Using a server application with C#, how is it supposed to work when accessing users in the same domain if the authentication is only possible using:
OAuth2Authenticator interface?
I'm able to access the admin of the domain's Drive, but I'm missing the 3 legged OAuth in 2.0.
Looking at this description found at this link: https://developers.google.com/drive/delegation
Since this is not executed as a Service, and is not using Google Apps and cannot then
access: https://www.google.com/a/cpanel/mydomain
Also the IP is not known from where the machine running the server-application.
Currently I'm using: "Client ID for installed applications", and it works. But what I need is to also store files in other users in the same domain.
A other solution that works temporarily is to first store them at the admin domain account and then move them to the user domain account. But this removes the possibility to direct it to a parent/folder at the end user's drive. It will always be stored in root for that end user.
Basically what I want is following:
A Server application is running on a local machine (admin domain account can be used)
The application upload files to different users that are in the same domain, but with their own email address and also then have their own Drive.
Yes, you can do that through 2 legged oauth, which can provide domain-wide authorization.
Here are some links for your reference:
https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth
http://support.google.com/a/bin/answer.py?hl=en&answer=2538798
Related
I am trying to create a shared drive using below google api and the drives.create method.
https://www.googleapis.com/drive/v3/drives
But its giving me error as
"message": "The user does not have sufficient permissions for this file."
How can i achieve this ?
I suspect the most likely scenario is that you are using a service account to authorize your code, but you are not impersonating a Google Workspace user with domain-wide delegation.
Service accounts are basically consumer Drive accounts. They can use Drive, but they live in a space outside from your Google Workspace tenant. Only a licensed Google Workspace user can create a shared drive; service accounts can't. As a general rule, it is usually not a great idea to create Drive content as a service account.
See information about domain-wide delegation and a few code samples here: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
I want to connect to a network share path '\domainname\folder-name' using domain account, without passing credentials, through my VB6 code.
My legacy VB6 application service (running on server A) currently accesses shared folder (on server B) using local account credentials(stored in encrypted .ini file). This service is running on behalf of 'LocalSystem'.
application is using 'WNetUseConnection' API to connect to shared folder.
To ensure security local account needs to be replaced by 'domain account' and password policy should be CyberArk dynamic password.
Now this credentials can't be stored in .ini file anymore. The idea that I am working on is to get service running on behalf of 'domain account' rather 'LocalSystem'. My thought is if i make service run on behalf of 'domain account, and give relevant permissions to this account on shared folder. Shared path should be accessible to service without providing credentials.
I need help to understand which API shall I use.
The API(s) you'll need for this is WNetAddConnection.
See this example.
I'd like to add basic authentication to a website in IIS, https only. For this I need to create a Windows user. It is important that this user can access nothing other than this website. So I need to add him to Deny log on locally & Deny log on through Remote Desktop Services in Local Computer Policy.
However I cannot add him to Deny access to this computer from the network or he can't access the website. Microsoft says about this permission:
Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources.
Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
What can I do to create a user that I can be 100% sure can only access this website and absolutely nothing else?
To address your concern about the "Deny access to this computer from the network" policy, that shouldn't prohibit the account from be used to authenticate with the website since "access from the network" doesn't include the HTTP/S protocol and WWW service. Therefore, you can add the basic auth user account to the "deny access" policy as desired.
Sources...
https://www.itprotoday.com/compute-engines/understanding-access-computer-network-user-right
"Despite the broad-sounding name, the 'Access this computer from the network' user right applies only to the Server service and the resources it provides. The Server service primarily provides remote access to files and printers but also provides remote access to the resources you see in the Microsoft Management Console (MMC) Computer Management snap-in, including event logs, shared folders, local users and groups, logical disk management, and applications that use named pipes. However the Access this computer from the network user right has no effect on services such as World Wide Web Publishing, Telnet, and Terminal Services. To control access to these services, you must implement security settings specific to each service as necessary."
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network
"The Access this computer from the network policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+)."
Hope this helps.
Maybe you should use another account type. User account type should only be used for real humans (and for buggy applications).
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts
https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
We are trying to put an app on the marketplace which needs multiple client_ids
(The app is running on appengine standard with python 2.7)
a client_id for the service_account with domain wide authority
a client_id for the web application
a client_id from an apps-script library
All client_ids use different scopes. I have combined all scopes and entered them on the marketplace SDK configuration.
When i deploy the app on a test domain, only the serviceaccount seems to be authorized.
When the user then access the webapplication he is presented a grant screen which we want to avoid.
The documentation https://developers.google.com/apps-marketplace/preparing?hl=fr seems to imply that multiple client_id's are possible.
How should i configure the marketplace app so that multiple client_ids are authorized?
Is there something special i should do on the credentials configuration page of the api-manager?
Check how you implement the authorization using OAuth 2.0, Service accounts allow a Google Apps domain administrators to grant service accounts domain-wide authority to access user data on behalf of users in the domain. You can also read Server to Server Applications documentation.
Note: You can only use AppAssertionCredentials credential objects in applications that are running on Google App Engine or Google Compute Engine. If you need to run your application in other environments—for example, to test your application locally—you must detect this situation and use a different credential mechanism (see Other). You can use the application default credentials to simplify this process.
Hope this helps.
It turned out all three client_id's were being authorized after all.
the days that i was testing this, it took very long for the authorization to take effect.
At this time all scopes and clientid are authorized within a few minutes.
Our developers have recently built a new internal 'image viewer' application for our staff to use. The image viewer runs as a website and uses Active Directory to authenticate the user and control what type of images that user is allowed to view.
I have this setup and working fine by running the website as an impersonated domain user. The problem I now face is that all the images are held on a non-domain share. How can I access this share using the domain user? The share is on a Novell Netware 6.5 server.
Alternatively I can run the website as a non-domain user and connect to the Netware server to retrieve the images, but then I am unable to query Active Directory.
Can I allow a non-domain user access to query AD? I don't wish to allow anonymous queries on my domain controllers.
No, a non-domain user cannot query Active Directory unless you configure your domain to allow anonymous queries.
Depending on how everything is setup in the web application, you may be able to insert some code to switch security contexts and impersonate a domain user at the point where the query happens.