How to find the type of a LogOn account in Win32 Services? - service

In Services.exe, for each service we can see two types of LogOn:
Local System account
This account.
I am just wondering whether there is any way to classify the LogOn accounts under "This account" into a particular set of enums or groups.
For example:
.\SomeUsername as Local User Account,
NT Authority\LocalService as Local Service
NT Authority\NetworkService as Network Service
and so on.
Please give me some insights on this!

You can look into the services registry branch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<your service name>.
The value ObjectName is what you are looking for.
It will be a text string like
NT AUTHORITY\NetworkService
NT AUTHORITY\LocalService
LocalSystem
in the case of built-in credentials.
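As an added example (not part of the original answer), the following PowerShell walks the registry branch named above, reads each service's ObjectName, and maps it to the kind of classification the question asks for (LocalSystem, LocalService, NetworkService, virtual account, managed service account, local user, domain user). It assumes it runs on Windows with read access to HKLM\SYSTEM\CurrentControlSet\Services; the category names are my own choice, not anything defined by Windows.

```powershell
# Added example: classify service LogOn accounts from the registry ObjectName value.

function Get-ServiceLogonAccountType {
    param([Parameter(Mandatory)][string]$ObjectName)
    $name = $ObjectName.Trim()
    # Matching is case-insensitive; order matters because later patterns are broader.
    switch -Regex ($name) {
        '^LocalSystem$'                   { return 'LocalSystem' }
        '^NT AUTHORITY\\LocalService$'    { return 'LocalService' }
        '^NT AUTHORITY\\NetworkService$'  { return 'NetworkService' }
        '^NT SERVICE\\'                   { return 'VirtualAccount' }         # per-service virtual account (Vista and later)
        '^NT AUTHORITY\\'                 { return 'OtherBuiltIn' }
        '^\.\\'                           { return 'LocalUser' }              # .\user
        '^[^\\@]+\\[^\\]+\$$'             { return 'ManagedServiceAccount' }  # DOMAIN\name$ (sMSA/gMSA)
        '^[^\\@]+\\[^\\]+$'               {
            # COMPUTERNAME\user is a local account; any other prefix is a domain account
            if ($name -like "$env:COMPUTERNAME\*") { return 'LocalUser' }
            return 'DomainUser'
        }
        '^[^@\\]+@[^@\\]+$'               { return 'DomainUser' }             # user@domain (UPN form)
        default                           { return 'Unknown' }
    }
}

function Get-ServiceLogonAccounts {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Only Win32 services (Type bits 0x10 own-process / 0x20 share-process) log on as an
        # account; kernel and file-system drivers have no ObjectName worth classifying.
        if ($props.PSObject.Properties['ObjectName'] -and
            $props.PSObject.Properties['Type'] -and
            ($props.Type -band 0x30)) {
            [pscustomobject]@{
                Service     = $_.PSChildName
                ObjectName  = $props.ObjectName
                AccountType = Get-ServiceLogonAccountType -ObjectName $props.ObjectName
            }
        }
    }
}

# Usage: list services grouped by account type, which makes the ones running as a
# real user account (the interesting ones from a least-privilege standpoint) easy to spot.
Get-ServiceLogonAccounts | Sort-Object AccountType, Service | Format-Table -AutoSize
```

Reading the registry rather than calling Get-Service or Get-WmiObject Win32_Service keeps the example to the single value the answer points at; WMI's StartName property carries the same string if you prefer that route.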

Related

Can a service principal Access admin Portal settings in PowerBi service?

I cannot assign a capacity Id to a workspace via PowerShell commands, logged in with a service principal.
$workspace = Get-PowerBIWorkspace -name 'XXX-XX-XXXX-XXX'
$workspaceId = $workspace.Id
echo $workspaceId
Set-PowerBIWorkspace -Id $workspaceId -Scope "Organization" -CapacityId "XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
error message:
Set-PowerBIWorkspace: Operation returned an invalid status code 'Unauthorized'
I have taken the following steps:
I have created a service principal and assigned it to a security group in Azure AD.
I Manually added this security group in the admin Portal in PowerBi service to allow service principals to interact with service (under developer settings).
I have been able to (using PowerShell) log in with the service principal and create a workspace. I can get all workspaces etc.
However, when I try to set a workspace capacity Id (assign it to a premium capacity) I get an unauthorized error.
I suspect I cannot do this because to perform this action, I have to go under Admin Portal Settings > Workspaces (I need Admin Rights to PowerBi service), hence I'm trying to find a way to grant these admin permissions to the service principal.
Besides this, I have:
Assigned that same service principal in the security group to be workspace admin
Assigned the Power BI administrator role in AAD to that service principal
But nothing worked.
Is there a way to perform these actions? Or is it a limitation of Service Principals?
Thank you,
Joao
The admin APIs in general cannot be used when authenticating with service principal. Recently, they made it possible to use some of them, but not all. For example take a look at Announcing new Admin APIs and Service Principal authentication to make for better tenant metadata scanning and Enable service principal authentication for read-only admin APIs, where you can see the list of supported APIs.
To assign a capacity to a workspace, UpdateGroupsAsAdmin API is used, which is currently not listed as a supported API, and is documented only for "normal" authentication:
Permissions
The user must have administrator rights (such as Office 365 Global Administrator or Power BI Service Administrator).
while for other APIs (GetGroupsAsAdmin, PostWorkspaceInfo) it is explicitly documented that they can be used with a service principal:
Permissions
The user must have administrator rights (such as Microsoft 365 Global Administrator or Power BI Service Administrator) or authenticate using a service principal.
So either you have to wait for Microsoft to implement authentication with service principal (and there is no guarantee they will do that), or you will have to change the authentication (to use AAD account).
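As an added example (not part of the original answer), this PowerShell connects with a service principal and probes the admin API the answer lists as supported for service principals (GetGroupsAsAdmin, a read-only call), so that an Unauthorized response can be attributed to the principal type rather than to the credential. It assumes the MicrosoftPowerBIMgmt module is installed; the tenant id, application id and secret are placeholders, and the relative REST path admin/groups is taken from the Power BI REST documentation for that API.

```powershell
# Added example: verify which admin REST calls a service principal is allowed to make
# before building automation on them.

$tenantId     = '<tenant-id>'            # placeholder
$clientId     = '<app-registration-id>'  # placeholder
$clientSecret = Read-Host -AsSecureString -Prompt 'Client secret'
$cred = New-Object System.Management.Automation.PSCredential($clientId, $clientSecret)

# This succeeding proves the secret and tenant are right; any later Unauthorized
# therefore comes from the API not accepting a service principal.
Connect-PowerBIServiceAccount -ServicePrincipal -Credential $cred -Tenant $tenantId | Out-Null

function Invoke-AdminApiProbe {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$Method = 'Get',
        [string]$Body
    )
    $params = @{ Url = $Url; Method = $Method }
    if ($Body) { $params.Body = $Body }
    try {
        $raw = Invoke-PowerBIRestMethod @params   # returns the JSON body as a string
        [pscustomobject]@{ Call = "$Method $Url"; Outcome = 'OK'; Detail = "$($raw.Length) bytes" }
    } catch {
        [pscustomobject]@{ Call = "$Method $Url"; Outcome = 'Failed'; Detail = $_.Exception.Message }
    }
}

# Read-only admin API documented as supporting service principals: expected to succeed.
Invoke-AdminApiProbe -Url 'admin/groups?$top=10'
```

If the read-only probe succeeds while the capacity assignment in the question still returns Unauthorized, the limitation described in the answer (the write API requiring a user with admin rights) is confirmed, and no amount of role assignment to the service principal will change that.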

Test the pass through authentication connection of a new website using PowerShell

I need to test the pass through authentication connection of a new website using PowerShell.
The code that I have just creates the website.
New-WebApplication -Name DLTItemAnalysis -Site 'Default Web Site' -PhysicalPath C:\inetpub\wwwroot\ApplicationFolder\ApplicationFolder -ApplicationPool ApplicationPool
# XPath attribute tests use '@', and the element name is virtualDirectory (case-sensitive):
Set-WebConfiguration "/system.applicationHost/sites/site[@name='Default Web Site' and @id='1']/application[@path='/Application']/virtualDirectory[@path='/']" -Value @{userName=$ServUserName; password=$ServUserPassword}
Is there a way to also test the user connection like the GUI has?
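As an added example (not part of the original question), the following PowerShell reproduces the two checks the IIS Manager "Test Settings" button performs on a virtual directory's "Connect as" account: authentication (can the account log on) and authorization (can it read the physical path). It assumes the WebAdministration module (IIS 7 or later), PowerShell 3 or later for $using:, that it runs elevated so the stored password is returned decrypted, and that the account can log on to the web server locally; the site and application names are placeholders.

```powershell
# Added example: test a virtual directory's "Connect as" credentials the way the GUI does.

Import-Module WebAdministration
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-VirtualDirectoryCredential {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$AppPath  = '/DLTItemAnalysis'   # placeholder application path
    )
    $filter = "system.applicationHost/sites/site[@name='$SiteName']/application[@path='$AppPath']/virtualDirectory[@path='/']"
    $vdir = Get-WebConfiguration -Filter $filter
    if (-not $vdir) { throw "Virtual directory not found: $SiteName$AppPath" }

    $physPath = [Environment]::ExpandEnvironmentVariables($vdir.physicalPath)
    if ([string]::IsNullOrEmpty($vdir.userName)) {
        # No stored credential: IIS uses the application pool identity (pass-through).
        return [pscustomobject]@{ Identity = '(application pool)'; Path = $physPath; Authentication = 'n/a'; Authorization = 'n/a' }
    }

    # (1) Authentication: validate the logon against the machine or the domain.
    $account    = $vdir.userName
    $domainPart = if ($account -match '^([^\\]+)\\') { $Matches[1] } else { $null }
    $userPart   = $account -replace '^[^\\]+\\', ''
    $ctxType    = if ($domainPart -and $domainPart -ne '.' -and $domainPart -ne $env:COMPUTERNAME) { 'Domain' } else { 'Machine' }
    $ctx    = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]$ctxType)
    $authOk = $ctx.ValidateCredentials($userPart, $vdir.password)

    # (2) Authorization: open the physical path as that account in a separate process.
    $authzOk = $false
    if ($authOk) {
        $secure = ConvertTo-SecureString $vdir.password -AsPlainText -Force
        $cred   = New-Object System.Management.Automation.PSCredential($account, $secure)
        $job    = Start-Job -Credential $cred -ScriptBlock { Test-Path -Path $using:physPath -PathType Container }
        # A logon or access failure yields no output, which reads as $false here.
        $authzOk = [bool](Receive-Job -Job $job -Wait -AutoRemoveJob)
    }
    [pscustomobject]@{ Identity = $account; Path = $physPath; Authentication = $authOk; Authorization = $authzOk }
}

Test-VirtualDirectoryCredential -SiteName 'Default Web Site' -AppPath '/DLTItemAnalysis'
```

Run it straight after the Set-WebConfiguration call from the question; a result with Authentication True and Authorization False points at NTFS permissions on the physical path rather than at the password.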
I am not really sure what you are asking for here. As documented:
It is an authentication bridge and a new powerful way of cloud authentication while still keeping your passwords on-premise. It securely validates user passwords with on-premise Active Directory without the need of extra on-premise infrastructure like ADFS. Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users with a better experience - one less password to remember and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
When a user types in his user name and password on the Office 365 portal https://portal.office.com, the Office 365 service encrypts this using a public key and puts it in a queue for validation; one of the lightweight agents makes an outbound call from your network to retrieve the user name and password, decrypts the password using the organization's private key and validates it against local AD. Local AD sends back the resulting success or failure, it goes back to the Azure portal via an agent, and the user is authenticated.
So, this is nothing more than a standard Windows Kerberos auth request being redirected. So, you only need to test for normal Windows auth.
As noted above, PTA is a communications channel, not an auth type like basic, integrated, Kerberos, Kerberos (required), etc. For a target to validate a specific auth type, the target has to be configured for it. There is no PTA auth type, as noted above, that you can configure on a target.
Microsoft's PTA Video
User sign-in with Azure Active Directory Pass-through Authentication
What is Azure Active Directory Pass-through Authentication? Azure
Active Directory (Azure AD) Pass-through Authentication allows your
users to sign in to both on-premises and cloud-based applications
using the same passwords. This feature provides your users a better
experience - one less password to remember, and reduces IT helpdesk
costs because your users are less likely to forget how to sign in.
When users sign in using Azure AD, this feature validates users'
passwords directly against your on-premises Active Directory

How to access AzureAd ->Users and groups - User settings

I want to access the
Azure Portal -> Azure Active Directory->User Settings
via a powershell commandlet.
Currently I have tried
Get-MsolCompanyInformation
which gives limited data about these settings. Not all of the settings' values (true/false) come up with this commandlet.
Can someone give the commandlet(s) by which I can get whether these settings are enabled/disabled for a tenant?
For now, there is no command to list that information in the MSOL PowerShell module or Azure AD PowerShell module v2.
As a workaround, we can use roles to control those permissions.
We can use Azure AD PowerShell V2 to list roles: Get-AzureADDirectoryRole.
Then we can use this command to list the members of a role: Get-AzureADDirectoryRoleMember.
To create a role, we can list the role templates with this command: Get-AzureADDirectoryRoleTemplate
PS C:\Users> Get-AzureADDirectoryRoleTemplate
ObjectId DisplayName Description
-------- ----------- -----------
729827e3-9c14-49f7-bb1b-9608f156bbb8 Helpdesk Administrator Helpdesk Administrator has access to perform common helpdesk related tasks.
f023fd81-a637-4b56-95fd-791ac0226033 Service Support Administrator Service Support Administrator has access to perform common support tasks.
b0f54661-2d74-4c50-afa3-1ec803f12efe Billing Administrator Billing Administrator has access to perform common billing related tasks.
4ba39ca4-527c-499a-b93d-d9b492c50246 Partner Tier1 Support Allows ability to perform tier1 support tasks.
e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 Partner Tier2 Support Allows ability to perform tier2 support tasks.
88d8e3e3-8f55-4a1e-953a-9b9898b8876b Directory Readers Allows access to various read only tasks in the directory.
29232cdf-9323-42fd-ade2-1d097af3e4de Exchange Service Administrator Exchange Service Administrator.
75941009-915a-4869-abe7-691bff18279e Lync Service Administrator Lync Service Administrator.
fe930be7-5e62-47db-91af-98c3a49a38b1 User Account Administrator User Account Administrator has access to perform common user management related tasks.
9360feb5-f418-4baa-8175-e2a00bac4301 Directory Writers Allows access read tasks and a subset of write tasks in the directory.
62e90394-69f5-4237-9190-012177145e10 Company Administrator Company Administrator role has full access to perform any operation in the company scope.
a0b1b346-4d3e-4e8b-98f8-753987be4970 User Every user is implicitly considered to be a member of the User Role.
f28a1f50-f6e7-4571-818b-6a12f2af6b6c SharePoint Service Administrator SharePoint Service Administrator.
d405c6df-0af8-4e3b-95e4-4d06e542189e Device Users Device Users
9f06204d-73c1-4d4c-880a-6edb90606fd8 Device Administrators Device Administrators
9c094953-4995-41c8-84c8-3ebb9b32c93f Device Join Device Join
c34f683f-4d5a-4403-affd-6615e00e3a7f Workplace Device Join Workplace Device Join
17315797-102d-40b4-93e0-432062caca18 Compliance Administrator Compliance administrator.
d29b2b05-8046-44ba-8758-1e26182fcf32 Directory Synchronization Accounts Directory Synchronization Accounts
2b499bcd-da44-4968-8aec-78e1674fa64d Device Managers Allows access to read and edit device properties.
9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 Application Administrator Application Administrator role has access to perform common application management related tasks.
cf1c38e5-3621-4004-a7cb-879624dced7c Application Developer Application Developer role has ability to create single-tenant applications.
5d6b6bb7-de71-4623-b4af-96380a352509 Security Reader Security Reader allows ability to read security information and reports.
194ae4cb-b126-40b2-bd5b-6091b380977d Security Administrator Security Administrator allows ability to read and manage security configuration and reports.
e8611ab8-c189-46e8-94e1-60213ab1f814 Privileged Role Administrator Privileged Role Administrator has access to perform common role management related tasks.
3a2c62db-5318-420d-8d74-23affee5d9d5 Intune Service Administrator Intune Service Administrator has full access in the Intune Service.
158c047a-c907-4556-b7ef-446551a6b5f7 Cloud Application Administrator Cloud Application Administrator has the ability to create applications and update all cloud properties of applications.
5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 Customer LockBox Access Approver Customer LockBox Access Approver has approval access to user data requests.
44367163-eba1-44c3-98af-f5787879f96a CRM Service Administrator CRM Service Administrator has full access in the CRM Service.
a9ea8996-122f-4c74-9520-8edcd192826c Power BI Service Administrator Full access in the Power BI Service.
95e79109-95c0-4d8e-aee3-d01accf2d47b Guest Inviter Guest Inviter has access to invite guest users.
b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 Conditional Access Administrator Allows management of all conditional access capabilities.
For more information about Azure AD PowerShell V2, please refer to this link.
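As an added example (not part of the original answer), this PowerShell ties the three cmdlets together into a membership report for every activated directory role, and shows how a role that only exists as a template is activated from its template id. It assumes the AzureAD (V2) module and an existing Connect-AzureAD session with directory read rights; the role name passed at the end is taken from the template list above.

```powershell
# Added example: report who holds each activated directory role, and activate a role
# from its template when the tenant has never enabled it.

Import-Module AzureAD

function Get-DirectoryRoleMembership {
    # Get-AzureADDirectoryRole returns only roles that have been activated in the tenant;
    # roles that were never used exist solely as templates.
    Get-AzureADDirectoryRole | ForEach-Object {
        $role    = $_
        $members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
        [pscustomobject]@{
            Role        = $role.DisplayName
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.DisplayName }) -join ', '
        }
    }
}

function Enable-DirectoryRoleFromTemplate {
    param([Parameter(Mandatory)][string]$DisplayName)
    $existing = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $DisplayName
    if ($existing) { return $existing }   # already activated, nothing to do
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $DisplayName
    if (-not $template) { throw "No role template named '$DisplayName'" }
    Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Usage: highest-privilege roles first, so Company Administrator membership is reviewed first.
Get-DirectoryRoleMembership | Sort-Object MemberCount -Descending | Format-Table -AutoSize
Enable-DirectoryRoleFromTemplate -DisplayName 'Directory Readers' | Out-Null
```

Membership is listed by display name only; Get-AzureADDirectoryRoleMember also returns ObjectType, which distinguishes users from service principals and is worth including when the report feeds an access review.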

Kerberos: difference between UPN and SPN

I'm now kerberizing a cross-platform application with GSSAPI.
But I'm not clear about the difference between a UPN and an SPN.
The development environment is a Samba4 AD DC server on CentOS 6.4 with a Windows Server 2008 R2 member box in the domain, say EXAMPLE.COM. (You may be curious why I don't use Win2008 as the DC directly. As I stated previously, the application is cross-platform, so I'm now testing in this setting. The normal Windows DC / Linux member setting works fine.)
I create a new user foobar:users to run the application.
When I use foobar@EXAMPLE.COM, i.e. the UPN, to authenticate the application against Kerberos, I keep receiving
Kerberos: Principal may not act as server ERROR
Following a thread on the Samba mailing list, I think I should create a service principal name, say app/dc.example.com, for the UPN with samba-tool
samba-tool spn add app/dc.example.com foobar
This time I will receive another error
Samba4 KDC - no such entry found in hdb
My question is what's the difference between a UPN and SPN?
By samba-tool spn list foobar, it says foobar has servicePrincipalName app/dc.example.com.
How could I associate a UPN with an SPN?
Thank you very much.
Simply put,
UPN: An entity performing client requests to some service. Entity may be human or machine. See here.
SPN: An entity processing requests for a specific service, e.g., HTTP, LDAP, SSH, etc. Machine only. See here.
A UPN retrieves a service ticket for an SPN to use that actual service.
With your samba-tool call you request Samba to register the SPN app/dc.example.com to the UPN foobar. Since you have not provided the realm of the SPN and UPN, Samba will assume the default realm of the machine this call is performed from. In Windows terms, you mostly bind an SPN to a machine UPN, which is always <name>$@<REALM>. Note the dollar sign.
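As an added example (not part of the original answer), the following PowerShell does from the Windows member box what the samba-tool command in the question does on the DC: it finds the account by its UPN, checks that the SPN is not already registered on some other object (a duplicate SPN breaks Kerberos for that service), and then writes the SPN onto that account's servicePrincipalName attribute. It deliberately uses plain LDAP through System.DirectoryServices instead of the ActiveDirectory module, because that module needs Active Directory Web Services, which a Samba DC does not provide. The names foobar, app/dc.example.com and EXAMPLE.COM are the question's; the search base DC=example,DC=com is an assumption derived from the realm.

```powershell
# Added example: associate an SPN with the account that owns a UPN, over LDAP.

function New-LdapSearcher {
    param([string]$SearchBase, [string]$Filter, [string[]]$Attributes)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.Filter = $Filter
    [void]$searcher.PropertiesToLoad.AddRange($Attributes)
    return $searcher
}

function Get-PrincipalByUpn {
    param([string]$Upn, [string]$SearchBase)
    $searcher = New-LdapSearcher -SearchBase $SearchBase `
        -Filter "(&(objectClass=user)(userPrincipalName=$Upn))" `
        -Attributes @('distinguishedName', 'sAMAccountName', 'servicePrincipalName')
    $searcher.FindOne()
}

function Find-SpnOwners {
    # Every object carrying this SPN; SearchResult property names come back lowercase.
    param([string]$Spn, [string]$SearchBase)
    $searcher = New-LdapSearcher -SearchBase $SearchBase -Filter "(servicePrincipalName=$Spn)" -Attributes @('distinguishedName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

function Add-SpnToPrincipal {
    param([string]$Upn, [string]$Spn, [string]$SearchBase)
    $entry = Get-PrincipalByUpn -Upn $Upn -SearchBase $SearchBase
    if (-not $entry) { throw "No account with userPrincipalName $Upn" }
    $dn     = $entry.Properties['distinguishedname'][0]
    $owners = @(Find-SpnOwners -Spn $Spn -SearchBase $SearchBase)
    if ($owners -contains $dn) { return "SPN $Spn is already on $dn" }
    if ($owners.Count -gt 0)   { throw "SPN $Spn is already registered on: $($owners -join '; '). Refusing to create a duplicate." }
    $obj = $entry.GetDirectoryEntry()
    [void]$obj.Properties['servicePrincipalName'].Add($Spn)
    $obj.CommitChanges()
    return "Added $Spn to $dn"
}

$base = 'DC=example,DC=com'   # assumed from the realm EXAMPLE.COM
Add-SpnToPrincipal -Upn 'foobar@EXAMPLE.COM' -Spn 'app/dc.example.com' -SearchBase $base
# Confirm what samba-tool spn list would show: the account's servicePrincipalName values.
(Get-PrincipalByUpn -Upn 'foobar@EXAMPLE.COM' -SearchBase $base).Properties['serviceprincipalname']
```

The duplicate check is the part worth keeping even if you stay with samba-tool: one SPN must map to exactly one account, or the KDC cannot decide which key to encrypt the service ticket with.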

Grant access to SYSTEM account for RSA container on Windows Server 2003

I have a need to access an RSA private key from a Windows service running under the NT AUTHORITY\SYSTEM account. I'm able to install the private key on the server, and then make use of that key when running as the user that installed the key. However, the key does not seem to be available from the Windows service. Do I need a machine-level key here (which I understand increases the risk of compromise), or is there a way I can install a key specifically intended for use by the SYSTEM account?
You can do start->run->mmc, load the Certificates snap-in and then choose "Service account" to manage the certificates for a specific service. I am not sure if you can do this for the SYSTEM account. Is this a requirement or are you able to run your service as a custom least privilege account?
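As an added example (not part of the original answer), the following PowerShell locates the private-key file behind a certificate in the machine store and lists, or grants, the file ACL entry that lets a service identity such as NT AUTHORITY\SYSTEM read it. It also refuses to proceed when the key turns out to live in a user profile container, which is the situation the question describes (a key installed per user is not visible to SYSTEM). It assumes PowerShell 2.0, a CSP (RSA) key as on Server 2003 (CNG keys are stored elsewhere), and that the caller can already read the key; the thumbprint is a placeholder.

```powershell
# Added example: inspect and grant access to the private-key file of a machine-store certificate.

function Get-PrivateKeyAccess {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    $rsa = $cert.PrivateKey
    if (-not $rsa) { throw "Private key exists but is not readable by the current account" }
    $info = $rsa.CspKeyContainerInfo
    if (-not $info.MachineKeyStore) {
        throw "Key container '$($info.KeyContainerName)' is in a user profile store; SYSTEM and other service accounts cannot reach it. Re-import the key into the machine store."
    }
    # CSP machine keys are files named after the unique container name under the common
    # application-data folder (Documents and Settings\All Users\... on Server 2003, ProgramData later).
    $commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
    $keyFile = Join-Path (Join-Path $commonAppData 'Microsoft\Crypto\RSA\MachineKeys') $info.UniqueKeyContainerName
    New-Object PSObject -Property @{
        Thumbprint = $Thumbprint
        KeyFile    = $keyFile
        Access     = (Get-Acl -Path $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$Identity = 'NT AUTHORITY\SYSTEM'
    )
    $keyFile = (Get-PrivateKeyAccess -Thumbprint $Thumbprint).KeyFile
    $acl  = Get-Acl -Path $keyFile
    # Read is all a consumer of the key needs; never grant Modify or Full Control here.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

$thumb = '<certificate-thumbprint>'   # placeholder
(Get-PrivateKeyAccess -Thumbprint $thumb).Access | Format-Table -AutoSize
# Grant-PrivateKeyRead -Thumbprint $thumb -Identity 'NT AUTHORITY\SYSTEM'
```

On a default installation SYSTEM already has full control over MachineKeys, so for a machine-store key the report usually shows the access is there and the remaining question is only whether the key should be machine-level at all; for a custom least-privilege service account, Grant-PrivateKeyRead with that account's name is the narrower alternative to granting anything to SYSTEM.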