I'm trying to change the system proxy settings with authentication. The system proxy can be changed successfully, but when my App relaunched, the auhorizating dialog(requiring username and password) always pop up.
How can I authorize once and for all?
I have a demo App with source codes on GitHub: https://github.com/codinn/SystemProxySettingsDemo
details:
Demo App description
A demo for changing system proxy settings.
Problem
After click “Enable System Proxy”, a dialog for requesting auhorization will be popped up, and subsequent clicks won't popup again, which is fine.
But if we Quit and Relaunch the app, the auhorizating dialog will be popped up again.
How can we authorize once and for all?
Steps to Reproduce
Launch demo app “SystemProxySettingsDemo”
Click “Enable System Proxy” button, the auhorizating dialog will be popped up
The SOCKS proxy setting in system network preferences will be changed to host: 127.0.0.1, port: 8888
Click “Disable System Proxy” button to clear system network preferences proxy
Quit the app, and launch it again
Click “Enable System Proxy” button, the auhorizating dialog will be popped up, again
References
GitHub repository: https://github.com/codinn/SystemProxySettingsDemo
Apple official sample: https://developer.apple.com/library/content/samplecode/EvenBetterAuthorizationSample/Introduction/Intro.html
File “ViewController.swift”: Creating an authorization reference, Requesting Authorization, System Network Preferences Proxy settings.
Function define:
// requesting authorization with “AuthorizationCopyRights”
// set system network preferences proxy with “SCPreferencesCreateWithAuthorization” and “SCPreferencesPathSetValue”
func socksProxySet(enabled: Bool)`
4. File “CommonAuthorization.swift”: set / get authorization policy database entries
5. File “codinnDemoRightRemove.sh”: clear policy database entries belongs to demo app
Other Notes:
I've tried storing the Authorization Rights to the policy database with “AuthorizationRightSet” (setting policy database rule attribute “timeout” as 0, or 3600, or remove the attribute “timeout”), but it does not work
Also tried using "kAuthorizationRuleClassAllow" or "kAuthorizationRuleAuthenticateAsAdmin" as value for parameter "rightDefinition" of function "AuthorizationRightSet", but it does not work either
The best way to maintain a persistent authorisation to change these settings is to create a launchd daemon that runs as root. Such a daemon can change System Configuration preferences at any time without further authorisation.
Apple sample referrnce: EvenBetterAuthorizationSample
Related
I'm trying to edit the "Security role to user/group mapping" in WebSphere 8.0. I want to set the Role 'User' to be 'All authenticated in application realm' but there is no save button. So when I reload the page where you can edit this, it's the same as before. Am I doing something wrong?
This issue is very common if you deploy your application directly from Eclipse/RAD to WebSphere.
In the Servers view, double click your WebSphere server and in Publishing settings uncheck the Minimize application files copied to the server option.
Restart the server and reinstall application. The OK button will be there. :-)
Here are some more details No confirmation when saving Shared Libraries within WebSphere Test Environment. Although it says about Shared Libraries and WAS v7, same applies to v8 and role mapping.
Please check that the admin console user is authorized to make changes to the application? Are you logged in to admin console as Administrator? You should see option to click on "OK". When you click "OK", you will have an option to save the configuration.
I have a squid proxy server with basic SQL db authentication. When setting it on a client machine, the user is prompted with a dialog that asks for the username/password.
When they are entered and the save box is checked, the prompt no longer appears in IE but chrome asks every time it is started.
My question - is it possible to preconfigure the username/password in registry or somewhere else? I have tried the
http://username:password#server:port
and variations of it with no success. When that string is entered the browsers ignore it completely and proceed with no proxy.
I looked into setting up ntlm on squid but it seems that if the client is on a different domain the user will still be prompted.
You can choose the below steps to enforce IE using the same connection during the whole authentication procedure.
Click Start, click Run, type regedit, and then click OK.
Locate and then click either of the following keys in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
On the Edit menu, point to New, and then click DWORD.
Type ReleaseSocketDuring401Auth, and then press ENTER.
On the Edit menu, click Modify.
Type 0, and then click OK.
Microsoft Blog:
http://blogs.msdn.com/b/asiatech/archive/2012/03/28/ie-always-prompts-for-authentication-when-browsing-through-proxy-server.aspx
After looking through the code for building custom credential providers for Windows 7, I managed to get my own tile to show up on the logon screen, and can logon as the desired user. However, I am trying to implement a system where an event (a Bluetooth device in range) triggers a logon/unlock, without needing to click on the tile.
I can set it to fill in the password automatically (maybe I will implement pulling the password from the device), but either way, I must click the tile first. If it is locked, I need to click "Other Credentials" before that, too.
How would I go about implementing the logon credential provider without displaying a tile on the logon screen? It would be nice if I could keep the existing password option focused, and bypass it the moment the device comes in range.
EDIT: I made some progress, but I still think I need to do this without a tile. If I set the *pbAutoLogon parameter to true, and fill in the username and password before that, then the following behavior occurs:
If the default credential is selected (lock/unlock), then I need to click on "other credentials". If I log off, both credentials are displayed by default.
If both credentials are shown, and my provider is enabled after that, then the logon is automatic.
If my provider is enabled first, then "other credentials" is selected, I still need to click on my provider, after which logon is automatic
You need to change your credential settings to log in automatically and then your provider needs to tell LoginUI that the credentials have changed.
One of the sample credential providers supplied by microsoft works in this way.
How do I change who is logged in (allow for another user to login) to an application that is using Windows Authentication without having the PC user log off?
You would be better served to use forms-based auth against AD with impersonation. Pass-through authentication is uneven and introduces a number of issues you don't even want to begin to deal with.
To clarify: Do you want to be logged in to Windows with one account and then be able to view a web site that uses Windows Authentication with a different user?
Maybe you can run the browser under a different account with runas.
Right-click on your browser icon, choose "Run as...", and provide the other user's credentials.
You could prevent IE (I assume) from automatically passing NTLM credentials. But then you'll get a login dialog.
You can change the "automatically login behavior" by doing the following in IE:
Tools -> Internet Options ->
Security tab -> Intranet zone (I
assume)
Then click "Custom level..." and
scroll to the bottom to User
Authentication -> Logon.
Select the "Prompt for user name and
password" option.
FF has similar options by going into "about:config" and change the "network.automatic-ntlm-auth.trusted-uris" setting.
Suppose someone worked for a company that put up an HTTP proxy preventing internet access without password authentication (NTLM, I think). Also suppose that this password rotated on a daily basis, which added very little security, but mostly served to annoy the employees. How would one get started writing a Firefox add-on that automatically entered these rotating passwords?
To clarify: This add-on would not just submit the password; the add-on would programmatically generate it with some knowledge of the password rotation scheme.
This is built into Firefox. Open up about:config, search for 'ntlm'
The setting you're looking for is called network.automatic-ntlm-auth.trusted-uris and accepts a comma-space delimited list of your proxy server uris.
This will make FireFox automatically send hashed copies of your windows password to the proxy, which is disabled by default for obvious reasons. IE can do this automatically because it can use security zones to figure out whether a proxy server is trusted or not.
Blog post discussing this
It's your lucky day - no need for an add-on!
How to configure Firefox for automatic NTLM authentication
In Firefox, type about:config into the address bar and hit enter. You should see a huge list of configuration properties.
Find the setting named network.negotiate-auth.delegation-uris (the easiest way to do this is to type that into the filter box at top).
Double-click this line, and enter the names of all servers for which network authentication is desired, separated by commas. Then press ‘OK’ to confirm.
Find the setting network.negotiate-auth.trusted-uris, and set it to the same value used in #3.
Find the setting network.ntlm.send-lm-response, and set it to true.
Skip steps 7 and 8 if you aren't using a proxy.
Open the options dialog (Tools->Options menu), and on the Advanced page, Network tab, press the Connection Settings button to get the proxy configuration dialog:
Make sure the correct proxy server is configured, and that the same list of servers is listed in the No Proxy for: entryfield as were set in step #3.
Done.