.net windows authentication - strange issue after user change AD account - windows-authentication

I have a project with Windows authentication and everything works fine. The issue I am having is with a specific user who had his AD account changed.
After the account change he hasn't been able to log in. I looked into his AD account and everything looks the same as mine.
The strange thing is that it worked fine on localhost. I also haven't made any changes to IIS, if that helps.
Any ideas?
Thanks

I had to recycle the pool to recreate the LSA lookup cache; if you can't recycle the pool you can do the following:
http://support.microsoft.com/kb/946358
Found it here:
IIS Returning Old User Names to my application
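The two fixes the answer describes (recycle the pool, or flush the LSA lookup cache as in KB 946358), written out as an added PowerShell example that is not part of the original answer. The pool name and the account name are assumptions; the registry key and value name are the ones KB 946358 documents, and the last lines show how to confirm which name the server now resolves for the renamed account, since a stale SID-to-name mapping is what makes IIS hand the application an old user name.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$PoolName = 'DefaultAppPool'        # assumption: the pool hosting the Windows-auth application

# Option 1: recycle the pool so the worker process rebuilds its cached SID/name lookups.
if (Test-Path "IIS:\AppPools\$PoolName") {
    Restart-WebAppPool -Name $PoolName
    Write-Host "Recycled application pool '$PoolName'."
}

# Option 2 (when a recycle is not possible): shrink the LSA lookup cache to 0 entries,
# which discards it, then restore the previous setting. Key and value name per KB 946358;
# according to that article the change takes effect without a reboot.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LsaLookupCacheMaxSize'
$previous  = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

Set-ItemProperty -Path $LsaKey -Name $ValueName -Value 0 -Type DWord
Start-Sleep -Seconds 5              # give LSA a moment to observe the new size and drop entries

if ($null -eq $previous) {
    # the value did not exist before, so the default cache size is restored by removing it
    Remove-ItemProperty -Path $LsaKey -Name $ValueName
} else {
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $previous -Type DWord
}

# Verify the mapping the application will now see: account -> SID -> account.
$account = 'DOMAIN\renamed.user'    # assumption: the affected user's current account name
$sid  = (New-Object System.Security.Principal.NTAccount($account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$name = $sid.Translate([System.Security.Principal.NTAccount]).Value
"$account -> $($sid.Value) -> $name"
```

If the last line still prints the old account name, the stale entry is not in this server's LSA cache but on the domain controller side, and that is where to look next.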

Related

Obtaining list of servers where a Group Managed Service Account is installed

I have a whole bunch of gMSAs used throughout my org. I'm able to see through AD which machines have permission to install the gMSA, but I cannot find a way to see which machines have actually gone through the Install-ADServiceAccount step to have the gMSA installed.
An older post, How can I see if a Groupmanaged Service Account is installed with Install-ADServiceaccount?, suggests using Get-ADServiceAccount and checking the HostComputers property, but I only see this populated for MSAs. For gMSAs it's blank.
Any ideas on how I can get this without needing to connect to each machine and run Test-ADServiceAccount for each permitted gMSA (especially given all the PSRemoting and network access problems that causes)? A WMI/CIM query I could run would be second best to actually getting the data centrally from AD.
Thanks for any help.
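An added PowerShell example (not from the original post) that gets as far as AD alone allows: for every gMSA it expands PrincipalsAllowedToRetrieveManagedPassword, which may contain computers or groups, into the list of computers that are permitted to fetch the password. AD records only that permission, not whether Install-ADServiceAccount was run, so the optional second step still has to ask each host with Test-ADServiceAccount over PSRemoting; it is behind a switch so the central part can run on its own. Cmdlet names are the standard ActiveDirectory module ones; the report layout is my own.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-GmsaPermittedHosts {
    # Expand the DNs in PrincipalsAllowedToRetrieveManagedPassword into computer objects.
    param([Parameter(Mandatory)] $ServiceAccount)
    foreach ($dn in $ServiceAccount.PrincipalsAllowedToRetrieveManagedPassword) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        switch ($obj.objectClass) {
            'computer' { Get-ADComputer -Identity $dn }
            'group'    {
                Get-ADGroupMember -Identity $dn -Recursive |
                    Where-Object objectClass -eq 'computer' |
                    ForEach-Object { Get-ADComputer -Identity $_.distinguishedName }
            }
        }
    }
}

# $true runs Test-ADServiceAccount on every permitted host via Invoke-Command
# (each host needs the ActiveDirectory module and WinRM reachable from here).
$CheckHosts = $false

$gmsas = Get-ADServiceAccount -Filter 'objectClass -eq "msDS-GroupManagedServiceAccount"' `
            -Properties PrincipalsAllowedToRetrieveManagedPassword

$report = foreach ($gmsa in $gmsas) {
    foreach ($computer in Get-GmsaPermittedHosts -ServiceAccount $gmsa) {
        $installed = $null
        if ($CheckHosts) {
            $installed = Invoke-Command -ComputerName $computer.DNSHostName -ScriptBlock {
                param($name) Test-ADServiceAccount -Identity $name
            } -ArgumentList $gmsa.Name -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            gMSA      = $gmsa.Name
            Host      = $computer.Name
            Permitted = $true
            Installed = $installed   # $null when $CheckHosts is $false or the host was unreachable
        }
    }
}

$report | Sort-Object gMSA, Host | Format-Table -AutoSize
```

The Permitted column is the one worth auditing regularly even without the remote check: every computer that appears there can retrieve the gMSA password, whether or not anyone ever installed the account on it, so group membership in those principals deserves the same review as the service account itself.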

TF400813: The user '' is not authorized to access this resource

I have my own private organization and repositories.
I also have multiple directories and all of them work except for the "Microsoft account" directory.
I am able to log into Azure Devops no problem using the Microsoft account directory.
I see my organization and I can go through my repositories, agents, pipelines, everything.
However, I can't change anything. All I get is the error or screens that don't load fully.
It's like it's in read-only mode.
I went into user settings to check permissions and it lets me in but only so far. It stops loading user lists after selecting groups.
It shows me groups and permissions for everything, however.
When I try and generate a PAT, the screen sits there and says "Loading Tokens..."
The error I see everywhere and in the network responses is:
$id: "1"
innerException: null
message: "TF400813: The user '' is not authorized to access this resource."
typeName: "Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server"
typeKey: "UnauthorizedRequestException"
errorCode: 0
eventId: 3000
Exactly like that, nothing there between the quotes.
It also shows up in Red text with just this message:
TF400813: The user '' is not authorized to access this resource.
To resolve this I have done the following:
Logged out of devops entirely, which seems to log me out of several services.
Switched between my AD accounts while logged in.
I've rebooted my machine (I first started seeing this in VS, so I updated and rebooted as part of that).
Anything I'm missing here?
message: "TF400813: The user '' is not authorized to access this resource."
This looks more like the anonymous access error, as you said that there's nothing between the quotes.
In Azure DevOps, e.g. PAT generation, most services have their own security module. When a user wants to make use of them, they must first pass the identity check. If the system identifies your visit and operations as anonymous, it will look like read-only.
We once handled such an issue and found it was due to a proxy blocking the traffic, which also led him to get the same error when accessing Azure DevOps with VS Code (similar to yours).
You need to confirm whether there is any proxy configured on your side.
If there's no proxy set but you still have this issue: since Stack Overflow is an open forum but this is an identity issue, I strongly suggest you contact here and also attach the info below:
Activity id: You can see this in the Headers of the Network tab. For our backend, we can use this id to check the exact stack trace.
Org name and account name.
Fiddler trace. The most useful info we need is the Fiddler trace.
I tried a few options like setting the PAT in interactive screen or via environment variable or by storing it in a file and echoing that file content to the az devops login or az pipeline create command as mentioned in
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&viewFallbackFrom=vsts&tabs=preview-page#create-personal-access-tokens-to-authenticate-access
However, none of them worked. Finally it worked after I changed the token (PAT) in the file
/home//.azure/azuredevops/personalaccesstoken.
Try to sign out and then sign in again;
it worked for me.

Keycloak role-ldap-mapper sync

I am struggling with the Keycloak role-ldap-mapper. We have an Active Directory service internally where users can ask for roles. Roles are assigned/removed by another tool and saved into the memberOf attribute in AD.
Keycloak imports the roles correctly at the user's first login, but somehow when the user already exists and roles are updated in AD, they are not synchronized to Keycloak. I just want roles to be synchronized regularly from AD to Keycloak, not the other way around (I am not supposed to write into the AD).
Is it a bug? Works as designed, or am I configuring something the wrong way?
I am running 2 instances, versions 3.1.0 and 3.4.1.
I already played around with the LDAP periodic synchronize changed/full feature, but with no success.
Do I have to specify the memberOf attribute somehow specifically to be synchronized?
Thanks for the help.
Solution found:
I have updated Keycloak to the newest version (3.4.3). Now it works for me. Seems to be an issue in the previous versions.

Kentico 9 sync 401 when target is AD auth

How can I avoid the 401 error, access denied, when I try to perform a sync from one environment to another? I think there is an edit to the web.config that will allow this, but I am not sure what I need. I came across the same question on DevNet, but there wasn't an answer: https://devnet.kentico.com/questions/content-staging-windows-authentication-problem.
I got this to work. Sync points to /CMSPages/Staging/SyncServer.asmx. In IIS, I adjusted the Authentication on CMSPages. I enabled Anonymous and disabled Windows Auth.
I did this on my DEV instance, and I'm syncing from PROD. So far, so good.
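The IIS change from the answer, as an added PowerShell example that is not part of the original answer. It scopes the change to the staging service path rather than all of CMSPages, writes it as a <location> entry in applicationHost.config (the authentication sections are locked at server level, so site-level web.config edits are refused), and then reads the effective settings back at the site root and at the staging path so you can confirm Windows authentication is still enforced everywhere else. The site name is an assumption.

```powershell
# Added example (not from the original answer). Run elevated on the target (receiving) server.
Import-Module WebAdministration

$SiteName = 'Default Web Site'            # assumption: the IIS site hosting the target Kentico instance
$Location = "$SiteName/CMSPages/Staging"  # narrower than the answer's CMSPages: only the sync service
$AppHost  = 'MACHINE/WEBROOT/APPHOST'     # locked sections must be written as <location> entries here

$WinAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$AnonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

# Windows auth off, Anonymous on, for the staging service path only
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $WinAuth  -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $AnonAuth -Name enabled -Value $true

# Verify: effective settings at the site root and at the staging path
foreach ($loc in $SiteName, $Location) {
    [pscustomobject]@{
        Location  = $loc
        Windows   = (Get-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $WinAuth  -Name enabled).Value
        Anonymous = (Get-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $AnonAuth -Name enabled).Value
    }
}
```

Once IIS no longer authenticates callers of SyncServer.asmx, the only thing guarding it is the staging user/credentials the second answer asks about, so set those on both sides and serve the endpoint over HTTPS; the verification table should show Windows = True for the site root and False only for the staging path.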
Did you set up the Staging user / credentials properly on the target and set them properly on the source site?
Is staging enabled on the target server?
Do both environments have Full Access/Control for their app pool process?
Is it only some tasks or all tasks that you get this for?
Is basic authentication also allowed on the sites (may be needed, but unsure on that)?

How can I add a service account to IIS8?

Actually I need to access another folder on a different server on the same network. I am planning to create a kind of Active Directory user to work with the web server and my data server. How can I add it to my IIS 8?
I can't find any link to add access in the Authentication section of IIS.
Appreciate any help.
OK, I found the solution! Simple as a few clicks!!!
You can do it by following my guide:
Select Application Pools in IIS 8
Right click on the related pool and select Advanced Settings
Find Identity under the Process Model section
Set your credentials in the Custom account section.
It is done, and don't forget to recycle the application pool and restart your web services.
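The same Advanced Settings change made with PowerShell, as an added example that is not part of the original answer. The pool and account names are assumptions; the password is prompted for with Get-Credential instead of being written into the script, and the last command reads the stored identity back (IIS does not echo the password) so the change can be verified.

```powershell
# Added example (not from the original answer). Run elevated on the IIS 8 server.
Import-Module WebAdministration

$PoolName = 'MyAppPool'         # assumption: the pool behind the web application
$Account  = 'CORP\svc-webapp'   # assumption: a dedicated domain account used only for this pool
$cred     = Get-Credential -UserName $Account -Message 'Password for the application pool identity'

# Equivalent of Identity -> Custom account in Advanced Settings.
# The hashtable writes identityType, userName and password in one operation.
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# The answer's recycle step, so the worker process restarts under the new account
Restart-WebAppPool -Name $PoolName

# Verify what IIS now stores for the pool
Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel |
    Select-Object identityType, userName
```

On the data server, grant that account only the share and NTFS rights it needs on the one folder; the worker process runs as it for every request, so it should hold no other privileges. Where the environment already uses gMSAs (as the question further up this page does), a gMSA is the password-less alternative for the same identity setting.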