snap-In...
Select Certificates, click Add
Choose Computer Account and Local Computer when prompted, then OK...
Certificates should now be showing under Console Root
Certificates > Trusted Root Certification Authorities > Certificates > (right-click) > All Tasks > Import Certificate...
Find the certificate you want to import, click Next and choose defaults (Trusted Root Certification Authorities should already be
selected)
Click Next, Finish
(or)
Simply double-click on the .cer file for the certificate in Windows
Explorer, click Install Certificate... > Next > select the option to
"Place all certificates in following store" > Browse... > Select
Trusted Root Certification Authorities. Continue with next until done.
At this point your certificate is installed, and you should be able to communicate securely with your ADLDS server.
I got this error message while connecting my app with the database at my website.
If i try using XAMPP using my computer, its work well.
FYI, the username and password is same as username and password that i created using XAMPP.
and also grant the privileges.
this is the connection string. for example the server is 174.125.80.140, the database name is myDB, the Uid is alfred, and the password is Alfred111.
MySqlConnection conn = new MySqlConnection("Server=174.125.80.140; Database=myDB;Uid=alfred;Pwd=Alfred111;");
I'm using MySQL client version: 4.1.22.
I'm still can't access the database. is there any solution??
If you are using MySQL workbench,
1) Start the workbench
2) click on the option "Users and Privileges" under SECURITY
3) click on add user (for the specific user), this is more secure because it lets you handle who has access over your database and lets you control access.
however if you want to grant access a large number of users for an application like c# application, then hard-code the username and password in the application, from the user privileges that you have set above.
Hope this helps (^_^)
Yes, you may have supplied the user and password correctly but have you configure the server (new server) to accept Uid=alfred;Pwd=Alfred111;?
Adding User in MySQL Server
If your app is on a different host that the MySQL server then you most likely need to add a new user granting permission for that host. Your alfred user is probably allowed by localhost and nothing else. Try CREATE USER 'altred#'%' identified by 'password'; and then grant that user privileges on myDB.
You can replace % with a specific IP address or hostname as well, % allows the connection from any host which is not necessarily safe.
You can try the following query to see the allowed user/host combos:
SELECT `User`, `Host` FROM `mysql.user`
Hope that helps.
I'm using EWS to grab file attachments from emails in an inbox, and need to put those files (if they meet certain criteria) onto a network directory path that requires an active directory user/pass that is not the same as what the machine running the service is using.
There's probably multiple ways to attack this. Without having to set that directory path to allow the user/pass that is running the windows service to have rights to read/write is there a way in code that I can set the user/pass before I try and place the files in that path?
In the installer setup of the windows service I've tried the following:
this.serviceProcessInstaller1.Account = System.ServiceProcess.ServiceAccount.User;
this.serviceProcessInstaller1.Password = "password";
this.serviceProcessInstaller1.Username = #"\\serverName\user";
when I try and install I get an error about mapping the user pass, so I tried this:
this.serviceProcessInstaller1.Account = System.ServiceProcess.ServiceAccount.NetworkService;
this.serviceProcessInstaller1.Password = "password";
this.serviceProcessInstaller1.Username = #"\\serverName\user";
the installer works, the service shows up and I can start it, but when I debug/attach to the process it throws an exception when trying to write to the directory about access rights.
So maybe I'm not even attacking the right issue/section, as this is probably an active directory issue and something not done in code.
Any suggestions?
What you tried there is irrelevant to your problem.
If you're on windows 7, you may workaround by going to [Control Panel]->[User Accounts]->[Credential Manager] to store login information of target machines.
We have a program that uses webdav, authenticating with windows authentication so users don't have to type their username and password. this worked fine until we migrated domain. now the code that used to connect returns error code 5 (access denied):
string psPassword =null, psUsername=null;
structNetResource stNetRes = new structNetResource();
stNetRes.iScope = 2;
stNetRes.iType = RESOURCETYPE_DISK;
stNetRes.iDisplayType = 3;
stNetRes.iUsage = 1;
stNetRes.sRemoteName = WebDAVServerpath;
stNetRes.sLocalName = null; //connect, but don't show drive in my computer
int iFlags = CONNECT_CMD_SAVECRED;
int i = WNetAddConnection2A(ref stNetRes, psPassword, psUsername, iFlags);
Does anyone have any idea how to fix this? I've tried running
int j = WNetCancelConnection2A(WebDAVServerpath, CONNECT_UPDATE_PROFILE, 0);
beforehand to clear any old connections but this isn't working.
(Running net use \\server.domain.com\share now prompts for a username and password whereas before it used to connect straight away, so it looks like something's interring with windows authentication.)
Edit - This is a WinForms application, IIS and the shared files are stored on the same machine. The problem only occurs on machines that were migrated; PCs that were (and still are) outisde our domain are unaffected.
If your file server and web server are not the same machine, you need to set up the file server to trust the web server for delegation. This allows the file server to trust the credentials that the web server has authenticated instead of re-prompting for credentials on each request.