IBM Websphere MQ: Failing to authorize 'mqadmin' - ibm-mq

Unable to give the permission 'chg' to the SYSTEM.AUTH.DATA.QUEUE. We tried granting it using setmqaut with mqm super user access, but no luck! Currently it is flooding our AMQERR* error logs. Need your help on this.

The SYSTEM.AUTH.DATA.QUEUE is very restricted. This is because it holds the data that is your authority rules. You cannot give chg permission to a non-privileged user ID and a privileged user ID already has the ability to change.
IBM Knowledge Center says:
Authorization data is stored on a local queue called SYSTEM.AUTH.DATA.QUEUE. Access to this queue is restricted to users in the mqm group, and additionally on Windows, to users in the Administrators group, and users logged in with the SYSTEM ID. User access to the queue cannot be changed.
If you need to make a change to this queue (you don't say why), then you can only do it using a privileged user id, e.g. a member of the mqm group.

Related

Can gMSA be used between trusted domains?

Can gMSA accounts be used across two trusted domains? Say there is a DomainA which has a gMSA account, and a security group that is allowed to retrieve the password for the gMSA account. And there is a server that belongs to DomainB that is part of DomainA\SecurityGroup.
When running Install-ADServiceAccount, I get:
Install-ADServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
I can retrieve the account from DomainA using Get-ADServiceAccount by specifying -Server parameter. Then pipe that into Install-ADServiceAccount and get above error.
When piping the account to Test-ADServiceAccount I get this:
Test-ADServiceAccount : Object reference not set to an instance of an object.
No, at least not that I've found. I think there's something in the API that makes it send the request for the password to only its own domain's DCs.
I have used gMSA accounts across a domain trust. The gMSA principal needs to be a group in the same domain, but as long as the group is type Domain Local, you can add computers from the other domain as members to that group, and they are then able to retrieve the password successfully.
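The arrangement described in the last answer (a Domain Local group in the gMSA's own domain whose members are computers from the trusted domain), written out as an added PowerShell example. It is not code from the original question or answers; the domain controllers, OU, gMSA name, group name and host name are placeholders.

```powershell
# Added example: let a DomainB computer retrieve the password of a DomainA gMSA.
# Run with the ActiveDirectory module as an account that can create groups and edit the gMSA in DomainA.
# Every domain, OU, group, account and host name below is an assumption, not a value from the question.
$DomainADc = 'dc1.domaina.example'
$DomainBDc = 'dc1.domainb.example'
$Gmsa      = 'svc-ews'               # sAMAccountName of the gMSA in DomainA (without the trailing $)
$HostGroup = 'gMSA-svc-ews-Hosts'    # group in DomainA that will hold the hosts
$GroupOu   = 'OU=Service Groups,DC=domaina,DC=example'

# 1. The host group must be Domain Local: that is the only scope that can contain security
#    principals from another (trusted) domain.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'" -Server $DomainADc)) {
    New-ADGroup -Name $HostGroup -GroupScope DomainLocal -GroupCategory Security `
                -Path $GroupOu -Server $DomainADc
}

# 2. Resolve the computer against a DomainB DC and add the object (not just a name) to the
#    DomainA group, so the foreign security principal for its SID is created in DomainA.
$AppHost = Get-ADComputer -Identity 'APP01' -Server $DomainBDc
Add-ADGroupMember -Identity $HostGroup -Members $AppHost -Server $DomainADc

# 3. Authorise the group, rather than individual computers, to retrieve the managed password.
Set-ADServiceAccount -Identity $Gmsa -Server $DomainADc `
                     -PrincipalsAllowedToRetrieveManagedPassword $HostGroup

# 4. Confirm what the gMSA now allows.
Get-ADServiceAccount -Identity $Gmsa -Server $DomainADc `
                     -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword

# 5. On APP01 itself (DomainB): the computer's Kerberos ticket has to reflect the new group
#    membership before the retrieval can succeed. Reboot, or purge the machine account's ticket
#    cache (SYSTEM logon session, LUID 0x3e7) and then test:
#      klist -li 0x3e7 purge
#      Test-ADServiceAccount -Identity 'svc-ews'
```

Step 5 is where the "Object reference not set" symptom from the question usually shows up: the host was not yet (or not effectively) a member of an authorised group when it asked for the password.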

What's the least privileges of NetLocalGroupAddMembers?

Does anyone know the least privileges required for NetLocalGroupAddMembers?
I appreciate your help.
MSDN says:
If you call this function on a domain controller that is running Active Directory, access is allowed or denied based on the access control list (ACL) for the securable object. The default ACL permits only Domain Admins and Account Operators to call this function. On a member server or workstation, only Administrators and Power Users can call this function.
This is confirmed by Requirements for Network Management Functions on Active Directory Domain Controllers:
For updates, the default ACL permits only Domain Administrators and Account Operators to write information. One exception is that users can change their own password and set the usri*_usr_comment field. Another exception is that Account Operators cannot modify administration accounts.
and Requirements for Network Management Functions on Servers and Workstations:
By default, only Administrators and Power Users can write information.
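To see the rule above in practice, here is an added PowerShell example (not from the original answer) that calls NetLocalGroupAddMembers through P/Invoke and maps the status codes a caller gets back. Run it once from a normal prompt and once from an elevated one: the same admin user gets ERROR_ACCESS_DENIED from the filtered (non-elevated) token. The group name and member name are assumptions.

```powershell
# Added example: call NetLocalGroupAddMembers directly and report why it succeeded or failed.
# Group and member names are placeholders, not values from the question.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    // Level 3 member record: a single "DOMAIN\name" string.
    [StructLayout(LayoutKind.Sequential)]
    public struct LOCALGROUP_MEMBERS_INFO_3 {
        [MarshalAs(UnmanagedType.LPWStr)] public string lgrmi3_domainandname;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetLocalGroupAddMembers(
        string servername, string groupname, int level,
        ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);
}
'@

function Add-LocalGroupMemberRaw {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $DomainAndName,   # e.g. 'CONTOSO\svc-app'
        [string] $Server = $null                          # $null = this machine
    )
    $entry = New-Object NetApi+LOCALGROUP_MEMBERS_INFO_3
    $entry.lgrmi3_domainandname = $DomainAndName
    # level 3 = LOCALGROUP_MEMBERS_INFO_3, one entry
    $status = [NetApi]::NetLocalGroupAddMembers($Server, $Group, 3, [ref] $entry, 1)
    switch ($status) {
        0    { "OK: '$DomainAndName' added to '$Group'." }
        5    { "ERROR_ACCESS_DENIED (5): caller is not Administrators/Power Users (member server) " +
               "or Domain Admins/Account Operators (domain controller)." }
        1376 { "ERROR_NO_SUCH_ALIAS (1376): local group '$Group' does not exist." }
        1378 { "ERROR_MEMBER_IN_ALIAS (1378): '$DomainAndName' is already a member." }
        1387 { "ERROR_NO_SUCH_MEMBER (1387): '$DomainAndName' could not be resolved." }
        default { "NetLocalGroupAddMembers failed with status $status." }
    }
}

# Show which token the call is made with: under UAC an administrator's non-elevated token
# is NOT in the Administrators role, so the API denies it just like a standard user.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($identity.Name); Administrators in current token: $elevated"

Add-LocalGroupMemberRaw -Group 'Remote Desktop Users' -DomainAndName "$env:USERDOMAIN\svc-app"
```

The status-to-group mapping for code 5 is exactly the MSDN statement quoted above; the function adds nothing the ACL does not already enforce, it only makes the refusal legible.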

How to set permission to all users in IBM queue manager/queue channel and queues

How can I set permissions on the queue manager/queue channel/queues in IBM MQ without specifying the user? I need to give the permission to all the users.
On UNIX and Linux systems you can grant permission to all users by granting permission on the special group nobody.
From the Knowledge Center page "Principals and groups":
You can change the authorization in the nobody group to grant access to WebSphere® MQ resources to users without specific authorizations.

How to store a password for later use?

I need to be able to store a user's Exchange password so I can use it to perform some task later on, using EWS. I know storing passwords in plain text is a horrid crime, so what options do I have?
In my case, my application will have access to an administrative account that will have the ability to use impersonation to work with users' Calendars. I need to store the password of this admin account so I can use it while authenticating with the Exchange server at a later time. I am not planning on using the EWS Managed API.
I have a user that created a calendar app with similar requirements. By default, an account that has these permissions globally is horrible and not recommended. Impersonation roles were granted by department that required access to the app to reduce risk scope. However if you require this globally, here's what I recommended for mitigating the account/password exposure:
Restrict the accounts functionality to Exchange services only. Features like log on locally and other general domain user privileges are not needed for an EWS service account that only needs mailbox access and impersonation roles. In this case, the account cannot log onto a computer nor can it be used for RDP. This limits exposure for malicious use.
The user/pass can be stored in your application's database, and the connection string would also be stored outside of your application; there's a lot here: https://security.stackexchange.com/questions/22817/how-to-encrypt-database-connection-credentials-on-a-web-server. Also encrypt the password within the database; further reading: http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374
Restrict DB server and management access. This is a larger issue than it should be if the database server is shared between groups. Audit the database server access, and re-restrict if you have too many cooks in the kitchen. The database server should also not be directly accessed by user networks but that may be a larger issue to tackle.
Restrict access to the application. As in, is it available externally or only available inside your perimeter? Either way, the application should also include authentication just to access, using Kerberos or some other SSL auth, make sure the application cannot be used to DoS the EWS services from over-access.
Create a one-off throttling policy on Exchange for this user and assign accordingly to prevent the application from breaking EWS or limiting regular user functionalities. This is something Blackberry admins learned the hard way if they didn't follow recommendations. When BES server wouldn't properly tear down connections, web services would start dropping valid client requests. As such BES had to instruct users to create a one off throttling policy for various Exchange features. I did the same for the user that created my EWS app. And a few times it saved me.
Really it will boil down to good application design and coordinating requirements with the Exchange team.
Don'ts:
Don't store the username/password in Apache/IIS pages or the connection string
Don't grant global permissions for the account if you don't have to
Don't allow unauthenticated access to the application and allow unlimited connection times
Hope this helps.
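One concrete way to keep the EWS service account's password out of config files and pages, in line with the answer above: bind it to the Windows account that runs the application with DPAPI. This is an added PowerShell example, not code from the answer or from the asker's application; the file path, account name and entropy string are assumptions.

```powershell
# Added example: protect the EWS service account password with DPAPI (CurrentUser scope), so only
# the Windows account that encrypted it, i.e. the dedicated logon-restricted service identity
# the answer recommends, can decrypt it. Path, account and entropy below are placeholders.
Add-Type -AssemblyName System.Security   # ProtectedData lives here on Windows PowerShell 5.1

$SecretPath = 'C:\ProgramData\CalendarApp\ews-service.bin'   # NTFS-ACL this to the service account only
# Application-held value mixed into the DPAPI key. It is not a second secret, but another process
# running as the same user cannot decrypt the blob without supplying the same bytes.
$Entropy = [Text.Encoding]::UTF8.GetBytes('CalendarApp/EWS/v1')

function Protect-ServiceSecret {
    param([Parameter(Mandatory)] [securestring] $Password,
          [Parameter(Mandatory)] [string] $Path)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $plain = [Text.Encoding]::Unicode.GetBytes(
                          [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $blob = [Security.Cryptography.ProtectedData]::Protect(
                $plain, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Array]::Clear($plain, 0, $plain.Length)          # scrub the clear bytes
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    [IO.File]::WriteAllBytes($Path, $blob)
}

function Unprotect-ServiceSecret {
    param([Parameter(Mandatory)] [string] $Path)
    $blob  = [IO.File]::ReadAllBytes($Path)
    # Fails with a CryptographicException when run as any account other than the one that protected it.
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
    $secure = New-Object securestring
    foreach ($ch in [Text.Encoding]::Unicode.GetString($plain).ToCharArray()) { $secure.AppendChar($ch) }
    [Array]::Clear($plain, 0, $plain.Length)
    $secure.MakeReadOnly()
    $secure
}

# One-time setup, run interactively AS the service account, e.g.
#   runas /user:CONTOSO\svc-ews powershell
# Protect-ServiceSecret -Password (Read-Host -AsSecureString 'EWS service account password') -Path $SecretPath

# At run time, inside the service running as CONTOSO\svc-ews, rebuild the credential for the EWS call:
# $cred = New-Object System.Net.NetworkCredential('svc-ews', (Unprotect-ServiceSecret -Path $SecretPath), 'CONTOSO')
```

Because the blob is useless to any other account, the database or file that holds it is no longer the thing to protect most; the account that can decrypt it is, which is why the "restrict the account" and "restrict DB and application access" points above still matter.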

Network access to windows service

I have a problem with creating a service that has access to files on a network disk.
The service must have admin rights and it will be run by users that don't have admin privileges.
I send the path as UNC
and the file is seen by the service, but it returns ACCESS_DENIED errors when trying to open or do anything on the network drive.
When I run my service as a server, everything works fine.
I tried to find an answer, but everywhere I can find only partial answers that do not help me at all.
========
I read that a standard service logged on as SYSTEM can't have access to the network.
So I tried to log it on as
NetworkService, LocalService
It didn't work. After running it as one of those users my service can't save files on C:
Some kind of admin account. But I didn't manage to succeed with that.
The actually logged-on user.
I don't know how to get the password for the current user.
Still, this will not work for a user without admin rights.
========
Please tell me what I can do.
There are plenty of services that somehow use network resources. How do they do that?
You need to configure your service to run as a user which has sufficient rights. In this case you are looking for rights to network shares. Typically that's going to need a domain user with appropriate rights. Normally you'd ask your network manager to create a dedicated user account for the purpose.
You appear to be labouring under some false information as to how services work. You talk about running the service under the account of the logged on user. Remember that services run when there are no users logged on. And remember that there may be multiple logged users at any point in time.
For me, the port was getting blocked by the firewall. I had to add an inbound rule and specify the port which I was using in my application. This way the firewall did not block my port for outgoing connections.
References:
https://www.firehousesoftware.com/webhelp/FH/Content/FHEnterprise/FHEnterpriseInstallationGuide/24_StaticPort.htm
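The first answer's fix (run the service as a dedicated domain account that has rights on the share), as an added PowerShell example that is not part of the original thread. Service name, account and share are placeholders. It also shows, going one step beyond the answer, the same change with a gMSA from the earlier question, which removes the stored password altogether.

```powershell
# Added example: move a Windows service from LocalSystem to a dedicated domain account so it
# authenticates to the file share as that account, not as the computer account.
# Service, account and share names are placeholders, not values from the question.
$ServiceName    = 'FileSyncSvc'
$ServiceAccount = 'CONTOSO\svc-filesync'
$SharePath      = '\\fileserver\data'

# 1. Which identity does the service have now? LocalSystem, NetworkService and LocalService all
#    reach the network as the computer account (CONTOSO\<hostname>$), which is what the share is
#    refusing with ACCESS_DENIED.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$svc | Select-Object Name, StartName, State

# 2. Change the logon identity. Win32_Service.Change takes the password as a method argument, so it
#    never appears on a command line the way "sc.exe config ... password=" does.
#    The account must hold "Log on as a service" (User Rights Assignment via secpol.msc or GPO);
#    services.msc grants that right for you, this method and sc.exe do not, and a missing right
#    shows up as error 1069 at start-up.
$cred   = Get-Credential -UserName $ServiceAccount -Message 'Dedicated service account'
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $ServiceAccount
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }
Restart-Service -Name $ServiceName

# 3. Both the share permission and the NTFS ACL on the target must grant the account; check each
#    from an admin session rather than guessing from the service's error.
Get-SmbShareAccess -Name 'data' -CimSession 'fileserver'
(Get-Acl $SharePath).Access | Where-Object IdentityReference -like '*svc-filesync*'

# 4. Generalisation (assumption beyond the answer): with a gMSA from the earlier question, installed
#    on this host with Install-ADServiceAccount, the service needs no stored password at all.
#    Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
#        StartName = 'CONTOSO\svc-filesync$'; StartPassword = '' }
```

The point the second answer makes about multiple or absent logged-on users is exactly why the identity has to be configured on the service: the account is chosen once, by an administrator, and does not depend on who (if anyone) is at the console.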
