Am trying to run my Service Fabric application in my local cluster to run as a different user. Use case is am trying to connect to my on prem database, but since n/w service accounts don't have access, i need to run my SF as logged in user. I've followed the below url exactly, as Admin user & domain user, but no luck.
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security
Am getting the below error in eventviewer.
"Error getting user account information for domain\user:AccessDenied"
"SetupSecurityPrincipals failed with ApplicationPrincipalAbortable Error"
How else can i run my SF as logged in user?
I was able to accomplish this by running 'Service Fabric Host Service' in services as logged in user(instead of local account). Along with this the Integrated Security = SSPI needs to be in the appsettings.json.
Related
we are using admin accounts as admin account have most of the rights to execute and access files from the all locations so uipath automation runs smoothly.
admin account : CORP\ADM-FR-SFAKHORI
sefrvice account : SVC-FR-S2DCAUTO
we conenct our production using admin account , and now need is there to run more automations and we dont have free slots for admin accounts to run / admin account is occupied with existing automation.
Team provided us service account instead admin account to connect our vm and to run automations.
to login certain applications via servcie account is possible which we are doing currenly also but can we run automations using servcie account?
we are using task scheduler and for now our vm is not able to connect with service account as servcie account deoent have logon accesss.
my question is if team provides logon access to servcie account then can we execute our scripts without any issue ? or can we ask for admin account to the team ?
we are using ateended named user license.
Please help us on same.
i tried by connecting using service account to vm but it is just connecting and disconnecting.
so we are not sure if team provides us login access then also we can able to accseess/execute or not.
so we want that surety .
enter image description here
We have a release pipeline that is failing with following message:
resource ID for resource type 'Microsoft.Web/Sites' and resource name
'appservicename'. Error: Could not fetch access token for Managed
Service Principal. Please configure Managed Service Identity (MSI) for
virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400,
status message: Bad Request
We have 2 different service connections:
Azure Resource Manager using service principal authentication
Azure Resource Manager using managed identity authentication
The first one works like a charm. However, because the developer wanted to limit admin access on the Azure AD, he tried creating a managed identity authentication service connection which at first glance, since it allowed us to select the App Service, appeared to indicate it's working, until an actual deployment was triggered and it failed per the error message above.
After numerous searches online, I think this answer may be the clue to why this is failing with the managed identity authentication service connection yet succeeding with the service principal connection just fine.
I just want to confirm, is this truly the case? that a hosted agent doesn't support MSI based authentication, which is what we are using… or has that changed?
We are indeed using Microsoft agent pool.
It doesn't make sense for our app service to use a VM at this time. The use case just isn't applicable for the dashboards we have.
As it is written in the docs:
You are required to use a self-hosted agent on an Azure VM in order to use managed service identity
I assume that it was alway like that. Here we are talking abut MSI assigned to VM which serves as build agent. Not MSI which is identity of App Service. Why? Service Connection is an abstraction which makes easy authentication to your Azure Subscription. So it gives identity to VM and then when your perform some action against your Azure thanks to MSI Azure know that can perform that action. Another aption is authentication via Service Principal, but thi can be done from any VM (inlcuding MS Hosted) because it relies on Client Id and Client secret which is kept in service connections. And MSI have to be assigned to particular VM which cannot be done with MS Hosted agents.
Whenever I try to open process definition in drools , Getting the Below Error
Invalid credentials to load data from remote server. Contact your system administrator.
I have given all permissions to role permission to user but still this error shows up.
While many details from your problem are not clear, here is the bottom line of this issue.
You are logging into the business-central with user 'nithish'. This user, will be used in the remote REST requests to your kie server instance. This means that user 'nithish' needs to exists on the kie-server side as well - otherwise kie-server will not recognise that user, thus authentication will fail. He needs to be created there with the same password and same roles as are present on the business-central side. I would advise at least
kie-server, rest-all,admin
roles.
The server you've installed your business central on has no access rights.
I have a com+ application that when I connect to the machine and start the application, it works without issue. It is set with a run identity that is a service account with a non-expiring password.
I have another application (running as a service) that calls the COM+ application is set to run as the same service account. When I invoke the commands I need while logged in to machine that is running the service (the one that calls the COM+ application) it works without issue.
If I log out of the machine running the service and monitor the process that is running, I get the following error:
The server process could not be started because the configured identity is incorrect. Check the username and password.
I'm trying to find out if there is a group policy that might be interfering here. Everything works fine when I'm logged in, but when I log out, the service continues to run but fails to call the COM+ application. I know there are AD policies that prevent services from running when the account is not logged in, but are there any that would prevent the COM+ application from starting when called from a service that is running as a user that is not logged in?
Any suggestions would be very helpful.
The issue only showed up when the application was running as a service and the service account was not logged in. The issue I think was related to a double hop but where I'm not exactly sure. I was able to work around the issue by changing the identify for the DCOM object to use the specific service account's credentials.
I am trying to setup a Gcloud Auth Login for an account on a server that will cover all users.
i.e.
I login using an administrator account and issue the command..
e.g.
gcloud auth login auser#anemail.com
go through the steps required and when I issue the issue the Gcloud Auth List command I get the right result.
But other users cannot see it.
i.e. we use sap data services that use a proxy account on the server when it is running
e.g.
proxyaccount#mail.com
but that user cannot see the the authorized user I authorized using the administrator account.
I get error "you do not currently have an active account selected"
The "other" accounts do not have administration access nor do we want them to, and besides I don't want to have to go through this process for each and every account that connects to the server.
Ian
Each user gets its own gcloud configuration folder. You can see which configuration folder is used by gcloud by running gcloud info.
Note that if your server is a VM on GCP you do not need to configure credentials as they are obtained from metadata server for the VM.
Sharing user credentials is not a good practice. If you need to do this your users can set CLOUDSDK_CONFIG environment variable to point to one shared configuration folder. Also you should at least use service account for this purpose and activate it via gcloud auth activate-service-account instead of using credentials obtained via gcloud auth login.