Windows authentication 401 error, SPN to Service account - kerberos

I'm struggling around and hope you can help me.
Scenario:
I wrote a web application on a test server and all works fine. I moved the finished application to the live system and I receive an HTTP 401 error if Windows authentication is enabled on IIS. I solved this problem by setting an SPN on the server name, e.g.
setspn -a http/contoso contoso
But it needs to work with my service account.
I set spn for service account like:
setspn -a http/contoso.com mydomain\serviceaccount
setspn -a http/contoso mydomain\serviceaccount
The application pool is running as mydomain\serviceaccount. Kerberos delegation is set for this account in Active Directory. But I still get a 401 error. For testing purposes, the service account has the Administrator role on this server.

This looks like a duplicate SPN issue. I believe you have done all the right things by adding SPNs for the service account, but there is one more step in IIS that you need to take to ensure that the application pool credentials are actually being used.
Click on the website and in the center panel, click on Configuration Editor. Navigate to "system.webServer/security/authentication/windowsAuthentication" and there set "useAppPoolCredentials" to true and "useKernelMode" to false.
Follow this article for more info - https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
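As an added example (not part of the answer above), the following PowerShell, run from an elevated prompt on the IIS host, checks the SPN side of the problem the answer names (duplicate SPNs), registers the SPNs in a way that refuses duplicates, and applies the two windowsAuthentication settings through the WebAdministration module rather than the Configuration Editor. The account and host names are the ones from the question; the site name 'Default Web Site' is an assumption.

```powershell
# Added example, not code from the original post. Assumes the WebAdministration
# module (inbox on IIS hosts) and the setspn tool from RSAT/domain tools.
$ServiceAccount = 'mydomain\serviceaccount'
$HostNames      = @('contoso', 'contoso.com')
$SiteName       = 'Default Web Site'          # assumed site name

# 1. A Kerberos 401 is most often the same HTTP/<host> SPN registered on two
#    accounts (here: the computer account from the first attempt and the
#    service account). setspn -X reports every duplicate in the forest.
Write-Host 'Duplicate SPNs in the forest:'
setspn -X

# 2. Show what is registered for the service account and who holds each host SPN.
setspn -L $ServiceAccount
foreach ($h in $HostNames) {
    Write-Host "Accounts holding HTTP/$h :"
    setspn -Q "HTTP/$h"
}

# 3. Register with -S rather than -A: -S checks for an existing holder and
#    refuses to create a duplicate, -A adds blindly.
foreach ($h in $HostNames) {
    setspn -S "HTTP/$h" $ServiceAccount
}

# 4. Make IIS decrypt tickets with the app pool account's key instead of the
#    machine account's (the settings the answer sets via Configuration Editor).
Import-Module WebAdministration
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName; Filter = $filter }
Set-WebConfigurationProperty @common -Name 'useAppPoolCredentials' -Value $true
Set-WebConfigurationProperty @common -Name 'useKernelMode'         -Value $false

# 5. Read the settings back to confirm they were written to the site scope.
Get-WebConfiguration @common | Select-Object useAppPoolCredentials, useKernelMode
```

If step 1 lists an HTTP/contoso SPN on the computer account, remove it with `setspn -D HTTP/contoso contoso` before step 3; otherwise the KDC keeps issuing tickets encrypted for the wrong account and the 401 persists regardless of the IIS settings.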

Related

Drools Invalid credentials to load data from remote server. Contact your system administrator

Whenever I try to open a process definition in Drools, I get the error below:
Invalid credentials to load data from remote server. Contact your system administrator.
I have given all role permissions to the user, but this error still shows up.
While many details from your problem are not clear, here is the bottom line of this issue.
You are logging into business-central with user 'nithish'. This user will be used in the remote REST requests to your KIE Server instance. This means that user 'nithish' needs to exist on the kie-server side as well; otherwise kie-server will not recognise that user, and authentication will fail. He needs to be created there with the same password and the same roles as are present on the business-central side. I would advise at least the kie-server, rest-all and admin roles.
The server you've installed your business central on has no access rights.
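As an added example (not part of either answer above), the PowerShell below creates the matching user on the KIE Server side with the roles the answer recommends and then confirms that KIE Server actually accepts the credential, which separates a missing principal from a password mismatch. It assumes KIE Server runs on WildFly/EAP on a Windows host at the assumed install path and URL shown; the user name comes from the question, the password is entered at the prompt.

```powershell
# Added example, not code from the original thread. Assumed values are marked.
$JBossHome = 'C:\kie-server'                    # assumed WildFly/EAP install path
$KieUrl    = 'http://localhost:8080/kie-server' # assumed KIE Server base URL
$User      = 'nithish'
$Roles     = 'kie-server,rest-all,admin'        # roles the answer recommends

# Read the password interactively so it is never stored in the script or in
# shell history; it must be identical to the one used on business-central.
$cred  = Get-Credential -UserName $User -Message 'Same password as on business-central'
$plain = $cred.GetNetworkCredential().Password

# Create the user in the ApplicationRealm (-a) with the given roles (-ro).
& "$JBossHome\bin\add-user.bat" -a -u $User -p $plain -ro $Roles --silent
if ($LASTEXITCODE -ne 0) { throw "add-user failed with exit code $LASTEXITCODE" }

# Verify: the server-info endpoint is behind BASIC auth, so 200 means the
# principal now exists with a usable password; 401 means it is still missing
# or the password differs from what business-central will send.
try {
    $resp = Invoke-WebRequest -Uri "$KieUrl/services/rest/server" `
                              -Credential $cred -UseBasicParsing
    Write-Host "KIE Server answered HTTP $($resp.StatusCode): user '$User' is recognised."
} catch {
    Write-Warning "KIE Server rejected '$User': $($_.Exception.Message)"
}
```

Run the verification again after changing the password on business-central; the two realms are independent, so a password change on one side silently reintroduces this error until it is repeated on the other.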

Deploy a business network on bluemix

I use this tutorial to deploy a business network on a free bluemix cluster: https://ibm-blockchain.github.io/
I also deploy the REST Server and communicate via Web apps.
All went fine till yesterday. The REST Server was not accessible anymore.
I deleted everything on the cluster using the script delete_all available in the ibm-container-service repository.
I followed the install procedure using the create_all script. I could access the Composer Playground (port 31080) again but was not really able to deploy an online business network using the "profile" hlfv1. Now it asks at the bottom of the "deploy UI" for credentials.
I don't know what to fill in. I tried to use ID+Password. This way I was able to deploy, but I got an access error by clicking on "connect now". I was able to start the REST server then, but if I try to access it in the browser (port 31090), I get the feedback that I'm not authorized.
Any ideas?
And do you know which changes have been made in the last month, which could bring these troubles?
Thx
Phil
The tutorial you pointed to only covers Playground when used with a Web Browser connection, not a real fabric. When you deploy to a real fabric you have to provide an initial identity that you want bound to an initial participant in the business network. The initial participant will be of type org.hyperledger.composer.system.NetworkAdmin and given the name of the initial identity name you provide.
This dialog looks like this
To get you started you should select the ID and Secret radio button. Then for Enrollment ID enter admin and for the Enrollment Secret enter adminpw.
This is the name and secret of the bootstrap identity that exists in the fabric-ca server that has been deployed as part of the scripts.
By providing this information, that identity will be enrolled and its public certificate will be bound to a NetworkAdmin participant which will be called admin. This identity admin will then have access to the business network, as only identities that are bound to a participant in the business network can have any sort of access.

COM+ application throwing permission error when run as specific user

I have a com+ application that when I connect to the machine and start the application, it works without issue. It is set with a run identity that is a service account with a non-expiring password.
I have another application (running as a service) that calls the COM+ application; it is set to run as the same service account. When I invoke the commands I need while logged in to the machine that is running the service (the one that calls the COM+ application), it works without issue.
If I log out of the machine running the service and monitor the process that is running, I get the following error:
The server process could not be started because the configured identity is incorrect. Check the username and password.
I'm trying to find out if there is a group policy that might be interfering here. Everything works fine when I'm logged in, but when I log out, the service continues to run but fails to call the COM+ application. I know there are AD policies that prevent services from running when the account is not logged in, but are there any that would prevent the COM+ application from starting when called from a service that is running as a user that is not logged in?
Any suggestions would be very helpful.
The issue only showed up when the application was running as a service and the service account was not logged in. The issue I think was related to a double hop, but where exactly I'm not sure. I was able to work around the issue by changing the identity for the DCOM object to use the specific service account's credentials.
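As an added example (not part of the post above), this PowerShell uses the COM+ administration catalog to list the identity each COM+ application is configured to run under and then sets one application to the service account, which is the workaround the poster describes. The application name is a placeholder, the account name is the one the question uses, and the password is prompted for rather than written into the script. The catalog's Identity and Password properties are set through the COMAdminCatalogObject Value property, which is assumed to accept assignment from PowerShell's COM adapter.

```powershell
# Added example, not code from the original post. Run elevated.
$AppName = 'MyComPlusApp'               # placeholder: the COM+ application to change
$RunAs   = 'mydomain\serviceaccount'    # service account from the question

$catalog = New-Object -ComObject 'COMAdmin.COMAdminCatalog'
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()

# List every application with its configured identity. "Interactive User"
# is the default for new applications and only works while someone is logged
# on to the console, so it is the first thing to rule out for a service caller.
Write-Host 'COM+ applications and their run-as identities:'
foreach ($app in $apps) {
    '{0,-40} {1}' -f $app.Name, $app.Value('Identity')
}

# Prompt for the password instead of embedding it in the script.
$cred = Get-Credential -UserName $RunAs -Message 'Password for the COM+ run-as account'

$matched = 0
foreach ($app in $apps) {
    if ($app.Name -eq $AppName) {
        $app.Value('Identity') = $RunAs
        $app.Value('Password') = $cred.GetNetworkCredential().Password
        $matched++
    }
}
if ($matched -eq 0) { throw "COM+ application '$AppName' not found." }

# SaveChanges returns the number of catalog objects written.
$saved = $apps.SaveChanges()
Write-Host "$saved application(s) updated; shut down and restart '$AppName' to apply."
```

The account you set here also needs the "Log on as a batch job" right on the host, because COM+ server applications are started with a batch logon; a password change on the account must be repeated in the catalog, since COM+ stores its own copy.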

Kentico sync and AD authentication

My target site needs AD auth to browse and use the admin portal. All is fine there. This means syncing to this server via username and password authentication doesn't work. Does this mean I need to enable x.509 authentication?
If you mean using the Staging Module, the staging module's "Username and password" really is not linked to the actual CMS Users. You can put whatever Username and Password on the Destination server, and connect to it from the Source.
x.509 is also fine.
Tell me if you aren't talking about the Staging Module though.
You may need to do 1 of 2 things:
Enable mixed mode authentication. Yes, the overall authentication doesn't need to use a physical cms_user user, but since you have AD Authentication enabled, anytime another user or service tries to access a system page it may require them to log in.
Create a web.config location node in your /CMSPages/Staging/web.config file that excludes anyone or everyone to access the SyncServer.asmx page within there.
Otherwise configure the x.509 certificate setup.

IIS 10 System.Security.Cryptography.CryptographicException: Access denied

I'm currently using this sample as my test bed.
IdentityServer3.Samples/source/MembershipReboot/
I've assigned the correct permissions and read several other posts about this problem but I still get access denied.
My IIS app is running under applicationpoolidentity.
I suggest you use local IIS instead of IIS Express to have more control over security. I hope you will succeed with the following steps:
Install the certificate in the Personal directory of the Current User.
Assign a dedicated application pool to the IdSrv3 virtual application or website.
Assign your user as the identity of the dedicated application pool.
The user that runs IIS must have read rights on the certificate store where you put it. ApplicationPoolIdentity does not have these rights.
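As an added example (not part of the answer above), the PowerShell below shows the read right the answer refers to, applied the way a production host usually needs it: the certificate stays in the LocalMachine store and the application pool's virtual account is granted read access to the private-key file, so the site can keep running under a dedicated pool identity instead of an interactive user. The thumbprint and pool name are placeholders; the key-file lookup assumes an RSA key held by either the legacy CSP or the CNG key storage provider.

```powershell
# Added example, not code from the original thread. Run elevated on the IIS host.
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder
$PoolName   = 'IdSrv3Pool'                     # assumed application pool name
$Account    = "IIS AppPool\$PoolName"          # the pool's virtual account

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; import the PFX including its key.'
}

# Work out the on-disk name of the private key. Legacy CSP keys expose it via
# CspKeyContainerInfo; CNG keys via the RSACng Key object.
$keyName = $null
try {
    if ($cert.PrivateKey) { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName }
} catch { }
if (-not $keyName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = $rsa.Key.UniqueName
}

# Machine keys live in one of two directories depending on the provider.
$candidates = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName"
)
$keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found in the machine key stores." }

# Grant read only: the pool needs to use the key, never to replace or delete it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify the entry landed on the key file.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$PoolName*" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Read access on the key file is the narrow grant; making the pool identity a local Administrator, or storing the certificate in a user's personal store and running the pool as that user, both widen what the web application can reach if it is compromised.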