I have two applications in a workspace. 1st application: ID 42 and the 2nd application: ID 142
Now when I switch from one application to the other, I am always asked for the login data. This is annoying for the user.
Now in each of the application under Shared Components - Authentication Schemes - Session Sharing I set the Type to Custom and assigned a Cookie Name. I did this in both applications. Now the user can switch between the applications without entering the password again.
It should be noted that the app ID 42 has two entries: Application Express Authentication and Database - Current where I have enabled session sharing. App ID 142 has only Application Express Authentication.
Now, when a user logs in, he has to change his temporary password and now an error follows that only happens with the session sharing set. If it is not activated, the user can change his password, but must always log in again in every app.
The error message reads: The procedure named null could not be accessed. It may not be declared, or the user executing this request may not have execute permission for the procedure. Check the correct spelling of the procedure and make sure that the calling user has been granted the execute permission.
What did I forget to set or does the new password not work with session sharing?
I have a problem using the default APEX Application Express Authentication. If a user has to change their password (no matter if developer or end user), they are unable to log in. Instead of the password change window I get the error "Forbidden The requested operation is not allowed". If the password is valid and not expired or not required to change, you can log in successfully. Can't find a solution for this problem. Using APEX 20.1, Oracle 18c (18.0.0.0.0).
Accidentally found the problem. All applications share the same session (Session Sharing set to Workspace Sharing). This prevents the user from being able to change the password and log in if the user needs to change it. So I went the easy way: created another application without session sharing for users, to be able to change the password.
The goal is to have a service create a process which has the security context of a user whose password is not known.
I understand and accept the limitation that the new process will only be able to access local resources.
I think I am close to a solution. Everything works fine so long as the user to be impersonated is in the local administrators group.
But if not, I get an exception 0xc06d007e.
It seems the user to be impersonated lacks some permission or privilege that it has when it is in the administrators group.
But how can I find out what this missing right/permission/privilege is, without going through the thousands of permutations by trial and error?
get a token for the user to be impersonated
    token = new WindowsIdentity("username#domain").Token
create a primary token
    token2 = DuplicateTokenEx(token)
The process to be created is a simple console application and indeed I don't even need a console.
    process_creation_flags.DETACHED_PROCESS
    | process_creation_flags.CREATE_NO_WINDOW
    | process_creation_flags.CREATE_NEW_PROCESS_GROUP
try to start the new process as the impersonated user
    CreateProcessAsUser(token2, "myapplication.exe" etc etc)
As I say, this works fine if username#domain is in the local admin group; otherwise I get exception 0xc06d007e, I think when the new process is trying to start.
As one of the steps towards creating the service, I was running the code as a console application and it was during that stage I was getting the exception mentioned above.
But I found that running the code as a service works fine!!
So I never found out why the user-to-be-impersonated (impersonatee?) needs to be in the local admin group when the impersonation is done from a console application.
I suspect it is something to do with sessions and / or desktops.
I have not found many discussions where the scenario is impersonating a user whose password you do not know. So I just want to re-assure anyone having problems that it is indeed possible and the main points are:
1) run the code as a service (with local system or a user with all the required privileges)
2) get the s4u token from windowsidentity (this will be an impersonation token if the call has the required privileges)
3) create a primary token from the impersonation token using duplicatetokenex
4) createprocessasuser using the token from 3
note the process will only have access to local resources
I have an external-facing website (back end SQL Server and ASP.NET) where I want a feature such that if a user with the same ID is already logged in and tries to log in again from some other browser or through some other channel, his previous session should be expired.
So in which way should I proceed for this?
You can store the sessions in a database, by providing a unique session-id every time a user logs in. By storing the session-id also in a session variable you can see when the user is logged in somewhere else.
For example:
User A logs in in Safari on his laptop
Session id is generated and stored in database and session variable
User A browses to different page
Session id in database is compared with session variable
IDs match, user is still logged in
User A logs in using Chrome on his phone
Session id is generated and stored (overwriting the previous) in database and session variable
User A browses on his laptop to a new page
IDs do not match, redirect to login page
You can also make this more general by keeping a session table, in order to allow a maximum number of sessions per user. The key is just to use a global storage like a database in combination with the session information to verify where the user logged in last.
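The scheme from the answer in ASP.NET/C# against SQL Server, as an added example that is not the answerer's code. It assumes a table UserSessions(UserId, SessionToken) (constructed for this example), a session-state-enabled application, and a login page URL you pass in; the per-login token is a random GUID rather than a counter so another session cannot guess it.

```csharp
using System;
using System.Data.SqlClient;
using System.Web;
// Assumed table: CREATE TABLE UserSessions (UserId nvarchar(128) PRIMARY KEY, SessionToken uniqueidentifier NOT NULL)
public static class SingleSessionGuard
{
    const string TokenKey = "SessionToken", UserKey = "UserId";
    // Call right after the credentials are verified. The fresh token overwrites whatever an
    // earlier browser stored, so that browser fails IsCurrent() on its next request.
    public static void OnLogin(HttpContext ctx, string userId, string connStr)
    {
        Guid token = Guid.NewGuid();        // unguessable per-login identifier
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            @"MERGE UserSessions AS t USING (SELECT @u AS UserId) AS s ON t.UserId = s.UserId
              WHEN MATCHED THEN UPDATE SET SessionToken = @t
              WHEN NOT MATCHED THEN INSERT (UserId, SessionToken) VALUES (@u, @t);", con))
        {
            cmd.Parameters.AddWithValue("@u", userId);
            cmd.Parameters.AddWithValue("@t", token);
            con.Open(); cmd.ExecuteNonQuery();
        }
        ctx.Session[TokenKey] = token;       // the copy this browser's session carries
        ctx.Session[UserKey] = userId;
    }
    // True only if this browser's token is still the one on record for the user.
    public static bool IsCurrent(HttpContext ctx, string connStr)
    {
        var userId = ctx.Session[UserKey] as string;
        if (userId == null || !(ctx.Session[TokenKey] is Guid)) return false;
        Guid mine = (Guid)ctx.Session[TokenKey];
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("SELECT SessionToken FROM UserSessions WHERE UserId = @u", con))
        {
            cmd.Parameters.AddWithValue("@u", userId);
            con.Open();
            object stored = cmd.ExecuteScalar();
            return stored is Guid && (Guid)stored == mine;
        }
    }
    // Call from Application_AcquireRequestState in Global.asax (or an HttpModule) on every request.
    public static void EnforceOnRequest(HttpContext ctx, string connStr, string loginUrl)
    {
        if (ctx.Session == null || ctx.Session[UserKey] == null) return;   // anonymous request
        if (IsCurrent(ctx, connStr)) return;
        ctx.Session.Abandon();               // the older login loses: drop it and go to the login page
        ctx.Response.Redirect(loginUrl, true);
    }
}
```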
There is a Windows app that requires admin rights and this is declared in its manifest. When a restricted user starts it she has to input admin credentials. It's OK and the application works well, but it can't obtain original user folders anymore (ShellAPI returns admin's ones).
Since the application is started under admin initially, there is no point where I can store original user's folder paths to use them later.
Is there a way to get initial restricted user credentials?
Regards,
Because of your manifest, your app is running as an admin user, not the currently logged in restricted user. As David Heffernan mentioned, you should redesign your app to not require the entire app to be run elevated. Delegate your admin tasks to a separate process that runs elevated when needed.
That being said, if you must run your entire app elevated, all is not lost, but you are going to have to do some extra work.
Start by getting the Session ID that your elevated app is running in. You can do that using WTSQuerySessionInformation() with WTS_CURRENT_SESSION, or ProcessIdToSessionId() with GetCurrentProcessId(), or open the current process's token with OpenProcessToken() and then use GetTokenInformation().
Once you have the Session ID, use EnumProcesses(), GetProcessImageFileName() (or equivalent), OpenProcessToken(), and GetTokenInformation() to find the instance of explorer.exe (or whatever the PC's registered shell app is, which you can find in the Registry) that is running in the same Session ID as your app.
When found, you have the user token for that process from OpenProcessToken(). Duplicate it using DuplicateTokenEx() to get its primary token, and then you can use that token with APIs like LoadUserProfile(), SHGetFolderPath() and SHGetKnownFolderPath() as needed.
I am creating a webpage using Azure ACS, or "Windows Azure Active Directory Access Control" as it's also called.
I have managed to get this to work, and upon login I extract the claim information like this:
var identity = Thread.CurrentPrincipal.Identity as Microsoft.IdentityModel.Claims.ClaimsIdentity;
I then store the nameidentifier in a database so I can recognize the user when he logs in again.
Now I want to let the user log in using another identity while he is still logged in with the first one so that I may associate these two claim sets to the one user.
When I direct him to the ACS login page and he is redirected back after logging in, the list of claims in the identity is still the same; it doesn't contain new claims for the new identity he logged in with. Do I have to somehow store an identity in a cookie and log him off before redirecting him to the ACS login page to get the next identity's claim information? If not, how is this done?
You'll have to implement something like a verification code that will allow you to identify the user and store its various name identifiers.
1. user logs in
2. is it a "verified" user, i.e., is its name identifier associated with a user?
2a. Yes, proceed.
2b. No, ask for the verification code
2b1. Valid code, associate user with verification code
2b2. Invalid code, go to 2b
This way multiple identities can be associated with the same user through the verification code.
Hope this helps!
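The verification-code flow sketched in this answer, written out in C# as an added example that is not the answerer's code. The two dictionaries are a constructed stand-in for the database tables (name identifier to user, and outstanding codes to user), the name identifier is the value the question already extracts from the claims, and the code is random, expiring and single use so a leaked or guessed code cannot be used later to attach an unrelated identity to the account.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// In-memory stand-in (constructed for this example) for two tables: name identifier -> user,
// and outstanding verification codes -> user. Replace the dictionaries with your database.
public class IdentityLinker
{
    public enum Outcome { Proceed, AskForCode, Linked, InvalidCode }
    readonly Dictionary<string, int> identityToUser = new Dictionary<string, int>();
    readonly Dictionary<string, Tuple<int, DateTime>> pendingCodes = new Dictionary<string, Tuple<int, DateTime>>();
    static readonly TimeSpan CodeLifetime = TimeSpan.FromMinutes(10);

    // First-ever login: create the user record for this name identifier (assumed sign-up path).
    public int Register(string nameIdentifier)
    {
        int userId = identityToUser.Count + 1;
        identityToUser[nameIdentifier] = userId;
        return userId;
    }

    // Issued while the user is logged in with identity #1; they present it right after
    // logging in with identity #2. Random, short-lived and single use.
    public string IssueCode(int userId)
    {
        var bytes = new byte[8];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        string code = BitConverter.ToString(bytes).Replace("-", "");
        pendingCodes[code] = Tuple.Create(userId, DateTime.UtcNow + CodeLifetime);
        return code;
    }

    // Steps 1 and 2 of the answer: run on the name identifier ACS redirects back with.
    public Outcome OnLogin(string nameIdentifier, string code, out int userId)
    {
        if (identityToUser.TryGetValue(nameIdentifier, out userId)) return Outcome.Proceed; // 2a
        if (string.IsNullOrEmpty(code)) return Outcome.AskForCode;                          // 2b
        Tuple<int, DateTime> pending;
        if (pendingCodes.TryGetValue(code, out pending) && pending.Item2 > DateTime.UtcNow)
        {
            pendingCodes.Remove(code);                       // single use
            identityToUser[nameIdentifier] = userId = pending.Item1;
            return Outcome.Linked;                           // 2b1
        }
        return Outcome.InvalidCode;                          // 2b2: caller asks again (go to 2b)
    }
}
```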