I need to use nodejs to write file to a password protected shared folder on a remote machine running Windows server 2008 r2, how can I do impersonation things within nodejs like .net app does?
Thx in advance!!!
PS:
Sorry for the unclear description. The folder is set to shared across the internal network on the remote windows server system, the folder is set to "readonly" for the windows account explicitly created by the admin. The nodejs server is on the same internal network and need to access the remote shared folder, thus I think nodejs need to impersonate the windows account on the remote machine to read contents from the shared folder. My question is how to do the sorry for the unclear description. The folder is set to shared across the internal network on the remote windows server system, the folder is set to "readonly" for the windows account explicitly created by the admin. The nodejs server is on the same internal network and need to access the remote shared folder, thus I think nodejs need to impersonate the windows account on the remote machine to read contents from the shared folder. My question is how to do the impersonation stuff for nodejs?
Late to the party - but since there is no accepted answer...
You'll need to launch your node process using the account that has access to the network share. How this is done differs based on your setup. For example, if you're runnning node on a lLinux server trying to connect to the remote Windows server, then it's not going to be straightforward with node.
However; if you're running node on a Windows server, trying to connect to a remote share on another Windows server (which is what it sounds like your situation probably is). Again, you'll have to run your node script as a user with access to the remote share. If you need to do it from code, I'd suggest taking a look at my module node-windows. It doesn't provide remote share access specifically, but it will allow you to run command line code with a different account from within your node script.
Related
The problem statement:
Suppose there are 20 windows machines within a local network. One of the machines serves as the server and hosts the database. Now, the other 19 machines have the access to read from the server machine, but the server machine does not have username and password for any of the other 19 machines.
I have to update a desktop application installed on all the machine. There is a spring-boot application, hosted on the server machine which downloads the build. Now, as soon as I download the build I have to notify all the other 19 machines that build has been downloaded so that they can read and update themselves.
Solution 1: Install a windows service which will poll the server and check if updates are available.
Solution 2: Host a POST web API on the 19 machines and notify them by making a post call. I think installing IIS or Tomcat on every machine is not viable.
Is there any other optimal solution for notifying the client?
Note: We cannot take the RDP and neither have credentials but we can make use of already deployed windows application on the other 19 clients.
Solution 3: If your machines share the same domain, use msi install packages to update software all across domain by using Group Policy. It's common way.
Solution 4: Launch desktop application directly from server shared folder. It works good while server machine is always accessible and application is not too heavy for your LAN.
Here you need some care about writing new application files while it running on client computers. Good way is to keep a different folders for different versions and launch with shortcut pointing to latest one:
v1.3\app files here
v1.4\app files here
v1.4.6\app files here
v1.7\app files here
app.lnk → v1.7\app.exe
client machines launch the application with app.lnk.
Upd: if you update application when nobody works (see 1am…2am), you can omit all of this versioning stuff.
Solution 1: It work as well. You can use NSSM to easily launch your update script or exe-file as a Windows service.
I would use a windows service or a scheduled task (both could be the same application you provide, but with some arguments). It frequently checks if a new version is available (maybe only once a day).
If you only have a short time frame when the new version has to be installed on all machines you could also provide an installation date with the new version. (Maybe the check will be done through a REST api where the client sends the current installed version number and the server answers with an status code 200 and the body is either empty or provides an json object containing the new version number, the due date and the download url.)
Then the client can already download the new version and make it available on the machine, but it triggers the installation only when the due date is reached. This check of the due date can happen more often, cause all informations are already on the client machine and can be done locally.
I'm using WinRS to run an executable on a remote machine. That executable, in turn, needs to access a UNC network share. I'm on a Windows network with AD, and running everything as a domain admin account (not a local account) that is a machine admin of the servers in question, and has Full Control (folder and share) of the network share. But when I use WinRS to run a remote process, that remote process doesn't seem to have network access. The simplest example I could distill it down to is:
winrs -r:RedServer dir \\BlueServer\SomeSharedFolder
which gives the error
Access is denied.
Note that WinRS itself works on RedServer, because this runs fine:
winrs -r:RedServer dir C:
So, it sounds like a permissions issue, right? But to prove this account does have Full Control over the \\BlueServer\SomeSharedFolder share, I logged into RedServer with that same account and ran this at the command prompt there:
dir \\BlueServer\SomeSharedFolder
It ran fine, giving me the contents of that folder. It's only the combination of WinRS + UNC path that causes errors.
Is there something I need to configure differently, or is this a limitation/safeguard of Windows? I experienced a similar limitation with Sysinternals' PsExec.exe; I could access anything on the target machine, but nothing on the network. Incidentally, I found a somewhat-related SO question here: "Error when creating mapped drive using winrs", but no answers there.
What you describe is a double hop scenario which requires additional configuration on the client and server to support. A double hop scenario is remotely logging in to a Windows server and then accessing a remote network share:
client -> server -> file share
You can accomplish this via CredSSP or Kerberos delegation.
CredSSP authentication is intended for environments where Kerberos delegation cannot be used. Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share.
While I haven't tried these instructions, they seem like a reasonable place to start. Additionally this blog post by Travis Gan appears to be helpful.
I am trying to figure a way of connecting 2 web server's file systems together so they can access each others files natively. The servers are Windows 2012 and connected directly to the internet via public IPs. One server will be for storing large files, the other for the scripts and database (web server).
Essentially, I need a way to securely map a drive/folder between these servers so they show as folders e.g. the "d:\www\assets" folder is actually on the other sever (junction). As this link needs to be accessible to the SYSTEM (apache service) not a single user, a mapped drive is not ideal. Open, unsecured shares are also not a good idea.
Playing with junctions and links in the console doesn't show any method to provide a login/password to the remote system. The junction is created but inaccessible. If I map a drive, it is only for that user and not available to the SYSTEM account that Apache is using. If I run Apache as a user and map a drive as that user, it likely won't survive a reboot or work without being logged in on the console all the time.
Are there any native ways to hook these 2 servers together securely? I have full admin access on both servers and can create as many users as required, but they are not in a domain or potentially even on the same subnet.
You may be able to use to a directory symlink via cifs/windows share considering you have have access to the local disk on one of the servers and the your sharing the the folder you want to symlink
for example:
on server a:
1. navigate to server a's local disk: d:\www\
2. mklink /d assets \serverb\assets
option 2DFS (unconfirmed)
if you can create a dfs on server on one user windows boxes, i believe you set dfs target to point folder assestes to \serverb\assets
I want to develop some kind of automation system i can control some pcs in my network.Features i am looking to develop are as follows:
1)Ability to establish a connection with some remote systems and executing some commands on those
2)Ability to transfer files from main controller pc to those pcs
3)Ability to get status of other pc
I dont want to install some explicit server on each of the client machines , and want to use some in built protocol /services running on windows a my clinets are windows.
The only this available with my controller pc is Administator user name and passwd and clinet machine ips.
IBM TPM uses some port to do such things but am not usre which protocal /service it uses?
I have done a remote software installation using ibm tpm.I dont think it uses telnet or ssh.
Which inbuilt service/protocol i should use? (not telnet or ssh)
I need to design a tool that can install software on remote client machine.
Basically i need Deploy MSI, EXE, BAT etc. on various client machines without user interaction.
There are lots of tool on net that provide these features but i need to develop such type of utility.
Please suggest
you can setup remote desktop on the machines.
For Establishing command : you can setup remote desktop
For transferring files: You can map drives of other machines programmatically using the method WNetAddConnection2().
Its unmanaged code ...
This might help :
http://vbnet.mvps.org/index.html?code/network/wnetaddconnection2.htm
http://www.pinvoke.net/default.aspx/mpr/wnetaddconnection2.html
How can I configure Visual Studio remote debugging when:
My developer machine is a member of an AD domain, and my username is "DevelopersName".
The "remote" machine is on the same Ethernet segment, but is not part of the domain.
The "remote" machine must run software under "RemoteUserName".
Most documentation I can find suggests that you need have both machines in the same domain and with identical usernames. That's not possible here.
I could possibly add my username to "remote", but the software still needs to run under "RemoteUserName.
If it helps, I could add 2nd network card to my developer machine and directly connect the "remote" machine.
Using VS2008, but will be moving soon to VS2010.
Thank you.
Sorry, but I've just spent the last 10 hours trying to debug your exact problem. My findings are not good.
You need to get your accounts synced, especially if you are using your remote app to connect to other systems in your SOA environment, ie: Sharepoint, AD.
You can to some extent get remote debugging to work, if you create an account on your local machine with the same name as that of your remote machine (lets do it like this rather rather than working with the domain account).
You then need to make sure the remote service is running under this account, and its a member of the administrators group. And by this I mean hold down control, and right click run as - with the remote debugger, and select the user (not required if remote server is logged in as the required user).
Run the wizard it will open the required ports, use Authentication, because non authentication won't debug managed code. Breakpoints are never met, and there is nothing you can do about this.
On your local dev machine, log off your domain account, and log onto the local account with matching name as the account on server thats running the remote service.
Now you stand a change of remote debugging. If you can't do any of the above, sorry there is no workaround, its entirely dependent on the user account and having the right permissions.
If you don't want to create a local account, try starting our debugger via command prompt using the following command:
runas /user:[user#machinename] /netonly [debugger.exe]
E.g.:
runas /user:john#mypc123 /netonly devenv.exe
I assume it's managed debugging you're talking about (for native debugging there's a remote debugging solution with no authentication). In this case, I would suggest that you use a local user to launch the debugger on your machine. If this local user's name and password match "RemoteUserName"'s name and password, it should work.
(Note that this does not preclude you from using the AD account to log in to your workstation, you just need to set up another account and use runas to launch Visual Studio.)