Kentico 9 sync 401 when target is AD auth - web-config

How can I avoid the 401 error, access denied, when I try to perform a sync from one environment to another? I think there is an edit to the web.config that will allow this, but I am not sure what I need. I came across the same question in DevNet, but there wasn't an answer. https://devnet.kentico.com/questions/content-staging-windows-authentication-problem.

I got this to work. Sync points to /CMSPages/Staging/SyncServer.asmx. In IIS, I adjusted the Authentication on CMSPages. I enabled Anonymous, and disabled Windows Auth.
I did this on my DEV instance, and I'm syncing from PROD. So far, so good.

Did you set up the Staging user / credentials properly on the target and set them properly on the source site?
Is staging enabled on the target server?
Do both environments have Full Access/Control with their app pool processor?
Is it only some tasks or all tasks that you get this?
Is basic authentication also allowed on the sites (may be needed, but unsure on that)?

Related

Issues Changing Azure DevOps Project Level Service Connection Security Users/Roles

As the Azure DevOps admin at my organization I want to automate our standards for Service Connection security, but I'm at a standstill because I can't seem to make straightforward changes to Project level Service Connection security manually via the ADO web portal.
Specifically, if I go to an ADO Project, go to Service Connections under Project Settings, and open up the Security page for it, I see a number of "Assigned" groups, each of which I can change and save the Role of (i.e. to Administrator, Creator, Reader, or User). All's fine and dandy there. However, if I "+Add" a user/group, it defaults to "Inherited" Access and when I change and save to a role other than the original one I added it with, the changes don't take. Likewise, there's no way to remove any user/group that's been added.
Has anyone else run into this issue? And if so what's the solution? And why are new users at the project level being marked as "inherited" and if they're inheriting from somewhere, from where?
Tried adding a new user at the ADO Project Service Connection Security level. Tried changing user Role. Changes don't take. Can't remove user.

How can I give server access to my Developer?

I have an AWS EC2 server with my app backend and database there.
My new developer needs to upload a few things to the database and update backend code, but I don't want to give him the PEM.
He needs to SSH.
What's the best possible way to do it? I was thinking of creating an IAM User for him, but I only want to give him SSH access, so what permission would that be? I could only find a general full permission EC2 which would also give him permission to edit the Security Group and things like that.
I do trust him well, but I just don't want to give him full access in general.
What can I do?
Why not allow your developer to connect using Session Manager?
If you use this he can access the environment either in his browser or via the AWS CLI.
He should be able to mimic a regular session but without having the key, then when he's done you remove the permissions of the server. You can also enable logging to check the history of his sessions actions.
If you want to update code you should at some point take a look at using CodeDeploy to have the code automatically rolled out without even accessing the server.
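Added example, not part of the question or answer above: a Python sketch of an IAM policy that lets one IAM user open Session Manager sessions on a single instance, with a simplified check showing that it does not grant the security-group permissions a blanket `ec2:*` policy would. The region, account ID and instance IDs are constructed placeholders, and it assumes the instance already runs the SSM Agent with an instance profile that permits Session Manager.

```python
import fnmatch

def session_manager_policy(region, account_id, instance_id):
    """IAM policy for one IAM user: Session Manager shell on one instance only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Open a session, but only on the named instance.
                "Effect": "Allow",
                "Action": ["ssm:StartSession"],
                "Resource": [f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"],
            },
            {   # Resume or end only sessions this user started (assumption:
                # an IAM user, whose session IDs begin with the user name).
                "Effect": "Allow",
                "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
                "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"],
            },
        ],
    }

# The grant the question wants to avoid: every EC2 action on every resource.
BROAD_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]}],
}

def allows(policy, action, resource):
    """Simplified evaluation: True if an Allow statement matches action and
    resource. Ignores Deny, conditions and policy variables."""
    action = action.lower()  # IAM action names are case-insensitive
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a.lower()) for a in stmt["Action"])
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"])
        if action_ok and resource_ok:
            return True
    return False

# Constructed placeholder identifiers, not values from the post.
REGION, ACCOUNT = "eu-west-1", "111122223333"
BACKEND = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0123456789abcdef0"
OTHER = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0fedcba9876543210"
SEC_GROUP = f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/sg-0123456789abcdef0"
DEV_POLICY = session_manager_policy(REGION, ACCOUNT, "i-0123456789abcdef0")
```

Detaching the policy from the user ends the access without rotating any key pair.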

TF400813: The user '' is not authorized to access this resource

I have my own private organization and repositories.
I also have multiple directories and all of them work except for the "Microsoft account" directory.
I am able to log into Azure Devops no problem using the Microsoft account directory.
I see my organization and I can go through my repositories, agents, pipelines, everything.
However, I can't change anything. All I get is the error or screens that don't load fully.
It's like it's in read-only mode.
I went into user settings to check permissions and it lets me in but only so far. It stops loading user lists after selecting groups.
It shows me groups and permissions for everything, however.
When I try and generate a PAT, the screen sits there and says "Loading Tokens..."
The error I see everywhere and in the network responses is:
$id: "1"
innerException: null
message: "TF400813: The user '' is not authorized to access this resource."
typeName: "Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server"
typeKey: "UnauthorizedRequestException"
errorCode: 0
eventId: 3000
Exactly like that, nothing there between the quotes.
It also shows up in Red text with just this message:
TF400813: The user '' is not authorized to access this resource.
To resolve this I have done the following:
Logged out of devops entirely, which seems to log me out of several services.
Switched between my AD accounts while logged in.
I've rebooted my machine (I first started seeing this in VS so I updated and rebooted as part of that).
Anything I'm missing here?
message: "TF400813: The user '' is not authorized to access this resource."
This looks more like the anonymous access error as you said that there's nothing between the quotes.
In Azure DevOps, e.g. for PAT generation, most services have their own security module. When a user wants to make use of them, they must first pass the identity check. If the system identifies your visits and operations as anonymous, it will look like read-only.
We once handled such an issue and found it was due to a proxy blocking the traffic, which also led him to get the same error when accessing Azure DevOps with VS Code (similar to yours).
You need to confirm whether there is any proxy configured on your side.
If there's no proxy set but you still have this issue: since Stack Overflow is an open forum and this is an identity issue, I strongly suggest you contact here and attach the info below as well:
Activity id: You can see this in the Headers of Network. For our backend, we can use this id to check the exact stack trace.
Org name and account name.
Fiddler trace. The most useful info we need is the Fiddler trace.
I tried a few options like setting the PAT in interactive screen or via environment variable or by storing it in a file and echoing that file content to the az devops login or az pipeline create command as mentioned in
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&viewFallbackFrom=vsts&tabs=preview-page#create-personal-access-tokens-to-authenticate-access
However none of them worked. Finally it worked after I changed the token (PAT) in the file
/home//.azure/azuredevops/personalaccesstoken.
Try to sign out and then sign in again;
it worked for me.

Trying to run VSTS agent thru a proxy which limits sites

Have installed VSTS agent in a very locked down environment. It makes a connection to VSTS, gets job but fails when downloading artefact. Gives error
Error: in getBuild, so retrying => retries pending : 4.
It retries 4 times and fails.
The agent is going thru a proxy. Have set up the proxy using ./config --proxyurl and also set HTTP_PROXY and HTTPS_PROXY system environment vars.
The proxy is very limiting in that URLs are locked down; there is no authentication required. Does anybody know what URLs the agent accesses? Am hoping that if I can get a definitive list this will solve the issue. If anybody knows how I can get a list, that would be great. Or maybe I have misconfigured?
Any ideas?
According to the document "I'm running a firewall and my code is in Azure Repos. What URLs does the agent need to communicate with?":
To ensure your organization works with any existing firewall or IP
restrictions, ensure that dev.azure.com and *.dev.azure.com are open
and update your allow-listed IPs to include the following IP
addresses, based on your IP version. If you're currently allow-listing
the 13.107.6.183 and 13.107.9.183 IP addresses, leave them in place,
as you don't need to remove them.
And with just the organization's name or ID, you can get its base URL using the global Resource Areas REST API (https://dev.azure.com/_apis/resourceAreas). This API doesn't require authentication and provides information about the location (URL) of the organization as well as the base URL for REST APIs, which can live on different domains.
Please check the document "Best practices for working with URLs in Azure DevOps extensions and integrations" for some more details.
Hope this helps.
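Added example, not part of the answer above: a Python sketch that turns a saved Resource Areas response into the host list a URL-restricting proxy would need, grouped by the areas served from each host. The sample response is constructed (the organization name `fabrikam`, the area list and the deliberately malformed last entry are placeholders), and the function name is hypothetical.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample shaped like a resourceAreas response; not real data.
SAMPLE_RESPONSE = json.dumps({"count": 5, "value": [
    {"id": "00000000-0000-0000-0000-000000000001", "name": "build",
     "locationUrl": "https://dev.azure.com/fabrikam/"},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "git",
     "locationUrl": "https://dev.azure.com/fabrikam/"},
    {"id": "00000000-0000-0000-0000-000000000003", "name": "release",
     "locationUrl": "https://vsrm.dev.azure.com/fabrikam/"},
    {"id": "00000000-0000-0000-0000-000000000004", "name": "packaging",
     "locationUrl": "https://pkgs.dev.azure.com/fabrikam/"},
    {"id": "00000000-0000-0000-0000-000000000005", "name": "broken",
     "locationUrl": "http://example.invalid/"},
]})

def proxy_allow_list(response_text):
    """Return ({host: [area names]}, [skipped area names]).

    Only HTTPS locations are accepted; anything else is reported for manual
    review instead of being added to the proxy allow-list.
    """
    areas_by_host = defaultdict(set)
    skipped = []
    for area in json.loads(response_text).get("value", []):
        name = area.get("name", "?")
        url = urlsplit(area.get("locationUrl", ""))
        if url.scheme != "https" or not url.hostname:
            skipped.append(name)
            continue
        areas_by_host[url.hostname.lower()].add(name)
    hosts = {host: sorted(names) for host, names in sorted(areas_by_host.items())}
    return hosts, skipped

if __name__ == "__main__":
    hosts, skipped = proxy_allow_list(SAMPLE_RESPONSE)
    for host, names in hosts.items():
        print(f"{host}\t{', '.join(names)}")
    print("needs review:", skipped)
```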

.net windows authentication - strange issue after user change AD account

I have a project with Windows authentication and everything works fine. The issue I am having is with a specific user that had his AD account changed.
After the account change he hasn't been able to log in. Looked into his AD account and everything looks the same as mine.
The strange thing is it worked fine in the localhost. I also haven't made any change to the IIS if that helps.
Any ideas?
Thanks
I had to recycle the pool to create the cache for LSA lookup cache. If you can't recycle the pool, you can do the following:
http://support.microsoft.com/kb/946358
Found it here:
IIS Returning Old User Names to my application