IIS 10 System.Security.Cryptography.CryptographicException: Access denied - identityserver3

I'm current using this sample as my test bed.
IdentityServer3.Samples/source/MembershipReboot/
I've assigned the correct permissions and read several other posts about this problem but I still get access denied.
My IIS app is running under applicationpoolidentity.

I suggest you to use IIS Local instead of Express to have more control with security. I hope you will get success with this following steps:
Install the certificate in the Personal directory of the Current User. (Help)
Assign a dedicated application pool to the IdSrv3 virtual application or website. (Help)
Assign your user as the identity of the dedicated application pool. (Help)
The user that run IIS must have the read rights on the certificates store where you put it. ApplicationPoolIdentity does not have this rights.

Related

Drools Invalid credentials to load data from remote server. Contact your system administrator

Whenever I try to open process definition in drools , Getting the Below Error
Invalid credentials to load data from remote server. Contact your system administrator.
I have given all permissions to role permission to user but still this error shows up.
While many details from your problem are not clear, here is the bottom line of this issue.
You are logging into the business-central with user 'nithish'. This user, will be used in the remote REST requests to your kie server instance. This means that user 'nithish' needs to exists on the kie-server side as well - otherwise kie-server will not recognise that user, thus authentication will fail. He needs to be created there with the same password and same roles as are present on the business-central side. I would advise at least
kie-server, rest-all,admin
roles.
The server you've installed your business central on has no access rights.

Windows Virtual Accounts to run desktop applications

I recently came across an interesting feature of Windows PowerShell JEA (Just Enough Administration) which by default makes use of Windows virtual accounts to run the remote end point in admin context. I also understand these virtual accounts are created ephemeral for that session and get destroyed when the session ends. This also by default has the local admin rights on the machine for that session while the user running the session is a standard user who can carry out privileged operations using that virtual admin account.
This got me into thinking - we have a few apps in our organisation which sadly need local admin rights to run. We are reluctantly granting admin rights for the users of those apps. So I was wondering if there is a way through PowerShell we can create this Virtual account for the duration of however long that application runs? What I am thinking is some sort of wrapper PowerShell which is targeted by the application shortcut which would internally first spin up this virtual account to run that app as? I am assuming we need to configure some sort of one-off constrained custom app-specific JEA endpoint during the installation of the application. Then again, if the app requires the launching user's context to access back-end database etc. I am not sure how that would be taken into account.
I was just wondering if you have any clever thoughts? Thanks, Steve

Kentico sync and AD authentication

My target site needs AD auth to browse and use the admin portal. All is fine there. This means syncing to this server via username and password authentication doesn't work. Does this mean i need to enable x.509 authentication?
If you mean using the Staging Module, the staging module's "Username and password" really is not linked to the actual CMS Users. You can put whatever Username and Password on the Destination server, and connect to it from the Source.
x.509 is also fine.
Tell me if you aren't talking about the Staging Module though.
You may need to do 1 of 2 things:
Enable mixed mode authentication. Yes the overall authentication doesn't need to use a physical cms_user user but since you have AD Authentication enabled, anytime another user or service tries to access a system page it may require them to log in.
Create a web.config location node in your /CMSPages/Staging/web.config file that excludes anyone or everyone to access a the SyncServer.asmx page within there.
Otherwise configure the x.509 certificate setup.

Call Microsoft Graph API - App only unauthorized error

I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:

IIS accessing resources via logged in user and NOT pool identity. How to enforce POOL Identity

I have a classic asp website with following IIS settings:
1. windows authentication is enabled
2. Impersonation is disabled, so are anonymous and basic authentication
3. App pool is .Net 4.0, Integrated pipeline with a custom Process model identity. This identityt is given exclusive full access to unc local and network shares, batch files etc
The asp application
1. displays user information of the user logging intot he web application,
2. accesses the above mentioned shares to display reports,
3. creates reports by calling DLLs which POST to an asp file in this web application (uing webrequest) and get XMl and write the XML to the share.
The issue I am facing is all the above calls are being made on the behalf of the application user instead of the Process Model Identity User in the app pool. Because of this, most of requests throw up Permission denied or 401 errors.
QUESTION: How can we configure the web site so that the calls made can be on behalf of the app pool user only?