Hide credential providers in C++ - group-policy

The credential provider can be hidden in Windows by setting the disable key to true. How can I hide the credential provider in Windows without having to disable its key in the system registry?

You should be able to change some Group Policy settings, dependent on the credential provider you are using, with the C++ Group Policy API. A few vendors have Group Policy keys that you can edit, which avoids editing the system registry programmatically.
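For anyone auditing which providers are registered and which are already disabled before touching policy, here is an added PowerShell read-only example (not code from either poster). It walks the well-known `Credential Providers` registry key, reads each provider's per-CLSID `Disabled` DWORD, resolves the COM server DLL, and reports its Authenticode signer so third-party providers stand out. Function and property names are my own.

```powershell
# Added example: inventory Windows credential providers and their Disabled state.
# Read-only; it changes nothing. Paths below are the standard Windows locations.
function Get-CredentialProviderStatus {
    [CmdletBinding()]
    param(
        # Registry key where Windows registers credential providers by CLSID
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    )

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction Stop) {
        $clsid = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath

        # The key's default value carries the provider's friendly name
        $name = $props.'(default)'

        # Resolve the in-process COM server DLL from HKCR\CLSID\{...}\InprocServer32
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

        # Signer of the DLL: Microsoft-signed is the expected baseline on a stock host
        $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $sig.Status }
        }

        # "Disabled" is a DWORD on the CLSID key; 1 means the provider is hidden at logon
        $disabledValue = $props.PSObject.Properties['Disabled']
        [pscustomobject]@{
            CLSID    = $clsid
            Name     = $name
            Dll      = $dll
            Signer   = $signer
            Disabled = [bool]($disabledValue -and $disabledValue.Value -eq 1)
        }
    }
}

# Usage: list everything, disabled providers last, so enabled third-party DLLs are easy to spot
Get-CredentialProviderStatus | Sort-Object Disabled, Name | Format-Table -AutoSize
```

Running this periodically (or shipping its output to your SIEM) gives you a change record for the logon surface, which is useful whether the hiding is later done through vendor Group Policy keys or through the registry.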

Related

Disabling authenticator, sessions, applications, log and my resources options from the Account Management Console in KeyCloak

KeyCloak Account Management Console
How do I disable the menus authenticator, sessions, applications, log and my resources options from the Account Management Console in KeyCloak as marked in the picture? I just want to have the Account and Password option to be available for the users.
Are you using the new or the old account console?
With the new account console you may simply want to adjust the content.json file
Check out this quickstart for details
With the old account console, I guess you will need to adjust the template.ftl in your own theme.
Note: Please be aware that this will only change the theme and users will still be able to use the APIs directly.

Powershell - automated connection to Power BI service without hardcoding password

We have a PowerShell script to pull Power BI activity data (using Get-PowerBIActivityEvent), and I have been trying to automate it so that it can pull this data daily using an unattended account. The problem is the script must necessarily use the Connect-PowerBIServiceAccount cmdlet, which requires a credential. I don't want to have the passwords hard-coded anywhere (obviously) and ideally don't want to be passing it into the script as a plaintext parameter in case of memory leaks.
I've tried using SSIS as a scheduling mechanism since it allows for encrypted parameters in script tasks, but can't call the PS script with a SecureString parameter since the System.Management.Automation namespace isn't in the GAC (a commandline call wouldn't be possible).
I don't believe task scheduler would offer the functionality needed.
Does anyone know of any elegant ways to connect to the power BI service using encrypted credentials?
In the docs of Connect-PowerBIServiceAccount there are 2 options for unattended sign-in:
Using -Credential, where you pass AAD client ID as username and application secret key as password
Using -CertificateThumbprint and -ApplicationId
For both options you need to configure a service principal and add proper permissions. I'm not going into details on how to configure that, but most probably you'd need (at least) the following application permissions:
I'm not really sure what functionalities you need in the script, but in my experience, majority of the cases can be covered by scheduled task, so the explanation below will apply to that solution.
How you can secure the credentials?
There are various possible solutions, depending on your preferences. I'd consider certificate-based authentication as more secure (the certificate is available only to the current user/all users of the machine).
What's important in certificate-based authentication - make sure that the certificate is available for the account running the script (in many cases it's service account, not your user account).
How can I secure more?
If you want, you can store application ID as secure string (I don't have SSIS to test, so I'm not sure if there's any workaround to make it working in there) or use Export-CliXml. They use Windows Data Protection API (DPAPI), so the file can be decrypted only by the account which was used to encrypt.
To add one more level of security (I'm not even mentioning setting correct access rights to the files as it's obvious) you might put the file in an encrypted folder (you might already have a solution for disk encryption, so use it if you wish).
There are probably some solutions to secure the keys even better, but these ones should do the job. I'm using other Microsoft 365 modules with similar approach (Outlook, SharePoint PnP) and it works quite well.
NOTE: If you need to use a user account instead of a service principal, make sure that you have Multi-Factor Authentication disabled on that account for that specific application.
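The two storage options this answer describes, as an added PowerShell example (not the answerer's own script): a PSCredential protected with DPAPI through Export-Clixml, readable only by the same Windows account on the same machine, and certificate-based sign-in with -CertificateThumbprint / -ApplicationId after checking that the certificate is actually visible to the account running the task. It assumes the MicrosoftPowerBIMgmt module is installed and that the app registration, certificate and tenant exist; $AppId, $TenantId, $Thumbprint and the file path are placeholders.

```powershell
# Added example: protecting unattended Power BI credentials with DPAPI or a certificate.
# Placeholders: $CredPath location, $AppId, $TenantId, $Thumbprint.
$CredPath = Join-Path $env:ProgramData 'PbiAutomation\pbi-sp.cred.xml'

function Save-PbiCredential {
    param([Parameter(Mandatory)][pscredential]$Credential)
    New-Item -ItemType Directory -Path (Split-Path $CredPath) -Force | Out-Null

    # Export-Clixml encrypts the SecureString with DPAPI in the *current* account's
    # context, so run this once interactively as the scheduled task's service account.
    $Credential | Export-Clixml -Path $CredPath

    # Defence in depth: drop inherited ACEs and allow only the owning account and SYSTEM.
    $acl = Get-Acl -Path $CredPath
    $acl.SetAccessRuleProtection($true, $false)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($id in @($me, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $CredPath -AclObject $acl
}

function Connect-PbiWithStoredSecret {
    param([Parameter(Mandatory)][string]$TenantId)
    # Import-Clixml throws a CryptographicException when run as any other account or
    # on another machine: that is the DPAPI property the answer relies on.
    $cred = Import-Clixml -Path $CredPath
    # Username = AAD application (client) ID, password = client secret
    Connect-PowerBIServiceAccount -ServicePrincipal -Credential $cred -Tenant $TenantId
}

function Connect-PbiWithCertificate {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # Fail early with a clear message if the cert is not in a store this account can see
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) {
        throw "Certificate $Thumbprint is not in CurrentUser\My or LocalMachine\My for $env:USERDOMAIN\$env:USERNAME"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key accessible to this account"
    }
    Connect-PowerBIServiceAccount -ServicePrincipal -CertificateThumbprint $Thumbprint -ApplicationId $AppId -Tenant $TenantId
}

# One-time setup, run as the task's service account:
#   Save-PbiCredential -Credential (Get-Credential -Message 'Client ID as user, secret as password')
# In the scheduled script, pick one:
#   Connect-PbiWithStoredSecret -TenantId $TenantId
#   Connect-PbiWithCertificate -AppId $AppId -TenantId $TenantId -Thumbprint $Thumbprint
```

The certificate path avoids any secret on disk at all, which is why the answer prefers it; the DPAPI path is the fallback when a client secret is unavoidable, and the ACL step matters because DPAPI alone does not stop a local administrator from reading the file as the same account.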
The relevant documentation to this (https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal) states that admin APIs (i.e. those served via Get-PowerBiActivityEvent) do not currently support service principals. This means it's not currently possible to use a registered app to run these cmdlets unattended.
There is a feature request open to provide this at the moment: https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/39641572-need-service-principle-support-for-admin-api

GitHub OAuth is not configured. Configure OAuth in the che.properties file

I am getting an error to configure OAuth in che.properties, but I am not able to find the location of the file or the syntax to add the configuration. I am using Ubuntu 18.04.
For single-user Che, see https://www.eclipse.org/che/docs/che-7/version-control/#configuring-github-oauth_version-control.
For multi-user Che:
Go to the keycloak page (http://keycloak-che.192.168.99.170.nip.io/)
Log in as admin.
Click Identity Providers.
In the Add provider drop-down list, click GitHub. The Add identity provider window is displayed.
In the Add identity provider window:
In the Redirect URI field, depending on your Eclipse Che installation, type the Authorization callback URL.
Copy the client ID and the client secret from GitHub and paste them in the Client ID and the Client Secret fields, respectively.
In the Homepage URL and the Authorization callback URL fields, depending on your Eclipse Che installation, type the two URLs.
In the Default Scopes field, type repo, user, write:public_key.
Set Store Tokens and Stored Tokens Readable to ON.
Click Save.
The message "Success! The github provider has been created." indicates success, and the GitHub provider is added to the Identity Providers window.
Perform the following steps to set role mapping for non-administrative users.
Expand the Manage tab and then click Users.
Click the Role Mappings tab.
Click the Client Roles drop-down menu and click broker.
In the Available Roles list, click read-token.
Click Add selected.
In the Effective Roles list, click read-token.
The GitHub OAuth is now set for the user.

IdentityServer.IdentityManager requires no login

I am using the AspNetIdentity sample from the IdentityServer3 Samples file. When I start up the application the first page shows links for the Identity Server Welcome page and the Identity Manager User admin. When I click on the Identity manager admin link it automatically logs into the server and you can create, update etc any users, roles etc. How can this be modified to require a login? It seems obvious to me that this should not automatically log in and allow this access - am I missing something?
Identity Manager's default security is "Local Host" security. This means the caller/user is considered trusted if that caller is browsing from the same machine that is hosting Identity Manager. This is just the default, other security modes are available. Brock has a good video that explains the other modes.

Grant access to SYSTEM account for RSA container on Windows Server 2003

I have a need to access an RSA private key from a Windows service running under the NT AUTHORITY\SYSTEM account. I'm able to install the private key on the server, and then make use of that key when running as the user that installed the key. However, the key does not seem to be available from the Windows service. Do I need a machine-level key here (which I understand increases the risk of compromise), or is there a way I can install a key specifically intended for use by the SYSTEM account?
You can do start->run->mmc, load the Certificates snap-in and then choose "Service account" to manage the certificates for a specific service. I am not sure if you can do this for the SYSTEM account. Is this a requirement or are you able to run your service as a custom least privilege account?