Is it possible for a windows service/web application (c#) to write log entries where its running under a windows domain account that is NOT a local admin?
I have tried both of the following for a NON admin windows domain account:
Writing to the Application log (with a 'Test' source). but this gave me 'Access Denied' error.
Initially setup a new custom log called 'Test' that would have appeared under 'Applications and Service Logs' using a local admin windows user account.
I then tried to write logs to this using a non admin windows user account but still ended up getting 'Access denied' error.
I have seen suggestions where the registry needs to be modified but i really don't want to go down that route as it feels hacky and..well..just not right!
I can get both options above to work when i switch the windows user to a local admin, but i don't want this.
Any suggestions greatly appreciated..
(Apologies in advance if this is duplicate POST)
You need to grant access to the log. See Delegating access to the event logs
Open Registry Editor.
Navigate to the following registry path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
You will see that there are keys available for each event log. Select the event log for which you want to delegate access.
Add a new key with the name CustomSD to the event log you selected.
Add a new String value to the CustomSD key. The name of this string is not required, but it represents the access control list for the event log in the Security Descriptor Definition Language (SDDL) syntax. In this procedure this value will be referred to as SDDLACL.
As for the SDDL, see Security Descriptor String Format
So I have an application that is trying to use Command.ExecuteScalar, which works perfectly well on a connection with "root" credentials or with my own user credentials, but I have set up another user in workbench called "AgentsHighPriv" and with that it fails.
The connectionstring is the same except for the substitution with the alternative username and password. However this username and password connects in MySql Workbench, what am I overlooking here.
The specific error message is:
{"Authentication to host 'xxxx' for user 'AgentsHighPriv' using method 'mysql_native_password' failed with message: Access denied for user 'AgentsHighPriv'#'%' to database 'rbac'"}
Well it seems there is a difference between credentials that I had not grasped. The privileges had some differences; "schema privalges" were the same as for my own user privileges but, the New User did not require admin privileges of any kind, so I did not use the tab and set global privileges. However if on the administrative roles tab I actually select one of the global privalages, - it then authenticates. At least to say it did so when I tested with select, show view, alter, and drop
Yet I have these same privalages set on the Schema Privalages tab!
So this will make it work now but I dont understand the logic - if anybody could explain I would be happy to hear.
Thanks
I have window service which is running on the production server.The service hit the database server frequently for processing the record.Each day once it throw below error
Login failed for user ‘S-1-5-21-1482476501-1214440339-839522115-500'
Msg 18456, Level 14, State 1.
I wondering why it is showing long user name rather the sql username in the exception.The Server server version 2012.
That is a Windows SID as others have commented. I've had the same problem (trying to get an account name from a SID) and I have a little PoSH script that I use to do the translation:
param(
[string] $sid = (Read-Host "Enter a SID")
)
$objSID = New-Object System.Security.Principal.SecurityIdentifier ( $sid )
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount] )
$objUser.Value
According to Login failed for user , Msg 18456, Level 14, State 1 the specific State 1 is encountered when:
in connection string specify User as the NT account
So you have an application out there that uses/builds a connection string in which they specify their NT SID as a user name. If the app wishes to authenticate using integrated security it should use SSPI.
I had exactly the same issue and it was caused by contained databases. The fix in my case was to create a global user and assign that user to the database as db_owner instead of using the contained user account.
To create the global user, follow these steps:
Login to SQL Enterprise Manager
Expand the security node in the left hand tree
Right mouse click on "Logins" and select "New Login..."
Enter a Login name and a password
Click "User Mapping" in the left hand pane
Select your database in the right hand pane and then select the relevant role below. In my case I wanted the user to be a db_owner
Once you have created the new global login you will then need to update your application which is connecting to the database to use the new credentials.
This particular issue was acknowledged by Microsoft on 30/07/2013, see Login failure with connection pooling in contained DB after connection has added contained user. They state "We are working on the issue and the fix will be in the next or future service pack", to be fair I haven't applied any cumulative hotfix packages since SP1 so this may already be fixed.
I created a Windows Service which Access File from Remote Machine. but It gives error in Log file that File Does Not Exist.When i deployed it then and then only it gives error otherwise when i am debugging from Visual Studio 2005 then it is working fine.
I tried to change Properties of Service from Log On tab. gives Logon as: then choose this Account and Gives Name of Remote Machine and Password Still it is not working. Please Help me out.
Code:
if (File.Exists(FileName))
{
}
else
{
Log.append("File Not Exist Path=:" + FileName, 75);
}
Error:
File Not Exist Path=: \Computer-01\Trend Till_04Feb\Trend Till_04Feb\TREND\128.DBF
I assume you are using ServiceProcessInstaller and ServiceInstaller.
The most important property is Account within the ServiceProcessInstaller class. It specifies the Windows account under which the service runs (security context). The following options are available:
LocalService: Service presents the computer's credentials to remote servers.
LocalSystem: Service presents anonymous credentials to remote servers.
NetworkService: Service has limited local privileges and presents the computer's credentials to remote servers.
User: A local or network account is specified. You may specify the necessary username and password via properties, or you may type them during installation. The Service uses the security context of the specified user account.
Following three options are provided to specify how your service is started.
Manual :- The user starts the service.
Automatic :- The service starts automatically when the system starts.
Disabled :- The service is not available for use.
Go to Properties of ServiceInstaller object and set ServiceName and StartType to Automatic.
Go to Properties of ServiceProcessInstaller and set Account property to LocalService. This causes the service to run on local service account.
HTH
I receive an "Access Deined" COMException when I try to connect to a remote IIS 6 server from my C# application that is running under IIS 5.1.
Any ideas? I am experiencing all the same issues with the original questions.
Update - 4/1/09
I found this solution (http://www.codeproject.com/KB/cs/Start_Stop_IIS_Website.aspx) that consists of a window application connecting to an IIS server to start and stop web sites. I am able to run it on my workstation and connect to the IIS server.
Ugh....why can I run this stand alone application but not my ASP.NET application?
Original
I receive an "Access Denied" COMException when I try to connect to IIS from a remote machine using the DirectoryEntry.Exist method to check to see if the IIS server is valid.
string path = string.Format("IIS://{0}/W3SVC", server);
if(DirectoryEntry.Exist(path))
{
//do something is valid....
}
I am a member of an active directory group that has been added to the Administrators groups to the IIS server I am trying to connect to.
Has anyone experience this issue and know how to resolve it?
UPDATE:
#Kev - It is an ASP.NET application. Also, I can connect without an username and password to the remote server through IIS6 Manager.
#Chris - I am trying to connect to the remote server to display the number of virtual directorys and determine the .NET framework version of each directory. See this SO question.
#dautzenb - My ASP.NET application is running under IIS 5.1 trying to connect to an IIS 6 server. I can see fault audits in the security log for my local ASPNET account on the remote server. When I try to debug the application, I am running under my domain account and still get the Access is denied.
UPDATE 2:
#Kev - I was able to establish to create a DirectoryEntry object using the following overload:
public DirectoryEntry
(
string path,
string username,
string password
)
But, all of the properties contain a " threw an exception of type 'System.Runtime.InteropServices.COMException'" while I debug the app.
Also, the AuthenticationType property is set to Secure.
UPDATE 3:
The following two failure audit entries were in the remote IIS server's security event log every time I tried to establish a connection:
First event:
Event Category: Account Logon
Event ID: 680
Log attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: ASPNET
Source Workstation:
Error Code: 0xC0000234
Second event:
Event Category: Logon/Logoff
Event ID: 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: ASPNET
Domain: (MyDomain)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: (MyWorkstationId)
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.12.13.35
Source Port: 1708
Impersonation is set to true and the username and password are blank. It is using the ASPNET account on the remote IIS server.
If it is an identity problem, you could try setting your IIS 5.1 application to use Integrated Windows Authentication, and then add the following to you web.config on your IIS5.1 web site under system.web to enable impersonation.
<identity impersonate="true"/>
<authentication mode="Windows" />
Since this is an ASP.NET application, it runs in an Application Pool of IIS. This Application Pool runs using a specific user("Local System", "Network Service" or another user).
Does this user have enough rights to connect to a remote server ?
See MSDN for more info.
This looks like it may be a double-hop issue. If you are impersonating the current user of a website using NTLM, that impersonation is only valid on that server (your IIS 5.1 server in this case). If you try to connect to another server using the web site, you are actually going to have issues as it cannot pass the token to another server that was used during impersonation. The same is true if you are debugging your site through your machine, going to another box. Your local machine is authenticating you, but it cannot impersonate you to another server.
All of the solutions I have used in the past require you to hard code the app pool to use an account that has permissions, set the annony. account to a domain account with permissions on the other machine, or use a windows service running on the IIS 5.1 machine, under a domain account, to connect to the other server.
If you are using Kerberos, this wouldn't apply, but AD uses NTLM by default.
Where exactly are you trying to read too? Is it in under the same path as your application?
When I had this problem, I found that simply authenticating my self on a Windows file share solved the problem. From experience, I think that WMI/ADSI/COM doesn't have great support for not-already-authenticated users. I believe this issue occurs when you're not associated with a Windows domain.
If it is indeed a NTLM doublehop issue you could use the SETSPN utility to create service principal named instances for your target IIS servers.
Then you could go into Active Directory, and then allow the computer object (basically the NETWORK SERVICE or LOCAL SERVICE principals) to delegate its credentials to a correctly registered SPN.
Then you could hop-hop-hop all over the place! But, be warned! People can hurt themselves on sharp pointy things when you enable double-hop!
Good KB articles to read:
http://support.microsoft.com/kb/929650
I believe that DirectoryEntry.Exists silently ignores any credentials supplied and uses the creds of the authenticated user. This seems to match the behaviour you've described. For AD work, we never use it for this reason.
I'm sort of stumped at the moment as to why you can't get this working. There is a temporary work around you could try. When instantiating the DirectoryEntry object you could use one of the following constructor overloads:
public DirectoryEntry(
string path,
string username,
string password
)
Documented at: MSDN: DirectoryEntry Constructor (String, String, String)
...or...
public DirectoryEntry(
string path,
string username,
string password,
AuthenticationTypes authenticationType
)
Documented at: MSDN: DirectoryEntry Constructor (String, String, String, AuthenticationTypes)
As it happens I'm building a test AD environment on my virtual server box for a new project to do similar stuff. When I get it up and running I'll have a play around to see if I can reproduce the problem you're encountering. In the meantime let us know what happens if you try these constructor overloads referenced above.
Update (In answer to Michaels comment):
For reasons that evade me just now, we couldn't use DirectoryEntry.Exists() in a particular scenario, there is this snippet of code that gets called now and again in one of our apps:
public static bool MetabasePathExists(string metabasePath)
{
try
{
using(DirectoryEntry site = new DirectoryEntry(metabasePath))
{
if(site.Name != String.Empty)
{
return true;
}
return false;
}
}
catch(COMException ex)
{
if(ex.Message.StartsWith("The system cannot find the path specified"))
{
return false;
}
LogError(ex, String.Format("metabasePath={0}", metabasePath));
throw;
}
catch(Exception ex)
{
LogError(ex, String.Format("metabasePath={0}", metabasePath));
throw;
}
}
You could replace the constructor with one of the ones from above. Admittedly it's a stab in the dark :).