Remote Script Execution initiated by Nagios Access Denied

Hi, I am trying to create a PowerShell script (script 1) set up on our Support Server to execute a remote script on a remote server (script 2) to restart a service. Simple. The script works fine when I execute it manually but fails when I try to use Nagios to call the script using NRPE.
Script 1 contains (I have cut out all the Nagios-inspired stuff):
invoke-command -computer ws05 -command { & 'C:\Program Files\NSClient++\scripts\script2.ps1' }
SendEmail
Script 2 contains:
Stop-Service spooler
Nagios is successfully executing Script 1, as I get the confirmation email.
Nagios itself returns [ws05] Connecting to remote server failed with the following error message : Ac
I'm assuming it's a permission issue, but I can't see how it works when executed manually but not when executed via Nagios. My only thought is the fact that the original call is from Nagios, which is a Linux-based non-domain server.
Any thoughts appreciated.
Carl

Powershell is not supported on Unix.
¯\_(ツ)_/¯

Similar Messages

  • Remote script execution.

    Hello.
    I would like to know how to run a script on a remote Linux machine. Can I do this without caring where the local JVM is running?
    I haven't done this before, and have searched various places for a concise answer. I have not been successful. Will something like the following work: Runtime.exec("remote.machine\remote.script.sh");. I have also noticed that my searches seem to lead me to discussions of Java RMI, so in thinking RMI has something to say about what I'm doing, I have posted my question here.
    Background: I have a java application (a web service in fact) that needs to get information from a back-end system to do its job. It needs to invoke a script that's running on a remote host where the coveted business system resides.
    The Runtime.exec() method appears only to run processes on local machines. From the research I have done, the usual fudge here is to know the operating system of the local machine so you might be able to use its remote process execution facilities. However, I don't want to know anything about the local OS, because it could be different between development, testing, and production. I know that the remote OS is Linux.
    Is there any way I can get a process to run on a remote machine without having to know about the local machine's OS?
    Many thanks in reply,
    Owen.

    You need obviously the remote system to support this through some facility like remote shell (rsh) or secure shell (ssh). so it depends on how that remote Linux system is set up and what access (userid) you can get for it.
    Are you granted some access to that remote Linux machine?
    If yes, what kind of?

  • SOLVED: powershell script working on its own, access denied when called from a service

    Hi powershell experts,
    I'm using a PowerShell script, called by a service with service account PWSService, which gives an exception denied. This PowerShell script sets up a remote PowerShell connection (with a specific account), and runs some PowerShell scripts remotely on that server.
    When I launch the PowerShell script manually, by opening the PowerShell console myself (with "run as" PWSService), the remote session starts and I'm able to successfully run commands through it.
    The PWSService is local admin on the server.
    Is there any difference in behaviour when PowerShell scripts are started by a service or started as a "user"? Can someone shed a light on this?
    Thanks in advance,
    Robin
    MCTS, MCPD

    hi mjolinor,
    We use the following class for the service (Microsoft live@edu connector):
    http://msdn.microsoft.com/en-us/library/system.management.automation.runspaces.wsmanconnectioninfo%28v=vs.85%29.aspx
    I use Enter-PSSession to start the commands in the PowerShell console, which works.
    MCPD

  • Access denied listing with cfdirectory when remote

    Hello people, I'm working with cfdirectory to verify the contents of a local directory (this is for an intranet running on a Mac). It works OK when I test it in the local environment but it fails when I run the script from the remote server.
    I'm a bit lost here. Is there something I need to modify at the local server or the remote server? Is the local server not allowing access to the remote script, or does the remote server not want to access a local machine due to security issues?
    Thanks in advance.
    Dani

    Ian, thanks for your answer. This brings a problem...unless I can bypass it by calling a script on my local server, at least to perform cfdirectory operations...
    I'm trying to do the following:
    When a supplier approves a job, my client changes the status of that job to approved. When that happens, the application should be able to;
    1) List the files related to that job (cfdirectory)
    2) Zip those files (cfzip)
    3) Upload those files to the ftp (cfftp)
    But since the files are stored locally (huge graphic files), I'm stuck with the "access denied" situation.
    Anyway, thanks so much Ian for clarifying this to me.
    Dani Szwarc

  • I keep getting this error in Dreamweaver when I am trying to upload my website?  Can you tell me what I am doing wrong?  here is the error message: /html - error occurred - Unable to create remote folder /html.  Access denied.  The file may not exist, or

    I keep getting this error in Dreamweaver when I am trying to upload my website?  Can you tell me what I am doing wrong?  here is the error message: /html - error occurred - Unable to create remote folder /html.  Access denied.  The file may not exist, or there could be a permission problem.   Make sure you have proper authorization on the server and the server is properly configured.  File activity incomplete. 1 file(s) or folder(s) were not completed.  Files with errors: 1 /html

    Nobody can tell you anything without knowing exact site and server specs, but I would suspect that naming the folder "html" wasn't the brightest of ideas, since that's usually a default (invisible) folder name existing somewhere on the server and the user not having privileges to overwrite it.
    Mylenium

  • Execution of remote script in File Adapter OS Command

    Hello.
    I'm having issues with a remote script placed on a file adapter which fails to execute in a clustered PI (Version 7.1), running on Windows 2008.
    Our current setup is as follows.
    - Machine A and Machine B make up a SAP PI Cluster node.
    - Machine C is our network file share, used as a sandbox for receiving and sending files.
    One given scenario would be having the Cluster picking up a file from a FTP folder (Machine D) and copying it over to a given location in Machine C. This is working without problems in the cluster environment.
    Now, a very specific scenario requires that after copying the file (to folder INPUT), a given script shall be executed over the received file and decide which folder should that file be archived, TO_PROCESS or NO_PROCESS folders.
    So, Outbound Channel is reading from the FTP, Inbound Channel stores in Machine C and has to run a script after message processing.
    The problem here is that the script is stored also in Machine C, so placing the OS Command should refer to a shared path:
    Example:
    sap-machine-c.gca.ad.root\InboundFiles\INPUT
    sap-machine-c.gca.ad.root\InboundFiles\TO_PROCESS
    sap-machine-c.gca.ad.root\InboundFiles\NO_PROCESS
    sap-machine-c.gca.ad.root\Scripts\procFile.bat
    If I give the command of "
    sap-machine-c.gca.ad.root\Scripts\procFile.bat %F" on the receiver channel, checking RWB, Communication channel says the command was executed with success but the file doesn't leave the INPUT folder.
    The script is know to execute with success from both instances, I have logged into each one of them and executed with RFCUSER in SE38 w/transaction RSBDCOS0.
    I have tried to replicate this issue, reducing even the procFile.bat script to just do an "echo" command but still doesn't work (RWB PI says it does).
    It seems to me that executing scripts from remote shares is a no go? Does anyone have a previous experience dealing with these cases?
    Thanks,
    Romeu

    Hi all.
    After taking some hints from this thread, we have found out that the problem lied some where in the installation part of PI.
    We've set up a basic script, local and not remote, and still the system would not execute that command.
    The RWB logs showed successful processing but the Application Server logs were full of errors and stack traces regarding the execution of any command. A support note was raised with SAP support in order to trace these errors.
    I'm therefore closing this question as the original question is not related with remote scripting.
    Thanks all for your help.
    Best regards,
    Romeu

  • Access denied for Association form and Initiation Form in SharePoint 2013 Workflows VS2012

    Hi,
    We created one simple SharePoint 2013 approval workflow that has custom association and initiation forms. The workflow works when it is created by the site owner. But when a user with edit permissions tries to start a workflow or associate a new workflow, we get an Access Denied error message. I believe this permission is something to do with the workflow list wfsvc, where these association and initiation forms reside. What else could be missing here? How do I check permissions on the wfsvc list? Please help. The user also has create and edit permission on the workflow history and workflow task lists.
    Thank you

    If it works with Full Control permission then there is something on the site which is causing this issue.
    Try to collect an HTTPWatch or Fiddler trace to check more details.
    Also, you need to enable verbose logging to check details. If possible, paste the verbose logging in the comments.

  • Remote Powershell - Access Denied? Windows 8.1

    I want to be able to connect to my PC from anywhere around the world. Don't ask why. As such I have forwarded my private IP :192.168.... to my public IP (ports : 22,23, 3389,5975,5976). Of course my public IP changes constantly so I also have a DNS Updater with a name : nameofmyhost.somehing.com .
    I have been able to connect using Remote Desktop connection from my phone, tablet, other PCs, using that nameofmyhost.somehing.com.
    However this is a desktop connection. I want a command connection as well (PowerShell), no Telnet, and no SSH. I have configured WinRM, and tried PowerShell remoting using Enter-PSSession nameofmyhost.somehing.com. Problem is that it's always Access Denied.
    I want to be able to connect remotely via PowerShell to my PC at any time.
    Yes, I did quickconfig the WinRM, I did add to TrustedHosts, but I still can't connect. Someone please tell me if what I am trying is even possible, and if it is, please give me a COMPLETE TUTORIAL FOR DUMMIES on how to make it happen.
    Thanks

    You can verify the availability of WinRM and configure PowerShell for remoting by following these steps:
    1. Start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator.
    2. The WinRM service is configured for manual startup by default. You must change the startup type to Automatic and start the service on each computer you want to work with. At the PowerShell prompt, you can verify that the WinRM service is running using the following command:
    get-service winrm
    The value of the Status property in the output should be “Running”.
    3. To configure Windows PowerShell for remoting, type the following command:
    Enable-PSRemoting -force
    In many cases, you will be able to work with remote computers in other domains. However, if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type:
    winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
    Here, RemoteComputer should be the name of the remote computer, such as:
    winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}'
    When you are working with computers in workgroups or homegroups, you must either use HTTPS as the transport or add the remote machine to the TrustedHosts configuration settings. If you cannot connect to a remote host, verify that the service on the remote host is running and is accepting requests by running the following command on the remote host:
    winrm quickconfig
    This command analyzes and configures the WinRM service.
    To use Windows PowerShell remoting features, you must start Windows PowerShell as an administrator by right-clicking the Windows PowerShell shortcut and selecting Run As Administrator. When starting PowerShell from another program, such as the command prompt (cmd.exe), you must start that program as an administrator.
    From W. Stanek:  Windows PowerShell 2.0 Administrator’s Pocket Consultant
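
The client-side checks from the steps above, collected into one report. This is an added example, not code from the quoted book or from the thread; the function name `Test-RemotingClient` is hypothetical and `CorpServer56` is the sample host name used above. It goes one step beyond the quoted text by flagging a wildcard in TrustedHosts, because the client does not authenticate the hosts on that list.

```powershell
# Added example: run from an elevated PowerShell 3.0+ prompt on the connecting machine.
function Test-RemotingClient {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,  # e.g. CorpServer56
        [switch] $UseSSL                                        # probe the HTTPS listener instead of HTTP
    )

    $report = [ordered]@{ ComputerName = $ComputerName }

    # Step 2 above: the WinRM service must be running (and set to start automatically).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    $report.ServiceState     = $svc.State
    $report.ServiceStartMode = $svc.StartMode

    # TrustedHosts is a comma-separated list; the WSMan: drive is only readable
    # while the WinRM service is running, so a failure here is reported, not fatal.
    try {
        $raw     = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
        $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $report.TrustedHosts         = $entries -join ', '
        $report.TrustedHostsWildcard = [bool]($entries | Where-Object { $_ -match '\*' })
        $report.TargetIsTrustedHost  = [bool]($entries | Where-Object { $ComputerName -like $_ })
    } catch {
        $report.TrustedHosts = "unreadable: $($_.Exception.Message)"
    }

    # Test-WSMan sends an unauthenticated identify request, so it separates
    # "listener not reachable" from "reachable, but the logon is denied".
    try {
        $id = Test-WSMan -ComputerName $ComputerName -UseSSL:$UseSSL -ErrorAction Stop
        $report.ListenerReachable = $true
        $report.ProductVersion    = $id.ProductVersion
    } catch {
        $report.ListenerReachable = $false
        $report.ListenerError     = $_.Exception.Message
    }

    [pscustomobject]$report
}

# To add one host without overwriting the existing list (instead of '*'):
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'CorpServer56' -Concatenate -Force

Test-RemotingClient -ComputerName 'CorpServer56'
```

If `ListenerReachable` is true and the session still fails with Access Denied, the problem is the account or its rights on the remote side, not the transport.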

  • Get-WmiObject to remote computer fails with "rpc server is unavailable" and vice versa "Access denied"

    Hi
    Still learning PowerShell remoting.
    Can access with remoting 2 computers (XPProf/SP3, Workgroup) perfect. Powershell2.0 (running as Administrator).
    Using Firewall ZoneAlarm not Windows Firewall (stopped).
    But when using Get-WMIObject always run into "rpc server is unavailable" in one direction and "Access denied" in the other direction.
    Searched the forum but didn't find infos.
    Switched off Firewalls: Still the same.
    So I'm stuck.
    Any help is appreciated.
    Beat

    I found these recommendations, which helped me query the remote server.
    http://www.poweradmin.com/help/enablewmi.aspx
    Allow WMI through Windows firewall
    All users (including non-administrators) are able to query/read WMI data on the local computer.
    For reading WMI data on a remote server, a connection needs to be made from your management computer (where our monitoring software is installed) to the server that you're monitoring (the target server). If the target server is running Windows Firewall (aka Internet Connection Firewall) like what is shipped with Windows XP and Windows 2003, then you need to tell it to let remote WMI requests through. This can only be done at the command prompt. Run the following on the target computer if it is running a Windows firewall:
          netsh firewall set service RemoteAdmin enable
    As a second option, you can also modify the group policy and specify which IPs will have access to query WMI remotely.
    https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx
    Using Group Policy
    To enable or disable the Remote administration exception
    Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.
    Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.
    In the details pane, double-click Windows Firewall: Allow remote administration exception.
    In the Windows Firewall: Allow remote administration exception properties dialog box, on the Settings tab, click Enabled or Disabled.
    Regards

  • Get-VHD failing with access denied when querying remote VHDs on SMB 3.0 shares

    I'm out of ideas on this one. I'm attempting to do a Get-VHD to retrieve VHD info for some Guests that are using SMB 3.0 shares to remotely store their VHDs and I cannot remotely run the powershell command at all without getting  Error: 'General Access denied error' (0x80070005)'. Command running locally on the machine hosting the guest works fine.
    Here is the Hyper-V Setup - Host is Server 2012 datacenter, guests are 2012 or 2008 R2 boxes. Storage server is Server 2012, domain is 2008 R2 functionality level if it matters, powershell version 3.0
    Host1 --> Guest(1) --> {LAN}--> StorageServer --> Share --> VHD
    Make sense? pretty easy, normal setup. The Host has full access NTFS rights on the share and all files, including the VHDs. As does my AD account. All on the same domain. If I RDP into Host1 I can retrieve everything just fine. However, the following methods will not work to retrieve VHD info of any Guest running on their VHDs off the share (get-vhd works if Guests have their VHDs on locally attached storage).
    1.) Enter-PsSession Host1 and then attempt get-vhd
    2.) Invoke-Command
    3.) import module/hyper-v management tools on client then running get-vhd
    4.) Executing GetVirtualHardDiskInfo method in WMI (http://msdn.microsoft.com/en-us/library/cc136797%28VS.85%29.aspx) to retrieve the job which results in same error message.
    5.) Even attempting test-path $pathToVHD on the host will result in Access Denied error.
    If I check the storage server hosting the VHDs I see some normal access requests come across on my Domain account followed a few seconds later by a null sid/anonymous requests which of course are denied. I have no idea why on earth they are coming across as null SIDs/anonymous requests but this seems to be the root of the issue. Is it trying to regenerate my credentials or something to access the VHD and failing? If so, is there a way to fix it?

    Yeah I thought about that too and that isn't the problem in this particular case (also PSSession takes care of the RSAT/HyperV problem). If it was Scenario #1 wouldn't work and scenario #4 would.
    Again, this works fine:
    Scenario #1 (works)
    1.) Remote computer running PS 3.0 (win 7 desktop in this case) enter-pssession Host1
    2.)  Get-VHD $VHDOnLocalDirectAttachedStorage (Host1 is running guest)
    Scenario #2 (works)
    1.) RDP to Host1
    2.) Get-VHD $VHDOnSMBShare (host1 is running guest)
    Scenario #3 (breaks)
    1.) On remote computer enter-pssession Host1
    2.) Get-VHD $VHDOnSMBShare (host1 is running guest)
    Scenario #4 (breaks):
    1.) RDP to Host2 server 2012 running Hyper-v with RSAT installed
    2.) Get-VHD $VHDOnSMBShare -ComputerName RemoteHost
    Scenario #5 (works):
    1.) Enter-PSSession Host2
    2.) Get-VHD $VHDOnHost1LocalStorage -ComputerName Host1

  • Remote shutdown Access Denied (5)

    I have a computer that I want to shutdown remotely via command line (the shutdown -i), and if I have "password enable sharing" turned on I get access denied(5) but if that is turned off it works fine.
    How can I get this working again?
    I have read that I may need to create a user account with the same username and password of the account on this computer I wish to shutdown, but I have tried this and it does not work, plus having an extra account on either computer is kind of annoying. Isn't there a way I can do it without having the same user account on my two PCs? Maybe like just using the username and password of the remote computer directly without actually having that account created on my PC?

    I am using this solution on a home Workgroup network.  Solution works for shutdown.exe and psshutdown.exe   It works for Windows 8 and should work for Windows 7.
    The problem is access is denied when attempting a remote shutdown using the interactive mode or the following command:
    shutdown.exe /s /m \\COMPUTERNAME /t 00
    Result:
    COMPUTERNAME: Access is denied.(5)
    CHANGE THE FOLLOWING SETTINGS ON THE REMOTE COMPUTER:
    Control Panel, Network and Sharing Center, Change Advanced Sharing settings
       "Private" enable "Turn on File and Printer sharing"
    Add Registry Key
    RUN regedt32.exe
    Goto:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Right click and add new DWORD
    "LocalAccountTokenFilterPolicy"=dword:00000001
    When user name and password are not the same on both computers change the following on the remote computer:
    Change Local Security Policy
    RUN secpol.msc
    Local Security Policy, Security Settings, Local Policies, User Rights Assignment
    Add "Everyone" to "Force shutdown from a remote system"
    Texas
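
A way to see where the two settings changed in the post above are in effect, as an added example that is not part of the original post. `LocalAccountTokenFilterPolicy` set to 1 gives local administrator accounts a full, unfiltered token on every network logon (not only for `shutdown.exe`), and the user-rights change lets any account in the listed groups force a shutdown. The function name `Get-RemoteShutdownExposure` is hypothetical.

```powershell
# Added example: reports the registry value and the user right named in the post.
# Run elevated on the computer being checked (secedit needs administrator rights).
function Get-RemoteShutdownExposure {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Registry value from the post. Absent or 0 means remote UAC filtering is active.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
                               -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $result.LocalAccountTokenFilterPolicy = $value
    $result.RemoteUacFilteringDisabled    = ($value -eq 1)

    # "Force shutdown from a remote system" is SeRemoteShutdownPrivilege in the
    # exported security template; holders are listed as *SID or as account names.
    $cfg     = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    $holders = @()
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Select-String -Path $cfg -Pattern '^SeRemoteShutdownPrivilege\s*=' |
                Select-Object -First 1
        if ($line) {
            $holders = @(($line.Line -split '=', 2)[1] -split ',' |
                         ForEach-Object { $_.Trim().TrimStart('*') } |
                         Where-Object { $_ })
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    # Resolve SIDs to names for the report; keep the raw SID if it does not resolve.
    $names = foreach ($h in $holders) {
        if ($h -like 'S-1-*') {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($h)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $h }
        } else { $h }
    }
    $result.RemoteShutdownHolders    = @($names) -join ', '
    # S-1-1-0 is the well-known SID for Everyone.
    $result.EveryoneCanForceShutdown = ($holders -contains 'S-1-1-0') -or ($holders -contains 'Everyone')

    [pscustomobject]$result
}

Get-RemoteShutdownExposure
```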

  • Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)

    Can someone help me to download the below security patches, which I am not able to download from the MS web site?
    Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)

    Microsoft Releases KB3024777 Update to Fix Botched KB3004394 Patch
    http://news.softpedia.com/news/Microsoft-Releases-KB3024777-Update-to-Fix-Botched-KB3004394-Patch-46...
    Windows 7 Pro SP1 (64-bit), avast! V7 Free, MBAM Pro, Windows Firewall, EMET, OpenDNS Family Shield, IE9 & Firefox (both using WOT & KeyScrambler), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS, SAS (on-demand scanner), Secunia PSI.
    [I am experimenting with Sandboxie, and believe computer-users who sandbox are acting prudently.]

  • Office 2013 C2R - Access denied to installation source from workgroup PC (Error Code 5-4 and 17002)

    I have set up Office 2013 Home and Business on a network share using the Office Deployment Tool.
    Domain members can install Office 2013 with no problems using the command line
    \\Server\share\Office2013\setup.exe /configure \\Server\share\Office2013\configuration-home-and-biz.xml
    However, if the PC is not a member of the domain I get an Access Denied message, even though "everyone" has full control of the share and NTFS files and subfolders
    The full message is as follows,
    Access denied to installation source
    Sorry, we ran into a problem accessing a required file. Please check that the installation source has correct permissions, the try again.
    Go online for additional help
    Error Code: 5-4
    As soon as I join the PC to the domain the installation works but I would like to pre-install Office as part of an MDT Task Sequence before the PC joins the domain.
    Does anyone know how I can make this work?
    The Office setup log shows a different error code
    03/05/2014 16:23:24.834 SETUP (0xe38) 0xec0  Click-To-Run apx75 Monitorable TryLaunchClient::HandleStateAction: C2R Client returned failing error code 17002
    FYI: My config xml file contains the following
    <Configuration>
      <Add SourcePath="\\Server\share\Office2013\" OfficeClientEdition="32" >
        <Product ID="HomeBusinessRetail">
          <Language ID="en-us" />
        </Product>
      </Add>
      <Updates Enabled="TRUE" UpdatePath="\\Server\share\Office2013\" />
      <Display Level="Full" AcceptEULA="TRUE" />
      <!--  <Display Level="None" AcceptEULA="TRUE" />  -->
      <Logging Name="OfficeSetup-*.txt" Path="%temp%" />
      <Property Name="AUTOACTIVATE" Value="0" />
    </Configuration>
    Thom McKiernan (UK) @thommck | thommck.wordpress.com | MCSA | MCTS

    C2R editions of Office, during the installation routine, will initially commence execution in the security context of the logged in user, but partway through the installation routine the installation transitions into the security context of the local computer account. This means that unless the computer account also has network access permissions to the installation source folder/share, the installation routine will fail.
    http://technet.microsoft.com/en-us/library/jj219423(v=office.15).aspx#PrepareDeploy
    Important:
    The computer account for the computer on which you install Click-to-Run for Office 365 products must have read permission to the network share that contains the Office Deployment Tool, the customized Configuration.xml file, and the Click-to-Run for Office 365 product and language files. If you cannot give read permission to the computer account, you can copy the files down to the computer from the network share, and then run Setup from the computer. After the installation is complete, you can delete those files from the computer.
    To work around this, your installation script routine can copy the installation source files from the server folder/share to a local folder on the computer, then launch the setup routine from that local source.
    In your example scenario, the workgroup computer (because it is not a member of "DOMAIN\Authenticated Users") does not have access permissions to the server folder/share.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
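
The workaround described in the answer above (copy the source locally, then run setup from the local copy), as an added example that is not part of the original thread. The share path and file names are the ones from the question; the local folder `C:\OfficeSource`, the drive name and the function name `Install-OfficeFromLocalCopy` are assumptions.

```powershell
# Added example: stage the Click-to-Run source on the local disk so that the part of
# setup that runs as the local computer account never has to read the network share.
function Install-OfficeFromLocalCopy {
    param(
        [string] $Share       = '\\Server\share\Office2013',
        [string] $ConfigName  = 'configuration-home-and-biz.xml',
        [string] $LocalSource = 'C:\OfficeSource',                 # assumed staging folder
        [System.Management.Automation.PSCredential] $Credential,   # account with read access to the share
        [switch] $Cleanup                                          # delete the local copy afterwards
    )

    # A workgroup PC has no domain identity, so map the share with explicit credentials.
    $map = @{ Name = 'OfficeSrc'; PSProvider = 'FileSystem'; Root = $Share; ErrorAction = 'Stop' }
    if ($Credential) { $map.Credential = $Credential }
    New-PSDrive @map | Out-Null

    try {
        New-Item -ItemType Directory -Path $LocalSource -Force | Out-Null
        Copy-Item -Path 'OfficeSrc:\*' -Destination $LocalSource -Recurse -Force
    } finally {
        Remove-PSDrive -Name OfficeSrc -ErrorAction SilentlyContinue
    }

    # Point SourcePath at the local copy. UpdatePath is left on the share: it is only
    # used after installation, once the computer has joined the domain.
    $configPath = Join-Path $LocalSource $ConfigName
    [xml] $config = Get-Content -Path $configPath
    $config.SelectSingleNode('/Configuration/Add').SetAttribute('SourcePath', $LocalSource)
    $config.Save($configPath)

    $setup = Join-Path $LocalSource 'setup.exe'
    $proc  = Start-Process -FilePath $setup -ArgumentList ('/configure "{0}"' -f $configPath) -Wait -PassThru

    if ($Cleanup -and $proc.ExitCode -eq 0) {
        Remove-Item -Path $LocalSource -Recurse -Force
    }
    $proc.ExitCode   # 0 on success; the log named in the <Logging> element has the details
}

# In an MDT task sequence, supply the credential from the deployment share account:
#   Install-OfficeFromLocalCopy -Credential (Get-Credential) -Cleanup
```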

  • EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

    This is for information to help others
    KEYWORDS:
      - Sharing EFS encrypted files over a personal lan wlan wifi ap network
      - Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
      - transfer encryption keys / certificates
      - set trusted delegation for user + computer for EFS encrypted files via Kerberos
      - Windows Active Directory vs network file share
      - Setting up WinDAV server on Windows 7 Pro / Ultimate
    It has been a long painful road to discover this information.
    I hope sharing it helps you.
    Using EFS on Windows 7 pro / ultimate is easy and works great. See here and here
    So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
    HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network won't work (unless you follow below steps).
    Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
    Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
    Why such a EFS drama when a network is involved?
    Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
    When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using Kerberos so the process can impersonate a \\fileserver user and then use their certificate (on behalf of the clientpc's data request).
    This behaviour is confusing, as a \\clientpc can open or edit an existing EFS encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
    Solutions
    There are two main approaches to solve this:
         1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
              EFS operations occur on the computer storing the files.
              EFS files are decrypted then transmitted in plaintext to the client's computer
              This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
         2) SOLVE by setting up WebDAV (efs files accessed through web folders)
               EFS operations occur on the client's local computer
               EFS files remain encrypted during transmission to the client's local computer where it is decrypted
               This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
               BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
             READ BELOW as this does
    Create new encrypted file / folder on a network file share - via Active Directory
    It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
    Although this info is NOT for setting up EFS on an active directory domain [server], for those interested here is the gist:
    Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with EFS.
    NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP), which will encrypt transmitted data.
    Create new encrypted file / folder on a network file share - via WebDAV
    For home users it is possible to make it all work.
    Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
    Setting up a wifi AP (for those less technical):
       a) START ... CMD
       b) type (no quotes): "netsh  wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
       c) type (no quotes): "netsh  wlan start hostednetwork"
    Set up a WebDAV server on Windows 7 Pro / Ultimate
    -----ON THE FILESERVER------
       1  click START and type "Turn Windows Features On or Off" and open the link
           a) scroll down to "Internet Information Services" and expand it.
           b) put a tick in: "Web Management Tools" \ "IIS Management Console"
           c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
           d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
           e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
           f) click ok
           g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
    KB892211 here ONLY for XP + Server 2003 (made in 2005)
    KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
      2 Click START and type "Internet Information Services (IIS) Manager"
      3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Enable WebDAV"
      4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
           a) click on "Anonymous Authentication" and click "Disable"
           b) click on "Windows Authentication" and click "Enable"
          NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
            It can be fixed by changing registry key:
               [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
               BasicAuthLevel=2
           c) on the "Windows Authentication" click "Advanced Settings"
               set Extended Protection to "Required"
           NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
      5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Add Allow Rule"
           b) set this to "all users". This will control who can view the "Default Site" through a web browser
           NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used to log in on the clientpc.
           NB: Any user account specified here has to exist on the server. It has a bug in that usernames specified here are not validated on input.
      6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
           a) on the right side, under Actions, click "Enable"
    HOTFIX - double escaping
      7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
           a) on the right side, under Actions, click "Edit Feature Settings"
           b) tick the box "Allow double escaping"
         *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
         These folders will appear blank with no subdirectories, or these files will not be readable unless this is ticked
         This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build URLs via string-concat without proper encoding). But any bug would need to be in IIS basic file serving and this has been rigorously tested by microsoft, so very unlikely. It's safe to "Allow double escaping".
      8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
           a) set the Alias to something sensible eg "D_Drive", set the physical path
           b) it is essential you click "connect as" and set this to a local user (on fileserver),
           if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
                 NB: the user account selected here must have the required EFS certificates installed. See here and here
            NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
          This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
           The work around is on the \\fileserver create an NTFS symbolic link
              e.g. to share the entire contents of "D:\",
                    on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                    in cmd in this folder create an NTFS symbolic link to "D:\"
                    so in cmd type "cd c:\inetpub\wwwroot"
                    then in cmd type "mklink /D D_Drive D:\"
            NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
             NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart clientpc
      9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
           a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
           b) if some exist review existing allow or deny.
               Take care to not only review the "allow access to" settings
               but also review "permissions" (read/write/source)
           NB: this can be set here for all added virtual directories, or can be set under each virtual directory
      10 Open your firewall software and/or your router. Make an exception for port 80 and 443
           a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
                 choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
              NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes" below, specifically "Cant find server due to network location"
           b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
    HOTFIX - MAJOR ISSUE - fix KB959439
      11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
          a) On Windows 7 you need only change one tiny registry value:
               - click START, type "regedit", open link
               -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
               -on the EDIT menu click NEW, then click DWORD Value
               -Type "DisableEFSOnWebDav" to name it (no speech marks)
               -on the EDIT menu, click MODIFY, type 1, then click OK 
               -You MUST now restart this computer for the registry change to take effect.
          b) On Windows Server 2008 / Vista / XP you'll FIRST need to download Windows6.0-KB959439 here. Then do the above step.
             NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
      12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
                It should show the default "IIS7" image.
                If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
            c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                    e.g. http://localhost/D_drive
                If nothing is listed, check "Directory Browsing" is enabled
      13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                  eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                  It should show the default "IIS7" image. If not, check firewall and port blocking. 
                  Any issue ie if (12) works but (13) doesn't,  will indicate a possible firewall issue or router port blocking issue.
           c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                   eg if alias is "C_drive" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                   A directory listing of files should appear.
    --- ON EACH CLIENT ----
    HOTFIX - improve upload + download speeds
      14 Click START and type "Internet Options" and open the link
            a) click the "Connections" tab at the top
            b) click the "LAN Settings" button at the bottom right
            c) untick "Automatically detect settings"
    HOTFIX - remove 50mb file limit
      15 On Windows 7 you need only change one tiny registry value:
          a) click START, type "regedit", open link
          b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
           c) click on "FileSizeLimitInBytes"
           d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
    HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
     16 On each clientpc click START, type "Internet Options" and open it
             a) click on "Security" (top) and then "Custom level" (bottom)
             b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
             SUCH an easy fix. SUCH an annoying problem on a clientpc
       NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is considered a "web folder" by windows explorer.
    TEST SETUP
      17 On the client use the normal "map network drive"
                e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
                e.g. CMD: net use * "http://fileserver:80/C_drive"
             If it doesn't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the fileserver the elected impersonation user that the client is logging in with (clientpc "manage network passwords") has NTFS permissions.
      18 Test that EFS is now working over the network
           a) On a clientpc, map network drive to http://fileserver/
           b) navigate to a folder you know on the \\fileserver is encrypted with EFS
           c) create a new folder, create a new file.
               IF it throws an error, check carefully you mapped to the WebDAV and not file share
                  i.e. mapped to "http://fileserver" not "\\fileserver"
               Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
           d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobbledygook
           e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobbledygook (ie the clientpc decrypted it then copied it).
            If this fails, it is likely that in the IIS settings on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
            If this is not readable check step (11) and that you restarted the \\fileserver computer.
      19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
          a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
                If a prompt for user+pass then check hotfix (16)
      20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
          a) see the last comment at the very bottom of this page:
    Points to consider:
       - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't either.
      - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
    MORE INFO: HOTFIX: RAW DATA TRANSFERS
    More info on step (11) above.
    Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
    Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
    Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
    Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc.
    There is a fix:
          It is implemented above, see (11) above
          Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
    Other problems + fixes
      PROBLEM: Can't find server due to network location.
         This one took me a long time to track down to "network location".
         Win 7 uses network locations "Home" / "Work" / "Public".
         If no gateway is specified in the IP address, the network is set to "unidentified" and so receives "Public" settings.
         This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
         FIX = either set IP address manually and specify a gateway
         FIX = or force "unidentified" network locations to assume "home" or "work" settings - read here or here
         FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows login to gain file access.
      PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
           By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
          Read here (I've posted a batch script to automatically make the required reg files)
    I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.
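
The client-side registry values set in steps 4, 11 and 15 above can be audited with a short read-only script. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later on the client PC, and the variable names and report columns are its own.

```powershell
# Added example (not from the original post): read-only audit of the WebDAV
# client settings the guide changes. Run on a client PC; nothing is modified.

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# One entry per registry value from steps 4, 11 and 15 of the guide.
# Flag = condition worth a second look; Why = what that condition means.
$checks = @(
    [pscustomobject]@{
        Key  = "$services\WebClient\Parameters"; Name = 'BasicAuthLevel'
        Flag = { param($v) $v -eq 2 }
        Why  = 'Basic authentication allowed over plain HTTP (1 = SSL shares only)'
    }
    [pscustomobject]@{
        Key  = "$services\WebClient\Parameters"; Name = 'FileSizeLimitInBytes'
        Flag = { param($v) $v -ne 50000000 }
        Why  = 'file size limit differs from the 50,000,000-byte default'
    }
    [pscustomobject]@{
        Key  = "$services\MRxDAV\Parameters"; Name = 'DisableEFSOnWebDav'
        Flag = { param($v) $v -eq 1 }
        Why  = 'EFS files are decrypted before transfer, so the transport must encrypt them'
    }
)

$report = foreach ($c in $checks) {
    # A missing key or value is a result in itself (the Windows default
    # applies), so read it without raising an error.
    $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Setting = $c.Name
        Value   = if ($null -eq $value) { '(not set)' } else { $value }
        Review  = ($null -ne $value) -and (& $c.Flag $value)
        Why     = $c.Why
    }
}

# WebDAV mappings are listed with provider "Web Client Network"; an HTTPS
# mapping carries "@SSL" in its UNC form (\\server@SSL\share), so any WebDAV
# mapping without it was made over plain HTTP.
$plainHttp = @(Get-CimInstance -ClassName Win32_NetworkConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Web Client Network' -and $_.RemoteName -notmatch '@SSL' })

$report | Format-Table -AutoSize -Wrap
if ($plainHttp.Count -gt 0) {
    'WebDAV drives mapped over plain HTTP:'
    $plainHttp | Select-Object LocalName, RemoteName, UserName | Format-Table -AutoSize
}
```

A flagged BasicAuthLevel or DisableEFSOnWebDav together with a drive listed under plain HTTP means credentials or decrypted file contents cross the network unencrypted, which is the case the guide's IPSec/SSL point covers.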

    What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?

  • Newbee - access denied error

    I'm following a tutorial and I can't get it to work.
    import java.rmi.Naming;
    import java.rmi.RMISecurityManager;
    import java.rmi.RemoteException;
    import java.rmi.server.UnicastRemoteObject;

    public class SaySomethingImpl extends UnicastRemoteObject implements SaySomething {
         private static final long serialVersionUID = 1L;
         private String name;
         public SaySomethingImpl(String str) throws RemoteException {
              super();
              name = str;
         }
         public String talkToMe() throws RemoteException {
              return "Far and Away!";
         }
         /**
          * @param args
          */
         public static void main(String[] args) {
              // A security manager needs a policy file granting the socket permissions RMI uses.
              System.setSecurityManager(new RMISecurityManager());
              try {
                   SaySomethingImpl theObj = new SaySomethingImpl("remoteserver");
                   Naming.rebind("//home-ilan/remoteserver", theObj);
                   System.out.println("SaySomethingServer bound in registry");
              }
              catch(Exception e) {
                   System.out.println(e.getMessage());
              }
         }
    }
    I'm running it initially talking to myself over the network. I've shared out the source directory as \\home-ilan\remoteserver. I've given it read/write access.
    Then I ran a batch file containing:
    F:\eclipse\jre\bin>start rmiregistry
    F:\eclipse\jre\bin>java -Djava.rmi.server.codebase=http://home-ilan/remoteserver/ remote.server.SayHelloImpl
    Exception in thread "main" java.lang.NoClassDefFoundError: remote/server/SayHelloImpl
    Not understanding the meaning of the exception, I decided to run the file under the development environment. It generates an exception at:
    Naming.rebind("//home-ilan/remoteserver", theObj);
    telling me:
    access denied (java.net.SocketPermission home-ilan resolve)
    Since this is my first attempt, I don't have any experience to know what could be wrong.
    In the long run, I want to have an application on the client end access a database on the server end. I want to server to do the query and return the results to the client. (The tutorial shows an applet, but that I will replace with an application so as to avoid security problems.)
    Can anyone tell me what I'm missing?
    Thanks,
    Ilan

    Hi Ilan,
    It looks like a combination of problems here.
    For a good rmi tutorial, you can consult
    http://java.sun.com/docs/books/tutorial/rmi/
    It's a bit long, but very useful.
    I can also see you use eclipse. Did you try the "ready to use" rmi examples
    of the RMI Plugin for Eclipse (http://www.genady.net/rmi/v20/) ?
    Your first problem seems to be an incorrectly defined codebase.
    It looks like you are trying to use the HTTP protocol to access a windows share.
    You should use the file:/ protocol for such shares.
    The second problem looks like a security policy problem (ejp - correct me again if I'm wrong...) Since you've installed a security manager you should define a security policy. See the RMI tutorial link (the last step of tutorial) for more info.
    Genady
