Kerberos - kredentials - kerberos

I have a different login name on the server than the local machine login name, but the correct login name shows in kredentials.
When I click on get new credential action, I am getting "Unable to run aklog". What could be the reason?

If you are not using AFS, then you can disable running aklog in kredentials' popup menu (available in kredentials 2.0-pre3 or later, released in January 2012).

Related

AD - What is the meaning of the "Pwd-last-set" attribute for a Windows Server?

This question follows an audit on my AD where Windows servers with very old PasswordLastSet attributes have been discovered.
I'm familiar with using the Pwd-last-set attribute in order to check when an AD user has last changed his password. But what does this attribute mean when talking about a computer-type object like a laptop or a Windows server?
The Microsoft documentation states it is "The date and time that the password for this account was last changed". I don't think this means the local administrator of the computer, since I've clearly not changed mine at the date my Pwd-last-set attribute indicates.
Finally, if it isn't the local administrator nor my account, how can I set a new password that will refresh the attribute?
EDIT
So the password is actually the Machine Account password used for communication between the computer/server and the DC.
It's supposed to be renewed every 30 days on default Windows settings, controlled through the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
I still don't have a way to easily force the renewal of this password but found some leads:
Set MaximumPasswordAge in the registry to a low number and restart the machine
Use the "Reset Account" option when right-clicking the object in Active Directory -> What are the consequences for a server?
Use the Reset-ComputerMachinePassword PowerShell command -> What are the consequences for a server?
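As an added example (not part of the question above), the following PowerShell audits machine-account password age across the domain, reads the Netlogon settings that govern rotation on a suspect member, and rolls the password from that member. It assumes the ActiveDirectory module (RSAT) on the auditing host and runs the reset on the member itself; the DC name, credential prompt and 90-day threshold are placeholders. The practical difference between the two leads: Reset-ComputerMachinePassword is run on the member and updates both its local secret and the AD object, so the secure channel stays valid and no reboot or rejoin is needed, whereas "Reset Account" in ADUC resets only the AD side, which breaks the member's trust until it is rejoined.

```powershell
# Added example: machine-account password audit and rotation (not from the question).
# Assumes RSAT ActiveDirectory module for steps 1 and 4, and that step 2/3 run
# on the member whose PasswordLastSet is stale. DC and credential are placeholders.
Import-Module ActiveDirectory

# 1. Enabled computer objects whose machine-account password is far older than
#    the default 30-day rotation (90 days is a chosen audit threshold).
$cutoff = (Get-Date).AddDays(-90)
Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet |
    Sort-Object PasswordLastSet

# 2. On a stale member: the Netlogon values that control rotation.
#    DisablePasswordChange = 1 stops the member from ever rotating;
#    MaximumPasswordAge is in days and absent means the 30-day default.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $netlogon |
    Select-Object DisablePasswordChange, MaximumPasswordAge

# 3. Roll the password from the member. If the secure channel is already
#    broken, repair it instead (Reset-ComputerMachinePassword needs a working
#    channel to the DC).
$cred = Get-Credential -Message 'Account allowed to reset this computer object'
if (Test-ComputerSecureChannel) {
    Reset-ComputerMachinePassword -Server 'dc01.example.com' -Credential $cred
} else {
    Write-Warning 'Secure channel broken; repairing instead of resetting.'
    Test-ComputerSecureChannel -Repair -Credential $cred
}

# 4. Confirm the attribute moved on the AD object.
Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet |
    Select-Object Name, PasswordLastSet
```

Run step 3 in an elevated prompt on the member; a stale PasswordLastSet on a server that is otherwise healthy usually means DisablePasswordChange was set (often by imaging or a GPO), so check step 2 before resetting.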

Invoke-RestMethod Authentication Fails on local server

I have a WebApi (.Net Core 2, Windows Authentication) endpoint that I can successfully call from many combinations of PS/Windows versions:
Invoke-RestMethod -Uri https://<fqdn>/api/notification -UseDefaultCredentials
But when I run it locally on the server hosting the web application (using same AD account) it fails to authenticate. IIS logs for requests from other computers show the user account making the request, but the local requests show empty value for that field.
PS error:
HTTP Error 401.1 - Unauthorized: You do not have permission to view this directory or page using the credentials that you supplied.
IIS log entry:
2018-06-12 21:42:31 GET /api/notification - 443 - Mozilla/5.0+(Windows+NT;+Windows+NT+6.3;+en-US)+WindowsPowerShell/5.1.14409.1012 - 401 1 3221225581 0
An entry from any other machine besides the local server would have the DOMAIN\User after the port number and would be successful.
Disable strict name checking. The following is a summary from the article:
https://www.andrewcbancroft.com/2016/01/21/401-unauthorized-browsing-site-from-local-iis-instance/
Steps...
Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, refer to article 281308 in the Microsoft Knowledge Base.
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Quit Registry Editor, and then restart the IISAdmin service. (to do this, I ran iisreset from a Powershell prompt)
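The same registry changes as a script, added here as an example (not part of the answer above), so the exact values are recorded rather than typed into regedit. It assumes an elevated PowerShell prompt on the IIS host; the host names are placeholders. BackConnectionHostNames is the targeted fix: it whitelists only the listed names, whereas the frequently suggested DisableLoopbackCheck=1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa turns the loopback (reflection) protection off for every name on the machine and should be avoided on a server.

```powershell
# Added example: loopback-check exception for local IIS sites (not from the answer).
# Assumes elevated PowerShell on the IIS host. Host names are placeholders:
# list every name clients (and local scripts) use to reach this box.
$hostNames = @('webapp.example.com', 'webapp')

# (a) Strict name checking on the server service (KB 281308). Only needed when
#     the box is reached by a name that is not its computer name.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name DisableStrictNameChecking -Value 1 -Type DWord

# (b) Loopback-check exception for exactly these names (REG_MULTI_SZ).
#     Merge with any names already configured rather than overwriting them.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$existing = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged = @(@($existing) + $hostNames | Where-Object { $_ } | Sort-Object -Unique)
New-ItemProperty -Path $msv -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null

# (c) Restart IIS so the change is picked up, then verify from the server itself.
#     A successful call now logs DOMAIN\User in the IIS log instead of "-".
iisreset
Get-ItemProperty -Path $msv -Name BackConnectionHostNames
Invoke-RestMethod -Uri "https://$($hostNames[0])/api/notification" -UseDefaultCredentials
```

If the local call still returns 401 after this, check that the name used in the URI is exactly one of the names in the value (the check is by host name, not by IP).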

Can not log in to Management Console

I have set up JBoss Fuse, created a fabric and installed the fabric:web feature as explained in the resource Using the Management Console. I can browse http://hostName:8181 and it shows the Management Console login screen.
However, whichever user/pass combination I try, the response is "Failed to log in, Forbidden". It also shows an icon with an exclamation mark, when I click that I see the following messages appear:
[Branding] enabled branding
[Core] Management Console started
That does not help much either. How do I know what login combination I should use? It is not clear to me what I am logging into in the first place.
In your fuse install folder under /etc there is a file called user.properties. Is the user admin with password admin filled in? If not, then at least admin user should be allowed.
If yes, try simply restarting the server. I am not sure why, but that has helped in some cases for me. Do an osgi:shutdown and then start it again.
Have you tried admin/admin?
I believe those are the default credentials.

Get Logged On User IBM Personal Communications in VBScript Macro

We use IBM Personal Communications iSeries Access for Windows version 6.0. When you launch the program you initially get a log-on prompt that lets you enter a server, user name and password.
It then gives you the log on screen to the server itself and you have to log on a second time. Between the two log ons I'm trying to work out a "Startup Macro"
I don't have anything in it right now because I cannot figure out how to get ONE particular value from the Session, the USER NAME.
I can get the screen title, session name, macro name, but I can NOT for the life of me figure out how to get the user name. I've tried every possible combination of strings and "variable" names I can think of, and nothing.
I've searched the web and all I can ever find is how to record and auto logon to the green screen which is not what I want.
To be clear I just need the Username used to logon to the Personal Communications iSeries Access for Windows program, pre green-screen logon.
It's important to note that IBM i Access for Windows is much more than just the 5250 emulator. There's an ODBC driver, a printer emulator, AFP printer drivers and the graphical Navigator for i. That IBM i signon popup doesn't come from the 5250 emulator. It comes from a lower level IBM i Access for Windows process. Try it yourself. Reboot the PC. Don't start the emulator. DO start IBM i Navigator for Windows. You'll get the signon popup.
It looks like you are trying to automate a 'no signon' signon. The user name is probably stored in the registry, depending on the version of Windows you are using and the version of IBM i Access for Windows.
Windows 7: Start > All Programs > IBM i Access for Windows > IBM i Access for Windows Properties. Choose the Administration System tab and you'll see the server and user.
Registry: HKCU\Software\IBM\Client Access Express\CurrentVersion\AS400 Operations Navigator\Application Administration\CurrentAdminSysUser\My Connections
I think, for this, you need to get into the ActiveX Control that comes with iSeries Access. This little C# code snippet should work:
using System;
using cwbx;   // COM interop namespace for cwbx.dll (IBM i Access for Windows)

AS400System sys1 = new AS400System();
sys1.Define("mySystemNameHere");   // system name as configured in IBM i Access
// Connect only if no service is connected yet; this is where the signon
// dialog appears when the user has not connected since logging in.
if (sys1.IsConnected(cwbcoServiceEnum.cwbcoServiceAny) != 1)
{
    sys1.Connect(cwbcoServiceEnum.cwbcoServiceTelnet);
}
String user = sys1.UserID;   // the user ID used for the IBM i signon
sys1.Disconnect(cwbcoServiceEnum.cwbcoServiceAll);
You'll need to find cwbx.dll and add it as a reference to your project.
If the user is already connected from another application, no dialog will appear. The program will connect, get the connected user id, and then disconnect. If the user has never connected since logging in, then a logon dialog will appear.

'DefaultAppPool' is being automatically disabled due to a series of failures

Having a tough time with this issue. Not sure how but my ApplicationPoolIdentity is broken.
Currently I'm running IIS 8 on Windows 8 with Visual Studio 2012. When trying to debug an application from Visual Studio, or just navigating to the site in a browser I get the following error logged and a 503 error.
Application pool 'DefaultAppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
If I check out the Application error logs, I find the following error from the User Profile Service.
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
DETAIL - The system cannot find the path specified.
Upon looking into the details I find that the User Profile Service is trying to load up a profile with the Id
S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Now I opened up the registry to try and find the profile with that UserId. However there's nothing in the Profile list that helps.
So digging around a little more I've found that this issue can be resolved by either
A) Set the Load User Profile of the Application Pool to false.
B) Use a different account for the application pool.
C) Fix the account.
Seeing how this is the built-in account, I'd prefer to fix the issue rather than fix the symptom.
What I have tried
aspnet_regiis -i
Removing IIS from windows and reinstalling.
Attempted to follow the guide here but I don't know the account password :P
My hunch
Somehow the ApplicationPoolIdentity got messed up. Are there any physical folders for the built-in accounts? I know that the Network and Local Service profile directories exist at C:\Windows\ServiceProfiles\. Is it possible to recreate the ApplicationPoolIdentity profile? Or am I way off on what the real issue is?
C) Here is what I did to fix the account
Go in regedit to the key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There is a setting called "Default". You have to make sure that the data value points to an existing directory on the drive.
By default it contains "%SystemDrive%\Users\Default". In my company the default is changed to a custom profile. Somehow, someone deleted that user profile. So when the DefaultAppPool user tried to create an account for himself, it was unable to do so because Windows cannot provide him with a default user profile.
You can also diagnose this error when looking at the Event Viewer under the Application folder. You will get a message of that type:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
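As an added example (not part of the answer above), the following PowerShell checks, on the IIS host, the things this fix depends on: whose SID the event entry names, whether a profile for it was ever created, and whether the ProfileList "Default" value still points at a directory that exists. The SID is the one quoted in the question; the script assumes an elevated prompt on a machine with IIS installed, and the restore of the stock Default value is an assumed remediation (recreating the custom default profile directory is the alternative).

```powershell
# Added example: diagnose a broken app-pool identity profile (not from the answer).
# Assumes elevated PowerShell on the IIS host. $eventSid is the SID from the
# question's User Profile Service event.
$eventSid    = 'S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Resolve the SID. Application-pool virtual accounts (S-1-5-82-...) resolve
#    to IIS APPPOOL\<pool name> on a host where IIS is installed.
try {
    $sid = [System.Security.Principal.SecurityIdentifier]$eventSid
    $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
} catch {
    $who = '<unresolved: IIS not installed or the pool was renamed/removed>'
}
"SID $eventSid -> $who"

# 2. A ProfileList subkey named after the SID exists once a profile has been
#    created successfully. Its absence, together with the 'profile cannot be
#    loaded' event, points at profile creation failing, not at a damaged profile.
$poolKey = Join-Path $profileList $eventSid
"ProfileList entry present for this SID: $(Test-Path $poolKey)"

# 3. The directory profile creation copies from. The value is REG_EXPAND_SZ, so
#    expand any %...% before testing the path.
$default     = (Get-ItemProperty -Path $profileList -Name Default).Default
$defaultPath = [Environment]::ExpandEnvironmentVariables($default)
if (Test-Path -Path $defaultPath -PathType Container) {
    "Default profile directory OK: $defaultPath"
} else {
    Write-Warning "Default profile directory missing: $defaultPath"
    # Assumed remediation: restore the stock value. Alternatively recreate the
    # custom default profile directory that the value points to.
    Set-ItemProperty -Path $profileList -Name Default -Value '%SystemDrive%\Users\Default' -Type ExpandString
}

# 4. Show the recent User Profile Service messages the answer refers to, matched
#    by text so the check does not depend on event IDs that vary by Windows version.
Get-WinEvent -LogName Application -MaxEvents 500 |
    Where-Object { $_.Message -match 'temporary profile|profile cannot be loaded' } |
    Select-Object TimeCreated, Id, ProviderName, Message
```

After correcting the Default value, recycle the pool (Restart-WebAppPool DefaultAppPool, from the WebAdministration module) rather than reinstalling IIS; the first request creates the profile under C:\Users\<pool name> and the ProfileList subkey from step 2 should then appear.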