Re: Azman: AzAuthorizationStoreClass.Initialize


Interesting... Get filemon and see which files it is accessing.

--
Dmitri Gavrilov
SDE, DS Admin eXperience

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:832C05A3-9C80-4DFB-97EA-5C0B77C87BC5@xxxxxxxxxxxxxxxx
> on the C drive of the XP box, I gave the service account
> access full control on all files on the XP box. Now the access
> denied error message is gone.
>
> And now i am getting the
> "parameter is incorrect" on the Initialize of AzAuthorizationStoreClass.
>
> I can try the auditing to see if anything turns up.
>
> I was hoping there would be some documentation on the
> permissions that need to be granted but I haven't seen any.
>
> I posted a message in the DotNet security newsgroup
> but no reply. Any other ideas?
>
>
>
> "Lee Flight" wrote:
>
>> Hi
>>
>> you might try enabling Audit Privilege Use in the security policy on the
>> box and see what is used on a successful call or what fails on an
>> unsuccessful. That might help you spot if it is a rights issue; I offer this
>> as a straw in the wind as I know AzMan can tie in to the windows
>> audit system which is a privileged activity but I may be way off-beam
>> here.
>>
>> Lee Flight
>>
>> "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:0E4D0598-5BE3-4BC7-AF91-DA474320B6C5@xxxxxxxxxxxxxxxx
>> > The ADAM is running on a WinServer2003 SP1 box running under
>> > the Network Service Account.
>> > The web application is running on an XP box SP2 (our dev box) and accesses
>> > the ADAM on the WinServer 2003 box.
>> >
>> > I had a service account created and we are doing an impersonation
>> > in our web application to make the API calls to
>> > Microsoft.Interop.Security.AzRoles.dll.
>> > We get an access denied message in the call to "Initialize" method of
>> > AzAuthorizationStoreClass.
>> >
>> > Note that if the service account is added to the Administrators group
>> > of the XP box then the call to the Initialize method succeeds.
>> >
>> > I added the service account to the readers role and the administrator
>> > role in ADAM and through azman.
>> >
>> > Mike
>> >
>> >
>> >
>> > "Dmitri Gavrilov [MSFT]" wrote:
>> >
>> >> What is the account that is used to run azman? Does ADAM live on the
>> >> same machine or different machine?
>> >>
>> >> --
>> >> Dmitri Gavrilov
>> >> SDE, DS Admin eXperience
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >> Use of included script samples are subject to the terms specified at
>> >> http://www.microsoft.com/info/cpyright.htm
>> >>
>> >> "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:11A07BF7-2D74-4171-AC17-2A2EBE10697B@xxxxxxxxxxxxxxxx
>> >> > the impersonation is working without problems.
>> >> > The service account we are using to do impersonation
>> >> > is in the Administrator role in ADAM.
>> >> >
>> >> > I added the service account to the reader role in ADAM.
>> >> > Made no difference, same error: Access Denied on Initialize.
>> >> >
>> >> > Running XP SP2 and Server 2003 SP1.
>> >> > Posted this in the DotNetSecurity newsgroup
>> >> >
>> >> > "Dustin" wrote:
>> >> >
>> >> >> mwr,
>> >> >> Make sure of a couple things..
>> >> >>
>> >> >> make sure to have <identity impersonate='true' />
>> >> >> and MOST IMPORTANTLY !!!
>> >> >>
>> >> >> <deny users="?" />
>> >> >>
>> >> >> Since you're using AzMan, it's recommended that you also use a Network
>> >> >> Service account that your application impersonates as.
>> >> >>
>> >> >> Another thing you can try,
>> >> >>
>> >> >> Make sure in your Roles under AzMan the account you're impersonating
>> >> >> as is in the Readers Role and the Administrators Role.
>> >> >>
>> >> >>
>> >> >> "mwr" wrote:
>> >> >>
>> >> >> > I thought you might say that, but wasn't sure what newsgroup to try.
>> >> >> > It's basically the permissions that the
>> >> >> > Microsoft.Interop.Security.AzRoles.dll
>> >> >> > needs to Initialize the application store in ADAM
>> >> >> >
>> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
>> >> >> >
>> >> >> > > You might want to try one of the programming oriented newsgroups
>> >> >> > > like ms.public.dotnet.security, ms.pub.dotnet.framework.aspnet.security
>> >> >> > > or ms.pub.platformsdk.security.
>> >> >> > >
>> >> >> > > Joe K.
>> >> >> > >
>> >> >> > > "mwr" <mwr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> > > news:447FAFBF-BFC5-439C-BE82-7AF94259846B@xxxxxxxxxxxxxxxx
>> >> >> > > > I am calling AzAuthorizationStoreClass.Initialize
>> >> >> > > > and I am getting an access denied. My app is an
>> >> >> > > > ASP.NET app and I am doing impersonation. The 'Initialize'
>> >> >> > > > method works if I add the user account doing the impersonation
>> >> >> > > > to the administrator group on the local machine
>> >> >> > > > but fails otherwise.
>> >> >> > > >
>> >> >> > > > I don't want to have to make the account doing the
>> >> >> > > > impersonation an admin of the box. What permissions
>> >> >> > > > do I need to set in order for the method call to succeed
>> >> >> > > > without being an admin of the box?
>> >> >> > > >
>> >> >> > > >
>> >> >> > >
>> >> >> > >
>> >> >> > >
>> >>
>> >>
>> >>
>>
>>
>>


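As an added example (not code from the thread or from Microsoft), a small C# console probe that calls AzAuthorizationStoreClass.Initialize against an ADAM store and maps the two COM errors discussed above ("access denied" and "parameter is incorrect") to their HRESULTs, so a least-privilege test run under the service account can tell a rights problem from a bad store URL or flag. The host and DN in the msldap URL are placeholders, not values from the thread.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;

// Added example: run this under the (non-admin) service account to see whether
// it can open the store before changing file ACLs or local group membership.
class AzStoreProbe
{
    // HRESULTs behind the two messages seen in the thread.
    const int E_ACCESSDENIED = unchecked((int)0x80070005);            // "Access is denied"
    const int HRESULT_INVALID_PARAMETER = unchecked((int)0x80070057); // "The parameter is incorrect"

    static int Main(string[] args)
    {
        // Placeholder ADAM store URL; host and DN are assumptions, not from the thread.
        string storeUrl = args.Length > 0
            ? args[0]
            : "msldap://adam-host.example.local:389/CN=AzStore,OU=Apps,O=Example";

        Console.WriteLine("Probing {0} as {1}", storeUrl, WindowsIdentity.GetCurrent().Name);
        var store = new AzAuthorizationStoreClass();
        try
        {
            // Flags = 0 is the plain runtime open, the same call the ASP.NET app makes.
            store.Initialize(0, storeUrl, null);
            Console.WriteLine("Initialize OK; applications readable by this account:");
            foreach (IAzApplication app in store.Applications)
                Console.WriteLine("  " + app.Name);
            return 0;
        }
        catch (COMException ex)
        {
            switch (ex.ErrorCode)
            {
                case E_ACCESSDENIED:
                    Console.WriteLine("Access denied (0x{0:X8}): this identity cannot read the store; " +
                        "check its AzMan Readers role membership and the ADAM bind identity.", ex.ErrorCode);
                    break;
                case HRESULT_INVALID_PARAMETER:
                    Console.WriteLine("Parameter is incorrect (0x{0:X8}): check the URL scheme " +
                        "(msldap:// for ADAM, msxml:// for a file) and the flags value.", ex.ErrorCode);
                    break;
                default:
                    Console.WriteLine("COM error 0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
                    break;
            }
            return 1;
        }
    }
}
```

Run it once as the service account and once as a local administrator; a result that differs only between those two runs points at a rights issue rather than at the URL.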