I have a COM+ application that, when I connect to the machine and start the application, works without issue. It is set with a run identity that is a service account with a non-expiring password.
I have another application (running as a service) that calls the COM+ application and is set to run as the same service account. When I invoke the commands I need while logged in to the machine that is running the service (the one that calls the COM+ application), it works without issue.
If I log out of the machine running the service and monitor the process that is running, I get the following error:
The server process could not be started because the configured identity is incorrect. Check the username and password.
I'm trying to find out if there is a group policy that might be interfering here. Everything works fine when I'm logged in, but when I log out, the service continues to run but fails to call the COM+ application. I know there are AD policies that prevent services from running when the account is not logged in, but are there any that would prevent the COM+ application from starting when called from a service that is running as a user that is not logged in?
Any suggestions would be very helpful.
The issue only showed up when the application was running as a service and the service account was not logged in. The issue, I think, was related to a double hop, but where exactly I'm not sure. I was able to work around the issue by changing the identity for the DCOM object to use the specific service account's credentials.
We had a working standalone cluster (ServiceFabric_7_2_457_9590).
After migrating to the new domain forest, we ran into a problem.
Factory starts up with no problems, but when we try to install an application, an error occurs:
Error getting user account information for [domain\username]: status=5, error=E_ACCESSDENIED
There seem to be some blocks, possibly related to some global policies. But I have no idea where to look.
One other thing, a new account was created in the new domain to run the applications.
It's very similar to Microservice's, Kerberos security and AD forest permissions #748 or this Service Fabric requirements to RunAs a domain user. But unfortunately we cannot rebuild the domain from scratch :(
We tried to install the factory from scratch, but it did not bring a positive result.
Whenever I try to open a process definition in Drools, I get the below error:
Invalid credentials to load data from remote server. Contact your system administrator.
I have given the user all role permissions, but this error still shows up.
While many details from your problem are not clear, here is the bottom line of this issue.
You are logging into the business-central with user 'nithish'. This user will be used in the remote REST requests to your kie server instance. This means that user 'nithish' needs to exist on the kie-server side as well - otherwise kie-server will not recognise that user, and thus authentication will fail. He needs to be created there with the same password and the same roles as are present on the business-central side. I would advise at least the kie-server, rest-all and admin roles.
The server you've installed your business central on has no access rights.
I am trying to run my Service Fabric application in my local cluster as a different user. The use case is that I am trying to connect to my on-prem database, but since network service accounts don't have access, I need to run my SF as the logged-in user. I've followed the below URL exactly, as Admin user and domain user, but no luck.
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security
I am getting the below error in Event Viewer.
"Error getting user account information for domain\user:AccessDenied"
"SetupSecurityPrincipals failed with ApplicationPrincipalAbortable Error"
How else can I run my SF as the logged-in user?
I was able to accomplish this by running 'Service Fabric Host Service' in services as the logged-in user (instead of the local account). Along with this, Integrated Security=SSPI needs to be in appsettings.json.
I'm struggling around and hope you can help me.
Scenario:
I wrote a web application on a test server and all works fine. I moved the finished application to the live system and I receive an HTTP 401 error if Windows authentication is enabled on IIS. I solved this problem by setting an SPN on the server name, e.g.
setspn -a http/contoso contoso
But it needs to work with my service account.
I set the SPN for the service account like:
setspn -a http/contoso.com mydomain\serviceaccount
setspn -a http/contoso mydomain\serviceaccount
The application pool is running as mydomain\serviceaccount. Kerberos delegation is set for this account in Active Directory. But I still get a 401 error. For testing purposes, the service account has the Administrator role on this server.
This looks like a duplicate SPN issue. I believe you have done all the right things by adding SPNs for the service account, but there is one more step in IIS that you need to take to ensure that the application pool credentials are actually being used.
Click on the website and in the center panel, click on Configuration Editor. Navigate to "system.webServer/security/authentication/windowsAuthentication" and here set "useAppPoolCredentials" to true and "useKernelMode" to false.
Follow this article for more info - https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
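The SPN check and the IIS change from this answer, scripted in PowerShell as an added example (not from the original post or the linked article). It assumes the site is named 'Default Web Site', the pool account is mydomain\serviceaccount and the host name is contoso; it must run elevated on the IIS server.

```powershell
# Added example: assumes site 'Default Web Site', pool account
# mydomain\serviceaccount and host name contoso (all from the question).

# 1. Search the forest for duplicate SPNs. The same HTTP/contoso SPN
#    registered on two accounts (e.g. the server's computer account and
#    the service account) is the usual cause of a 401 with Kerberos.
setspn -X

# 2. Confirm which single account holds each SPN the site needs.
setspn -Q HTTP/contoso
setspn -Q HTTP/contoso.com

# 3. List what is registered on the service account itself.
setspn -L mydomain\serviceaccount

# 4. Tell IIS to decrypt Kerberos tickets with the application pool
#    identity (not the machine account) and turn off kernel-mode auth,
#    which is what the Configuration Editor steps above do.
Import-Module WebAdministration
$site   = 'Default Web Site'
$filter = 'system.webServer/security/authentication/windowsAuthentication'

Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $filter -Name 'useAppPoolCredentials' -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $filter -Name 'useKernelMode' -Value $false

# 5. Read the effective values back to confirm the change landed.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter $filter |
    Select-Object useAppPoolCredentials, useKernelMode
```

After the change, a successful Kerberos logon for the site shows up in the server's Security log as a 4624 event with authentication package Kerberos rather than NTLM.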
Scenario:
I have a console application that needs to access a network share with read/write permissions.
There are no problems when I run it manually.
The problem:
When I add this application as a job in my quartz.net server, it cannot access the share. I do not have access to change permissions on the network share, so basically I need my quartz job or if necessary my quartz server to run jobs as me (or as a user that has the proper permissions).
Any ideas on how to accomplish this?
Thanks
You need to change the user that the service is run as (so this actually isn't a Quartz.NET issue). Open the service properties in Services and change the user from SYSTEM or NETWORK SERVICE to some named user account that has the proper rights to the network share.
You can also use impersonation to change the user you're running as on the fly.