I am currently trying to access a network share from my machine programaticaly using vc++ 6.0. I am using WNetAddConnection2 to connect to a share using my credentials.
I am facing the following problem:
Consider the case when there are 2 users trying to access the same remote share from same machine one after the other. Now once a user logins, the other user is not able to login into the share using his credentials until the 1st user logouts.
Also if the 1st user logs onto the remote-machine's root share, then the other user is not able to access anyother share on that machine.
Please let me know if there is any workaround for the same.
Thanks in advance
The answer depends on if the 1st user still needs access. If they don't, then call WNetCancelConnection2(). If they do, Keith Brown in his "Programming Windows Security" book has a trick of calling LogonUser() to establish a new logon session, which creates a new SMB "port" to avoid the conflict. After impersonation, your thread will be able to connect using different credentials.
Related
Im a newb to AWS, so please go easy on me. We currently just spun up a custom Windows 10 instance in AWS. I was able to login via RDP successfully, but I'd like to create a new user within the instance so they can login with a different user account using RDP. Any thoughts would be much appreciated.
Okay, After your response to my first, I think I see what you are asking. Plase watch this video:
https://www.youtube.com/watch?v=rgk2w3dQGSo
Download the RDP. Save it. You can then Edit the .rdp and enter the user name and password you created in Windows.
You can create users in the User Management Console in Windows. Ensure they have the rights needed (Remote Desktop User, Administrator, etc).
Enjoy!
Once an Amazon EC2 Windows instance has been launched, it is just a normal Windows computer.
Therefore, you should use use the standard Admin tools to create the user on the Windows computer, with their own username and password.
It is also recommended that you change the random Administrator password after initial login, or (even better) connect the instance to Active Directory or whatever standard authentication system your company uses.
Technoob here. I just figured out why all of you are having trouble. You need to go to the security group the machine is a part of and open port 3389 to your public IP address (ipchicken.com works). Enjoy
If you are trying to connect from another computer then you have to change the inbound rules.
Go to the security groups of your instance. Go to the inbound rules. Add ipv4 and ipv6 as a new rule and apply it. Download the RDP File and try to connect again. It worked for me.
We are building a system on windows where we centrally (server) need to do fopen to either local files or remote smb resources. The idea is to authenticate in the case of remote resources before doing fopen (with unc paths).
We need to authenticate with the credentials the user (client application) supplied for this resource on that remote share. We don't want to copy any resources.
Using the Win Net Api this works smoothly since it stores the given credentials so that subsequent fopens in the same or in different processes succeed.
But there is a problem:
Many of you probably know the following message from windows when trying to connect to a smb share with different credentials then the ones used for a previous connection:
"Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again."
See http://support.microsoft.com/kb/938120 for the defined limitation and possible "work arounds".
Since we have a central server application running as a service ('Local System' account) we hit this limitation with having already two different users :).
Closing the previously established connection to allow for the 2nd one is not an option (ongoing processing).
On the one hand it's great that windows caches authentication information on the other hand it's too limited.
Modifying the hosts file for each user does not look very nice.
Using smb client libraries (like libsmb++, impacket) doesn't seem to be the solution since we need "over process" authentication.
Configuring a "master" smb share user is also not wanted.
Maybe passing windows user auth tokens around is a way?
This problem is of general nature (i.e. independent of language) and I'm convinced that there are people out there who solved it (in a more or less elegant way ;))
I hope my explanation is understandable.
Thanks in advance for any hint.
felix
I have problem with creating service that has access to files on network disk.
Service must have admin rights and it will be run by users that don't have admin privileges.
I send path as UNC
and file is seen by service but it return ACCES_DENIED errors when try to open or do anything on Network drive.
When I run my service as server , everything works fine.
I try to find answer but everywhere I can found only partial answers that do not help me at all.
========
I read that standard service logged as SYSTEM can't have access to network.
So i tried to log id as
NetworkService, LocalService
It didn't work. After run it as one of those user my service can't save files on c:
Some kind of admin account.But I didn't manage to success on that.
Actually logged user.
I don't know how to get password for current user.
Still this will not work for user without admin rights.
========
Please tell me what can I do?
There are plenty of Services that use somehow network resources. How do they do that?
You need to configure your service to run as a user which has sufficient rights. In this case you are looking for rights to network shares. Typically that's going to need a domain user with appropriate rights. Normally you'd ask your network manager to create a dedicated user account for the purpose.
You appear to be labouring under some false information as to how services work. You talk about running the service under the account of the logged on user. Remember that services run when there are no users logged on. And remember that there may be multiple logged users at any point in time.
For me, the port was getting blocked through firewall, I had to add a inbound rule and specify the port which i was using in my application. This way firewall did not blocked my port for outgoing connections.
References:
https://www.firehousesoftware.com/webhelp/FH/Content/FHEnterprise/FHEnterpriseInstallationGuide/24_StaticPort.htm
I'm writing a Windows device driver for a custom USB device, but am having trouble opening the device from my user program (using CreateFile) when the user program is run as a domain user. If I run as a local user, or as an administrator (or 'Run As' administrator) I can open the driver fine, but as a domain user GetLastError returns 5 (access denied).
I originally had this problem with local users too, and found I had to add the following SDDL entry to the .inf file, which solved the problem for local users:
HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;BU)
From this reference:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff563667(v=vs.85).aspx
When I discovered that domain users did not have access I thought that simply adding them to this SDDL entry would give them access, but it doesn't seem to work: I still get access denied. I've even tried extreme solutions such as giving all users (everyone (WD), unauthenticated users etc.) full access, but this doesn't work either, which makes me think the problem lies elsewhere; i.e. something else is denying domain users access which takes precedent over the permit in the SDDL entry in the driver inf.
So my question is, what am I missing that is required to give domain users (or all users) access to connect to the driver? Or are there any other solutions to this problem (such as connecting to the driver as a service and then accessing this service from the user program)?
HKR,,Security,,"D:P(A;;GA;;;WD)"
set everyone can access, try it!
I have a site i am working on that i would like to display only to a few others for now. Is there anything wrong with setting up windows user names and using windows auth to prompt the user before getting into the development site?
There are several ways, with varying degrees of security:
Don't put it on the internet - put it on a private network, and use a VPN to access it
Restrict access with HTTP authentication (as you suggest). The downside to this is it can interfere with the actual site, if you are using HTTP auth, or some other type of authentication as part of the application.
Restrict access based on remote IP. Just allow the IPs of users you want to be able to access it.
Use a custom hostname. Have it on a public IP, but don't publish the hostname. This means make an entry in your HOSTS file (or configure your own DNS server, if possible) so that "blah.mysite.com" goes to the site, but that is not available on the internet. Obviously you'd only make the site accessible when using that hostname (and not the IP).
That depends on what you mean by "best": for example, do you mean "easiest" or "most secure"?
The best way might be to have it on a private network, which you attach to via VPN.
I do this frequently. I use Hamachi to allow them to access my dev box so they can see whats going on. they have access to it when they want , and/or when I allow. When they are done I evict them from my Hamachi network and change the password.
Hamachi is a software VPN. Heres a link to Hamachi - AKA LogMeIn
Hamachi
They have a free version which works quite well.
Of course, there's nothing wrong with Windows auth. There are couple of (not too big) drawbacks, though:
your website auth scheme is different from the final product.
you are giving them more access to the box they really need.
you automatically reimaging the machine and redeploying the website is more complex, as you have to automate the windows account creation.
I would suggest two alternatives:
to do whatever auth you plan on doing in the final website and make sure all pager require auth
do a token cookie based auth - send them a link that sets a particular token in a cookie and in your website code add quick check for that token before you even go to the regular user auth
If you aren't married to IIS, and you need developers to be able to change the content, I would consider Apache + SSL + WebDav (aka Web Folders). This will allow you to offer a secure sandbox where developers can change and view the content without having user accounts on the server.
This setup requires some knowledge of Apache so it only makes sense if you are already using Apache or if you frequently need to provide outsiders access to your web server.
First useful link I found on the topic: http://pascal.thivent.name/2007/08/howto-setup-apache-224-webdav-under.html
Why don't you just set up an NTFS user and assign it to the website (and remove anonymous access)