C# - Reading files from a mapped network location - c#

I have a simple C# app (it is WPF), and I am polling a network location for any new *.pdf. The app runs elevated.
The network location has been mapped to the local PC as P:\ so it is quite simple to just monitor P:\ by just doing a Directory.GetFiles("p:\", "*.pdf"). This technique works great.
However, the other day I ran into an exception: "Could not find part of the path 'P:\'" (DirectoryNotFoundException).
I noticed the drive was mapped to the PC, but when the IT guy clicked on the drive in windows explorer, it required a login and password. We were then able to view the P:\ in explorer, but my app still could not access the p:.
I had the IT guy remove the login/password and then it worked (but it could have been due to a restart too, I am not sure).
What is confusing me is that I am not aware of any moment where they 'enabled' password protection for the mapped location, so I am not sure when, why, or how it stopped working. I didn't even know it was password protected.
That leads to my very simple yes/no question: If a mapped drive is password protected in windows explorer, and a user types in the login/password so that they can get to it in explorer, is that enough such that my app does not need to login with user/pass information?
If the answer is no, then I will google the proper technique for accessing p:\ using a user/pass. But any explanation about my problem is surely appreciated.
Thanks

The reason it asks for a password is that the user currently logged on to Windows does not have access to that network path, and neither does the program, which runs with your logon.
What you need to do is get the IT guys to give the account which runs your app permission to access it directly, so that the password protection will be transparent for you.

Related

Windows Service cannot access network location (UNC) Path

I have a Windows service that polls a folder continuously for new files. For local directories this works fine. But when it comes to UNC paths on another system in the same network, the service cannot access the folder, it seems. I have referred to this post https://serverfault.com/a/881272; it states that I need to run the service as the currently logged-in user. How am I supposed to do that?
The path I wish to monitor using the service is
\\DESKTOP-PC\Users\me\myfolder
Please advise
UPDATE:
I have developed the service using Topshelf. I want to poll a folder on another local machine in the same network. I go to network places, double-click on the computer name, it asks for credentials, I enter the username and password of the remote computer, and I get access to the files on the system for that user (in Explorer).
Now when I set the service to run as the local machine user under this machine, it cannot access the remote UNC path that is accessible using Explorer. I have tried installing it as the remote machine user, but it fails.
myService.exe install -username:DESKTOP-REMOTE\myname -password:mypassword
Open the Control Panel > Administrative Tools > Services window on your Windows server.
Stop your windows service.
Open the Properties > Log On dialog.
Change the service user account to the target user account.
Start your service.
If you are developing the service in Visual Studio, and want to emulate a different account you can also press shift + right mouse click on devenv.exe and click on "run as different user".
Also make sure you are specifying the full path to the folder and that the account you use has full rights to the folder.
If you try to run your service under the desktop-remote\myname account you probably will fail. The local machine only likes accounts belonging to itself.
What I would do is to turn it around. Make the remote computer share a folder for your machine to poll. That way the remote machine has control over which data it is publishing, just like an object has its properties set to private or public. If you are ok with having anyone who knows the address \\desktop-remote\my-not-so-secret-folder\ being able to read it, set it so anyone can read. If you are more secretive, suffix the folder with $ like so: \\desktop-remote\my-secret-folder$. Now it is not visible but still reachable.
You can also create a special account that has access to said folder.
Then you let your service run any account (with network access) of your choosing on your local machine. Let it try to connect to the remote folder with the special account.
(I have learned, the hard way, that reading a shared folder is slightly different between machines without a domain and machines in a domain; the anyone-can-read does not work. At least in Windows XP it was that way. I have not had the need to share a folder since then.)
HTH
When you set the service to run as the local system account, it cannot access the remote UNC Path that is accessible using explorer with local machine account.
Simply because the explorer manages logged on user credentials, so, you have added UNC path credentials to the LOGGED user only.
When you change it to the Local System account, the user credentials for the share are not stored.
Try to create a local user without password expiration and then give it access to the share.
All you will need to do is to set up the Windows service with this new account registered.
I was facing this problem with my UNC storage in the Azure cloud.
What worked is setting up the credentials in the windows credentials manager:
[Screenshot: Windows Credential Manager]
You can get the connection string from the Azure portal.
This resolved our problem.
You can have a look at Impersonation. Also, if the service is running as a local user, then it would help to create the same user with a similar password on the machine where the folder resides.
Have a look here (the OP in this post is experiencing the same issue and he/she has given the shared folder “Everyone access to full control”).
https://serverfault.com/questions/177139/windows-service-cant-access-network-share

visual studio unable to start program access is denied

I'm getting "Unable to start program http://localhost:[port] Access is denied." when I try to debug an ASP.NET MVC app. Here are some more details, some of which may not be relevant.
This is happening under a somewhat different context for this project. I recently obtained an elevated account on the network, so now I'm running VS 2017 (15.5.4) as Admin every time I start it so that I can access the TFS server. Previous to this, I had been working offline with my non-elevated account and passing code changes to another developer for him to check in to TFS. I am still logged on to the local PC (Windows 10) with my non-elevated account. I just start VS as an admin and when prompted enter the credentials for the elevated account.
This morning was the first time I ran VS under this new context, got the latest code, and tried to do some work. I had to delete an existing TFS workspace, but I did get a complete refresh of the code from TFS.
The first time I went to F5 the code in this new context I get a warning about the app using SSL and VS wanting to self-sign a certificate. I said yes. I forget exactly what happened at that point, I think the browser (Firefox) timed out trying to connect. Anyway, I tried a different browser (Chrome) and still no luck.
Yet now, whether I , +, , or , I very quickly get the message from above "Unable to start program..." I've done a lot of searching on this problem, but have had no success in getting close to a solution. Here's what I've tried:
Cleaned the build and done a fresh rebuild. Building works, no issues.
Use netsh to look for (and delete) URL reservation. There wasn't one.
Tried using a different port.
Deleted temporary asp.net files.
Turn JavaScript debugging option off in VS.
Ctrl+F5, w/o debugger.
Turn SSL off for the project.
Checked, Windows Authentication is on in web.config.
Used Process Monitor to look for any "access denied" for either devenv.exe or iisexpress.exe
So what I'm hoping for here is not so much a silver bullet (though that would be great), but more some help in troubleshooting. Access denied means some resource--a file, a registry setting, a network share, something--is inaccessible in the context in which I'm running. Exactly what that is has got to be recorded somewhere, I hope. What log files does VS write to when you hit ? I've looked at the output during build and there's nothing there.
I'm sure I haven't exhausted all resources in troubleshooting this, I just need some help on where to look. Also, I had to leave that project/site and head to another, so I won't be able to try any ideas you all throw at me until tomorrow, at the earliest.
Please take a look at these answers in a similar question. From the list you provided it appears some of these may be new things to try for your case.
Specifically, I have run across the following answers in that linked question that have worked for me at various times in my career:
If you're using Anonymous Authentication, IIS 7 will use the "IUSR" account for directory access (unless you've set it to use the app pool identity). If you haven't granted IUSR sufficient permissions on your site's folders and files, you'll get this error.
For me in Windows 7 it started to work only after I gave 'Read & execute', 'List folder contents', 'Read' permissions to site folder for both users
IUSR
NETWORK SERVICE
I had the same problem, I enabled "Anonymous Authentication" but it still did not work. So I also ENABLED "Forms Authentication". Then it worked without any problems. (also try windows auth)
For me, nothing worked except the following, which solved the problem: open IIS, select the site, open Authentication (in the IIS section), right click Anonymous Authentication and select Edit, select Application Pool Identity.
I gave access to "IIS_IUser" but instead it should be "IUSR". That solved the problem.
I have a very similar problem to yours, and my architecture uses Windows authentication. What works for me is selecting my project and going to properties, then selecting "Enabled" on Windows Authentication.

Developing a program to password protect usb write access

In the place where I work we have sensitive data on our computers that need to stay there, but we regularly update our data, so we need a way to disallow copying to a flash drive but allow copying from the flash drive to the computer. Currently we're doing that with the Windows registry key StorageDevicePolicies-->writeprotect(1), but since anyone with some computer knowledge can undo this, it's not secure enough. I searched but couldn't find anything online, so I decided to develop it myself. The problem is I don't have any experience working with hardware; I mostly develop database applications in c sharp. So I would appreciate a solution in c sharp, but anything that can help is highly appreciated.
If they have admin rights, then any C# program you write can be shut off just as easily as they can change the registry key. The real solution is to modify user rights, and possibly remove flash drive capabilities and use network shares instead when data needs to be copied to machines.
If anything, I might just make a service with an unassuming name that polls the registry key periodically to see if it's been flipped, and if it has, then notify IT staff, who would then commandeer the computer, flash drive, and event logs (showing the registry key was changed by that user), and then refer them and the logs to management. This assumes employees have been thoroughly and frequently warned that copying data off machines is strictly against the rules. Sometimes it is not clear to a user whether an IT road block is just poorly managed IT or a company policy.
Alternatively, you could make the service force the bit back if it is changed, but then trial and error will allow a user with admin rights to discover which service needs to be shut down to prevent this.
I doubt you have network access because you are using flash drives to copy data. But even if you don't have a network you can still use this method (but administrators can still get around it).
Group Policy has the exact setting you are looking for. Just open the Group Policy snap-in, then go under either Computer Configuration or User Configuration (if you want it applied on a computer basis or a user basis respectively; if you want it on one computer but only applied to some users, you need to set up loopback processing), then go to \Administrative Templates\System\Removable Storage Access\
In that folder you can enable the following settings:
CD and DVD: Deny write access
Custom Classes: Deny write access
Floppy Drives: Deny write access
Removable Disks: Deny Write access
Tape Drives: Deny write access
WPD Devices: Deny write access
If you are on a domain, you can make it so that even if the user is a local administrator on the computer, they can't disable the setting unless they are a domain administrator too. If you are not on a domain, any user who is an Administrator can disable it.
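The registry-polling service suggested in the answers above, sketched as an added example (not code from the original thread). It assumes .NET Framework on Windows, the standard location HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies for the WriteProtect value, and a hypothetical event source name and event id.

```csharp
// Added example: watch the StorageDevicePolicies\WriteProtect value, log any
// change to the Application event log, and optionally force the value back.
using System;
using System.Diagnostics;
using System.Threading;
using Microsoft.Win32;

static class WriteProtectWatcher
{
    const string KeyPath =
        @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies";
    const string ValueName = "WriteProtect";
    const string Source = "WriteProtectWatcher";   // hypothetical event source name
    static readonly bool RestoreOnTamper = false;  // true = write the value back to 1

    // A missing key or value means the write block is not in effect.
    static bool IsEnforced()
    {
        object raw = Registry.GetValue(KeyPath, ValueName, null);
        return raw is int value && value == 1;
    }

    static void Main()
    {
        // Creating an event source needs administrative rights (once per machine).
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, "Application");

        bool last = IsEnforced();
        while (true)
        {
            Thread.Sleep(TimeSpan.FromSeconds(30));
            bool now = IsEnforced();
            if (now == last) continue;

            EventLog.WriteEntry(Source,
                "USB WriteProtect changed: enforced=" + now +
                " on " + Environment.MachineName,
                now ? EventLogEntryType.Information : EventLogEntryType.Warning,
                1001); // hypothetical event id for IT staff to alert on

            if (!now && RestoreOnTamper)
            {
                Registry.SetValue(KeyPath, ValueName, 1, RegistryValueKind.DWord);
                now = IsEnforced();
            }
            last = now;
        }
    }
}
```

The watcher only sees that the value changed; tying the change to a user account depends on registry auditing being enabled on that key. As the answers note, a local administrator can stop this process, so it complements the Group Policy setting rather than replacing it.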

Cause Winforms application to show user credentials dialog when a file operation fails

I have a simple updater program that copies files from a company server to the user's machine.
For most people on the internal LAN this is no problem, but some staff access this from LANs where they are not automatically authenticated with the server in question.
Normally an attempt to access this server (e.g. via Explorer) would simply throw up a user credentials dialog asking the user to provide a login that can access the shared directory.
In my Winforms application I simply use operations like File.Copy to move the files.
How can my application cause Windows to prompt for authentication rather than just throwing an exception?
I'm willing to do a fair bit of work myself but what I was really hoping was that Windows provided a way for this to happen.
Otherwise I'm considering just attempting access and showing an error message instructing the user to authenticate themselves using explorer.
Are there any other nice ways to deal with this problem without reinventing the wheel for a 50 line program? :-)
You could use the shell API to make that happen (the same API Windows Explorer is based upon): instead of File.Copy you would P/Invoke SHFileOperation.

Win7 administrator/elevation problem

My application needs to run with administrator privileges because of some specific phone components.
I've built an executable that does nothing else than calling the real application with the specific local administrator account (username and password).
I use the ProcessStartInfo and Process class for this purpose.
The problem: Some word interop is being done and the required word templates are stored on a unc share.
Local admin -> no domain/network context -> no access to shares.
Are there any other solutions than these two:
put a domain account into the administrator group on the affected machines and call the app. with this user
put the word templates onto the local drive
Maybe there are some uac elevation experts out there?
I think the best way would be to temporarily switch back to the "real" domain user context, but I don't know how this should work without providing his credentials...
Thanks for reading - and maybe feedback!
Having that small application, which knows the administrator password, is a security nightmare. Have you tried opening the .exe for your small app in Notepad? I'm fairly sure that the password will be there, in plaintext for anyone to read.
It is far better to solve this by giving the user running the app the required privileges. Full administrator access is very seldom required. Have you tried looking into exactly what the phone app needs? Sysinternals' Process Monitor is often very good to use.
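A build-time check for the problem described in the answer above, as an added example that is not part of the original thread: it scans its own compiled assembly for UTF-16LE text, the encoding the C# compiler uses for string literals. The password value is a constructed placeholder and the class and method names are hypothetical.

```csharp
// Added example: shows that a hard-coded password literal is recoverable
// from the compiled assembly without decompiling anything.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

static class EmbeddedSecretCheck
{
    // Constructed placeholder standing in for the launcher's admin password.
    const string DemoPassword = "Placeholder-Adm1n-Pw!";

    // Yields runs of printable ASCII characters stored as UTF-16LE.
    public static IEnumerable<string> Utf16Strings(byte[] data, int minLength)
    {
        var run = new StringBuilder();
        int i = 0;
        while (i + 1 < data.Length)
        {
            if (data[i] >= 0x20 && data[i] <= 0x7E && data[i + 1] == 0)
            {
                run.Append((char)data[i]);
                i += 2;          // consumed one UTF-16 code unit
                continue;
            }
            if (run.Length >= minLength) yield return run.ToString();
            run.Clear();
            i++;                 // step one byte so odd-aligned strings are found
        }
        if (run.Length >= minLength) yield return run.ToString();
    }

    static void Main()
    {
        // Read the file this program was loaded from and list matching literals.
        string path = typeof(EmbeddedSecretCheck).Assembly.Location;
        byte[] image = File.ReadAllBytes(path);
        int hits = 0;
        foreach (string s in Utf16Strings(image, 8))
        {
            if (!s.Contains(DemoPassword)) continue;
            hits++;
            Console.WriteLine("literal present in " + Path.GetFileName(path) + ": " + s);
        }
        Console.WriteLine(hits > 0 ? "FAIL: secret is embedded" : "OK: not found");
    }
}
```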
