Allowing non domain user to query Active Directory - windows

Our developers have recently built a new internal 'image viewer' application for our staff to use. The image viewer runs as a website and uses Active Directory to authenticate the user and control what type of images that user is allowed to view.
I have this set up and working fine by running the website as an impersonated domain user. The problem I now face is that all the images are held on a non-domain share. How can I access this share using the domain user? The share is on a Novell NetWare 6.5 server.
Alternatively I can run the website as a non-domain user and connect to the Netware server to retrieve the images, but then I am unable to query Active Directory.
Can I allow a non-domain user access to query AD? I don't wish to allow anonymous queries on my domain controllers.

No, a non-domain user cannot query Active Directory unless you configure your domain to allow anonymous queries.
Depending on how everything is set up in the web application, you may be able to insert some code to switch security contexts and impersonate a domain user at the point where the query happens.

Related

Create a Windows user for an IIS site and nothing else

I'd like to add basic authentication to a website in IIS, https only. For this I need to create a Windows user. It is important that this user can access nothing other than this website. So I need to add him to "Deny log on locally" & "Deny log on through Remote Desktop Services" in Local Computer Policy.
However I cannot add him to "Deny access to this computer from the network" or he can't access the website. Microsoft says about this permission:
Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources.
Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
What can I do to create a user that I can be 100% sure can only access this website and absolutely nothing else?
To address your concern about the "Deny access to this computer from the network" policy, that shouldn't prohibit the account from being used to authenticate with the website since "access from the network" doesn't include the HTTP/S protocol and WWW service. Therefore, you can add the basic auth user account to the "deny access" policy as desired.
Sources...
https://www.itprotoday.com/compute-engines/understanding-access-computer-network-user-right
"Despite the broad-sounding name, the 'Access this computer from the network' user right applies only to the Server service and the resources it provides. The Server service primarily provides remote access to files and printers but also provides remote access to the resources you see in the Microsoft Management Console (MMC) Computer Management snap-in, including event logs, shared folders, local users and groups, logical disk management, and applications that use named pipes. However the Access this computer from the network user right has no effect on services such as World Wide Web Publishing, Telnet, and Terminal Services. To control access to these services, you must implement security settings specific to each service as necessary."
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network
"The Access this computer from the network policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+)."
Hope this helps.
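The procedure in this answer, as an added PowerShell example that is not from the answer's author: create the local account, put it in the deny-logon policies via secedit (there is no cmdlet for user rights), grant it read-only access to the site folder, and scope basic auth plus TLS to the one site. The site name 'ImageViewer', its path and the account name 'svc-imageviewer' are assumptions.

```powershell
# Added example, not from the original answer. Hypothetical names: site 'ImageViewer' at
# C:\inetpub\ImageViewer, local account 'svc-imageviewer'. Run in an elevated Windows
# PowerShell on the web server with the IIS Basic Authentication role service installed.
Import-Module WebAdministration
$User = 'svc-imageviewer'; $Site = 'ImageViewer'; $SiteRoot = 'C:\inetpub\ImageViewer'
$Pwd = Read-Host -AsSecureString -Prompt "Password for $User"

# 1. Plain local account; New-LocalUser adds it to no group, so it is not even in Users.
New-LocalUser -Name $User -Password $Pwd -PasswordNeverExpires -UserMayNotChangePassword `
    -Description 'HTTPS basic auth for the ImageViewer site only' | Out-Null
$Sid = '*' + (Get-LocalUser -Name $User).SID.Value      # secedit writes SIDs as *S-1-...

# 2. User rights: deny every logon type. Edit secedit's own export and import it back.
$Rights = @(
    'SeDenyInteractiveLogonRight'          # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'    # Deny log on through Remote Desktop Services
    'SeDenyNetworkLogonRight'              # Deny access to this computer from the network
    'SeDenyBatchLogonRight'
    'SeDenyServiceLogonRight'
)
$Cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Lines = [System.Collections.Generic.List[string]](Get-Content -Path $Cfg)
foreach ($Right in $Rights) {
    $i = $Lines.FindIndex({ param($l) $l -like "$Right *" })
    if ($i -lt 0) { $Lines.Insert($Lines.IndexOf('[Privilege Rights]') + 1, "$Right = $Sid") }
    elseif (-not $Lines[$i].Contains($Sid)) { $Lines[$i] += ",$Sid" }
}
Set-Content -Path $Cfg -Value $Lines -Encoding Unicode   # secedit expects UTF-16
secedit /configure /db (Join-Path $env:TEMP 'userrights.sdb') /cfg $Cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $Cfg

# 3. Filesystem: read/execute on the site folder; nothing else is granted anywhere.
icacls $SiteRoot /grant "${User}:(OI)(CI)RX" | Out-Null

# 4. IIS, scoped to this site only: TLS required, basic auth on, anonymous off.
$AppHost = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
Set-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false

# 5. Check: the account must still get a 200 with the right password. The answer above says the
#    network-logon deny does not affect basic auth; if this returns 401 instead, that deny in
#    step 2 is the first thing to revisit (IIS basic auth logs the user on with logonMethod ClearText).
Invoke-WebRequest -Uri "https://$env:COMPUTERNAME/" -UseBasicParsing `
    -Credential ([pscredential]::new($User, $Pwd)) | Select-Object -ExpandProperty StatusCode
```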
Maybe you should use another account type. The user account type should only be used for real humans (and for buggy applications).
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts
https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

Anonymous LDAP query - Windows Server 2012

So I have Windows Server 2012 running on my virtual machine. I want to have the possibility to make anonymous queries against LDAP. For example, if I'm using software like Softerra LDAP Browser I need to run this program as a domain user to be able to browse AD groups/users etc. But my point is that I want to be able to do it also as a non-domain user (anonymous), or at least using domain user credentials from a machine that is not part of the domain.
I was looking for this option in user/group policies, I've granted my user all the privileges I found, but always with the same result: I was unable to browse LDAP.
So my question is: what has to be set/changed to be able to make anonymous queries against Windows Server LDAP?
I don't know about anonymous queries, but you said that you would also be happy using a domain user from a non-domain machine.
That should work fine. Create a domain user with sufficient privileges to see what you want.
Install a certificate on your LDAP server (or use Kerberos, but that's more annoying on the non-domain machine).
Then do LDAP authentication using the username and password of that domain user.
It works well.
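The point shared by this answer and by the first answer on the page (switch to a domain user's credentials at the point where the query happens) is that the process itself need not be a domain account: the LDAP bind carries the domain user's credentials. Added PowerShell example, not from either answer's author, that queries a user's AD groups (nested ones included) from a non-domain context over LDAPS, so the simple bind's password is encrypted in transit. The DC name dc01.corp.example, the base DN and the CORP\svc-ldapread bind account are assumptions.

```powershell
# Added example, not from the original posts. Hypothetical names: DC dc01.corp.example,
# base DN DC=corp,DC=example, low-privilege bind account CORP\svc-ldapread.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Escape a value that is embedded in an LDAP search filter (RFC 4515), so caller input
# cannot change the filter's structure.
function ConvertTo-LdapFilterValue([string] $Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

function Get-AdUserGroups {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [pscredential] $BindCredential,   # e.g. CORP\svc-ldapread
        [string] $Server = 'dc01.corp.example',
        [string] $BaseDn = 'DC=corp,DC=example'
    )
    $ns = 'System.DirectoryServices.Protocols'
    $id = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, 636, $true, $false
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636; the DC's certificate must be trusted
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = 'Basic'                         # simple bind with explicit domain credentials
    $conn.Credential = $BindCredential.GetNetworkCredential()
    $conn.Bind()                                     # throws LdapException on bad credentials
    try {
        # 1. Resolve the user's DN.
        $userFilter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
        $req = New-Object "$ns.SearchRequest" -ArgumentList $BaseDn, $userFilter, 'Subtree', ([string[]]'distinguishedName')
        $entries = $conn.SendRequest($req).Entries
        if ($entries.Count -ne 1) { throw "User '$SamAccountName' not found or ambiguous" }
        $userDn = $entries[0].Attributes['distinguishedName'].GetValues([string])[0]

        # 2. LDAP_MATCHING_RULE_IN_CHAIN expands nested membership on the server, so groups the
        #    user belongs to only through another group are returned too (memberOf alone is not).
        $groupFilter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn))"
        $req = New-Object "$ns.SearchRequest" -ArgumentList $BaseDn, $groupFilter, 'Subtree', ([string[]]'sAMAccountName')
        foreach ($g in $conn.SendRequest($req).Entries) { $g.Attributes['sAMAccountName'].GetValues([string])[0] }
    } finally { $conn.Dispose() }
}

# Usage: the calling process can be any local account; only the bind needs the domain user.
# Get-AdUserGroups -SamAccountName 'jsmith' -BindCredential (Get-Credential 'CORP\svc-ldapread')
```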

Google drive sdk, domain-wide delegation with server-application with multiple domain users

Using a server application with C#, how is it supposed to work when accessing users in the same domain if the authentication is only possible using:
OAuth2Authenticator interface?
I'm able to access the admin of the domain's Drive, but I'm missing the 3 legged OAuth in 2.0.
Looking at this description found at this link: https://developers.google.com/drive/delegation
Since this is not executed as a Service, and is not using Google Apps and cannot then
access: https://www.google.com/a/cpanel/mydomain
Also the IP of the machine running the server application is not known.
Currently I'm using: "Client ID for installed applications", and it works. But what I need is to also store files in other users in the same domain.
Another solution that works temporarily is to first store them at the admin domain account and then move them to the user domain account. But this removes the possibility to direct it to a parent/folder at the end user's drive. It will always be stored in root for that end user.
Basically what I want is following:
A Server application is running on a local machine (admin domain account can be used)
The application uploads files to different users that are in the same domain, but with their own email address and also then have their own Drive.
Yes, you can do that through 2-legged OAuth, which can provide domain-wide authorization.
Here are some links for your reference:
https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth
http://support.google.com/a/bin/answer.py?hl=en&answer=2538798

Single Sign-On between 2 different platforms but on the same domain

I'm in the process of rearranging our web-based systems, so that users will be able to log on to our systems through a SharePoint front-end. Our single sign-on server is an Oracle SSO server that authenticates against the same domain as the SharePoint server does, but these two are currently 2 separate logins.
What I'm looking for is to configure this scenario:
A user logs in to the SharePoint site, authenticating against Active Directory through the TMG. This gives the user access to the SharePoint site, and this is all standard OOTB functionality. Then the user should be able to navigate into our other systems without a re-login (because the SSO is configured for external authentication with the same AD, and therefore uses the same userbase).
So basically the users currently have to login twice with the same domain\user + password. I would like the SSO server to be able to read the cookie that was established in the first login, and use that instead of presenting the SSO login screen all over again.
Is it possible to share such a cookie between 2 different platforms on the same domain?
I have implemented a Kerberos "Zero-sign-on" approach for the Oracle SSO server, but this only works as long as the user comes from a computer inside our domain. When the user logs on from the outside world (www) he will be prompted to login to SharePoint first, and then to the Oracle SSO.
I basically need the Oracle SSO Cookie to somehow read the SharePoint Cookie that was established. Does this make sense?

Authenticating user against Windows cache when Active Directory is not available

My application needs to authenticate a user against Active Directory and determine the list of groups the user is a member of. I've developed a VB6 app to do this and it works fine.
The customer has come back and said they need the app to authenticate users even if Active Directory is not available (machine off network), similar to how Windows will still allow a user to log on to a system if a machine is off the network, if they've logged onto the machine previously.
How do I go about accessing the cached user information in VB6? I'm currently using ADI and LDAP.
