store and get generic credentials with an intranet application - networkcredentials

I developed an Intranet application which needs to realize a "git push" from a local repository (on the disk of the web server) to a remote repository.
I launch the git process from the web server, it runs under the IIS pool identity which is a domain account member of the administrators group of the web server machine.
Git needs the user credentials to perform the push action. I integrated a custom version of git-credential-winstore. This program uses the Windows Credential Manager to store generic credentials for a web site. But when the call to the credential's write occurs, I get the error :
Failed to write credential: A specified logon session does not exist. It may already have been terminated
I checked the policy "Network access: Do not allow storage of passwords and credentials for network authentication", it is disabled.
What goes wrong here ?

Pool account needs to gain access to its user profile.
So we need to connect one time to a Windows Session to create user profile (I think it's necessary). Next in the Advanced Settings of the dedicated Application Pool, set "Load User Profile" = true.
Note about credentials : Windows credential target must be changed to manage different users in the same Windows vault. I change "git:https://remote-host" by "git_USERID:https://remote-host".

I set this property to enabled and it works now, maybe it will work for you also:

Related

How to fix git error "Failed to enumerate credentials. [0x520]"

I'm using git over ssh on a remote machine that is running Windows 10. When I try to do a git pull, I get the error message in the title after entering my credentials.
Fixed by installing the latest version of git credential manager on chocolatey (not sure if this is necessary) and switching my git credential store to dpapi.
See https://github.com/GitCredentialManager/git-credential-manager/blob/main/docs/credstores.md#dpapi-protected-files for instructions on how to do so.
This could be illustrated by GitCredentialManager/git-credential-manager issue 325
The error you're seeing is related to the way that Windows handles "logon sessions" and "credential sets".
GCM Core uses the Windows Credential Manager (wincred.h) to store credentials safely on Windows.
We interact with wincred via the Windows APIs: CredRead, CredWrite, CredDelete, and CredEnumerate.
The error being returned in your case here is ERROR_NO_SUCH_LOGON_SESSION (0x520) which means:
The logon session does not exist or there is no credential set associated with this logon session.
Network logon sessions do not have an associated credential set.
The key part here is in bold.
When you connect via SSH, the sshd daemon/Windows service is running as the NT AUTHORITY\NETWORK SERVICE account (most likely/by default), which creates network logon sessions when an SSH client connects.
From some searching online, one workaround posted is to change the account that sshd runs as to be your real user, which would then have an associated credential set. Your milage may vary here depending on setup.
If you try to use the built-in cmdkey command for interacting credentials stores in the Windows Credential Manager, you'll see similar errors or messages like "saved for this login only".
Upgrading to the latest version of GCM comes with:
With the latest GCM Core release (v2.0.567) there is support on Windows to use a different credential store other than the Windows Credential Manager that shouldn't have the same remote-session limitations.
You can read more about the different options here: https://aka.ms/gcmcore-credstores
The specific store that may help this SSH scenario is the DPAPI-protected file store.
Credentials are protected using Windows DPAPI encryption (based on your current user account) and are written to files on disk (configurable; defaults to %USERPROFILE%\.gcm\dpapi_store).

Start Process within Windows Container as a domain user

I have a Windows 2019 container started with a valid CredentialSpec from a valid working gMSA account. It currently hosts a .NET 4.x application on IIS with Windows Authentication working just great. I can also execute nltest commands successfully and communicate to the domain controller.
I want to run a Job or Process as a domain user (MyDomain\UserABC). All of my attempts have failed:
Execute start-process with a credential object errors out with:
he security database on the server does not have a computer account for this workstation trust relationship.
Using a scheduled job as NT AUTHORITY\NetworkService fails to access the web because it is not using the gMSA credentials but the Network Service credentials.
Create a scheduled job with a Domain User results in the same error as above:
he security database on the server does not have a computer account for this workstation trust relationship.
Any other ideas?
Sounds like cached credentials. Maybe you can take a look on this link:
Site single Domain

Serve file from FSx to IIS

I've got EC2 instance with IIS and mapped FSx file system on AWS. All in one VPC in one subnet.
IIS config works perfectly as long as it's configured with local drive. When I change config to use path from that mapped FSx I've got an error. Even for just a test static page.
All current users have full access to those files. Do I need to set up any special users for IIS on Domain Controller? Any special permissions? I would appreciate any ideas...
First of all, you need to figure out the substatus code of your IIS server and detailed error message. So please enable IIS detailed error message for your website.
I assume this issue happened just because your identity don't have permission to access configuration file.
1.Please Ensure your IIS site->basic settings->connect as..->set your domain account that have permission to accessyour FSX
2.Please set your application pool identity to your domain account that have access to the FSx.
3.Please grant permission for that application pool account.
4.Please set your authentication user to use application pool identity. For example, if you are using anonymous authentication. Then go to->anonymous authentication->edit..->Application pool identity.
If you don't know how to troubleshooting this issue. Prcoss monitor would help.
You only have to create a filter "RESULT=Access denied & Processname="w3wp.exe".
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
SOLTUION: you can not use the drive letter must be full DNS name for fsx console \DNS_NAME\share
I am having this exact issue. Drive is available on ec2 instance but authorization in IIS fails. Browse directory from IIS workd but can not get authorization to pass test. I have tried admin on EC2 and admin on active directory as users in IIS virtual drive.
It seems that you need to configure the IIS application pool identity to use a domain account that has access to the FSx file system. By default, the application pool identity is a local account that does not have any permissions on the network share.
To change the application pool identity, follow these steps:
Open IIS Manager and select the application pool that hosts your website.
Click on Advanced Settings in the Actions pane.
Under Process Model, click on Identity and then on the ellipsis (...) button.
Select Custom account and enter the domain user name and password that has access to the FSx file system. Click OK to save the changes.
Restart the application pool and the website.
Alternatively, you can use the command line tool appcmd.exe to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
appcmd.exe set config /section:applicationPools /[name='DefaultAppPool'].processModel.identityType:SpecificUser /[name='DefaultAppPool'].processModel.userName:domain\user /[name='DefaultAppPool'].processModel.password:password
You can also use PowerShell to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
Import-Module WebAdministration
Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name processModel -Value #{identityType="SpecificUser";userName="domain\user";password="password"}
For more information, see this article on how to access FSx file shares from IIS.

VB6: How to connect to a network shared folder, without providing credentials using

I want to connect to a network share path '\domainname\folder-name' using domain account, without passing credentials, through my VB6 code.
My legacy VB6 application service (running on server A) currently accesses shared folder (on server B) using local account credentials(stored in encrypted .ini file). This service is running on behalf of 'LocalSystem'.
application is using 'WNetUseConnection' API to connect to shared folder.
To ensure security local account needs to be replaced by 'domain account' and password policy should be CyberArk dynamic password.
Now this credentials can't be stored in .ini file anymore. The idea that I am working on is to get service running on behalf of 'domain account' rather 'LocalSystem'. My thought is if i make service run on behalf of 'domain account, and give relevant permissions to this account on shared folder. Shared path should be accessible to service without providing credentials.
I need help to understand which API shall I use.
The API(s) you'll need for this is WNetAddConnection.
See this example.

Windows 2003 Standard IIS Remote Admin - Can't login

I have just installed Windows Server 2003 Standard Edition and therefore IIS6 (comes as standard). I have also install the windows component that enable the administration of IIS from the browser (https://server:8098/). The problem I have is that I have to log-in to this tool but the Server Administrator u/name and p/word does not let me in.
The Windows documentation on this tool (http://support.microsoft.com/kb/324282) says "You are prompted for a user name and password that exist on the Web Server" but none of the standard user acounts on the server let me in.
Thanks,
Here are a couple ideas:
Take a look at the security log on the server for clues.
Look at the "Directory Security" tab on the properties of the admin site and ensure "Enable anonymous access" is unchecked. You will need to use "Integrated Windows authentication" or "Basic authentication". If you use Basic auth then the password is sent across then network base64 encoded - you will want to use SSL to encrypt it.
Is there a specific requirement to use the web tools? You can download Internet Information Services (IIS) 6.0 Manager for Windows XP from Microsoft and run it from a client.
I'm not so sure now, haven't set up a Win 2003 box in a while but as far as I remember you have to activate remote desktop first and then you can use a RDP client to access the server. I recommend that over the ActiveX RDP client.
Is the server part of a domain? It may be defaulting to a domain username/password combo rather than a local username/password.
Try "server.domain.local\administrator" or "administrator#server.domain.local".
I would check the permissions on that site in IIS - make sure you are using an account that is a member of a group specifically assigned permissions. I understand that the builtin admin account is not working but its possible the site permissions have changed removing that account or group. - hope that makes some sort of sense
This might be unlikely, but are you trying to use a username that has a blank password? Windows restricts remote access when using those accounts.
If that's the case, you can check the Group Policy (gpedit.msc for local computer, or the one for domains if it's in a domain.):
Computer Configuration
Windows Settings
Security Settings
Local Policies
Accounts: Limit local account use of blank passwords to console logon only

Resources