Security : Unquoted Service Path for ZESService.exe
Hi from Paris,
The security officer send me an alerte regarding the service ZESService.exe
The device has the service ZESService.exe installed unsing an unquoted service path, which contains at
least one whitespace : C:\Program Files (x86)\Novell\ZENworks\esm\ZESService.exe
The risk is knowned as high.
Do you know if there is a TID or something planed for this ?
This would be the case for ANY service entry with a space in the path. The call we make to Service Manager is generic, so all services would be susceptible to this. We're looking at a way to modify the API call to include the escape quotes.
Similar Messages
-
Microsoft Windows Unquoted Service Path Enumeration.
I seek for your advice in a security issue and how to mitigate this high risk vulnerability.
Microsoft Windows Unquoted Service Path Enumeration.
Microsoft Windows Unquoted Service Path EnumerationMicrosoft Windows Unquoted Service Path Enumeration
Synopsis
The remote Windows host has at least one service installed that uses an unquoted service path.
Description
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could
gain elevated privileges by inserting an executable file in the path of the affected service.As long as we are piling on late responses, here is the script one of our talented SCCM engineers wrote to fix affected systems. The first code snippet is used in SCCM 2007 to fix clients. Further down are the detection and remediation scripts
used in SCCM 2012 as part of Desired Configuration Management (DCM).
Const HKEY_LOCAL_MACHINE = &H80000002
const REGKEYPATH = "System\CurrentControlSet\Services\"
Dim arrValues, Results, arrReturn()
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")
For Each objService in objListOfServices
Results = ReadRegExpandStr (HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",32)
' Results = ReadRegStr(HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",32)
Results = Chr(34) & Replace(Results,".exe",".exe" & Chr(34),1,1,1)
Wscript.Echo objService.name & " ; " & Results
SetRegExpandStr HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",Results,32
Next
'Reads a REG_EXPAND_SZ value from the local computer's registry using WMI
Function ReadRegExpandStr (RootKey, Key, ValueName, RegType)
Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer,strValue
Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
oCtx.Add "__ProviderArchitecture", RegType
Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
strComputer = "."
Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
Set oInParams = oReg.Methods_("GetExpandedStringValue").InParameters.SpawnInstance_()
oInParams.hDefKey = RootKey
oInParams.sSubKeyName = Key
oInParams.sValueName = ValueName
Set oOutParams = oReg.ExecMethod_("GetExpandedStringValue", oInParams, , oCtx)
If IsNull(oOutParams.sValue) Then
ReadRegExpandStr = "Unknown"
Else
Wscript.Echo Cstr(oOutParams.sValue)
ReadRegExpandStr = Cstr(oOutParams.sValue)
End If
End Function
'Creates a REG_EXPAND_SZ value in the local computer's registry using WMI
Function SetRegExpandStr (RootKey, Key, ValueName, Value, RegType)
Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer
Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
oCtx.Add "__ProviderArchitecture", RegType
Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
strComputer = "."
Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
Set oInParams = oReg.Methods_("SetExpandedStringValue").InParameters.SpawnInstance_()
oInParams.hDefKey = RootKey
oInParams.sSubKeyName = Key
oInParams.sValueName = ValueName
oInParams.sValue = Value
Set oOutParams = oReg.ExecMethod_("SetExpandedStringValue", oInParams, , oCtx)
End function
'Reads a REG_SZ value from the local computer's registry using WMI
Function ReadRegStr (RootKey, Key, Value, RegType)
Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer
Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
oCtx.Add "__ProviderArchitecture", RegType
Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
strComputer="."
Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
Set oInParams = oReg.Methods_("GetStringValue").InParameters
oInParams.hDefKey = RootKey
oInParams.sSubKeyName = Key
oInParams.sValueName = Value
Set oOutParams = oReg.ExecMethod_("GetStringValue", oInParams, , oCtx)
If IsNull(oOutParams.sValue) Then
ReadRegStr = "Unknown"
Else
Wscript.Echo Cstr(oOutParams.sValue)
ReadRegStr = Cstr(oOutParams.sValue)
End If
End Function
SCCM 2012 DCM - Detection of unquoted services
Dim strComputer, objWMIService, objListOfServices
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")
If objListOfServices.Count = 0 Then
WScript.Echo "No unquoted service path was found"
Else
Wscript.Echo "Found an unquoted Service Path"
End If
SCCM 2012 DCM remediation script
Const HKEY_LOCAL_MACHINE = &H80000002
const REGKEYPATH = "System\CurrentControlSet\Services\"
Dim arrValues, Results, arrReturn(), sArgString
Set objArgs = WScript.Arguments
If objArgs.count > 0 then
sArgString = wscript.arguments(0)
If sArgString = "failed" Then
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objSystemItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
For Each objItem in objSystemItems
strSystemType = objItem.SystemType
Next
If strSystemType = "X86-based PC" then
i = 32
Else
i = 64
End If
Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")
For Each objService in objListOfServices
Results = ReadRegExpandStr (HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",i)
' Results = ReadRegStr(HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",i)
Results = Chr(34) & Replace(Results,".exe",".exe" & Chr(34),1,1,1)
Wscript.Echo objService.name & " ; " & Results & vbcrlf
' SetRegExpandStr HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",Results,i
Next
End If
End If
'Reads a REG_EXPAND_SZ value from the local computer's registry using WMI
Function ReadRegExpandStr (RootKey, Key, ValueName, RegType)
Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer,strValue
Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
oCtx.Add "__ProviderArchitecture", RegType
Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
strComputer = "."
Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
Set oInParams = oReg.Methods_("GetExpandedStringValue").InParameters.SpawnInstance_()
oInParams.hDefKey = RootKey
oInParams.sSubKeyName = Key
oInParams.sValueName = ValueName
Set oOutParams = oReg.ExecMethod_("GetExpandedStringValue", oInParams, , oCtx)
If IsNull(oOutParams.sValue) Then
ReadRegExpandStr = "Unknown"
Else
Wscript.Echo Cstr(oOutParams.sValue)
ReadRegExpandStr = Cstr(oOutParams.sValue)
End If
End Function
'Creates a REG_EXPAND_SZ value in the local computer's registry using WMI
Function SetRegExpandStr (RootKey, Key, ValueName, Value, RegType)
Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer
Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
oCtx.Add "__ProviderArchitecture", RegType
Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
strComputer = "."
Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
Set oInParams = oReg.Methods_("SetExpandedStringValue").InParameters.SpawnInstance_()
oInParams.hDefKey = RootKey
oInParams.sSubKeyName = Key
oInParams.sValueName = ValueName
oInParams.sValue = Value
Set oOutParams = oReg.ExecMethod_("SetExpandedStringValue", oInParams, , oCtx)
End function
'Reads a REG_SZ value from the local computer's registry using WMI
Function ReadRegStr (RootKey, Key, Value, RegType)
Dim oCtx, oLocator, oReg, oInParams, oOutParams,strComputer
Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
oCtx.Add "__ProviderArchitecture", RegType
Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
strComputer="."
Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")
Set oInParams = oReg.Methods_("GetStringValue").InParameters
oInParams.hDefKey = RootKey
oInParams.sSubKeyName = Key
oInParams.sValueName = Value
Set oOutParams = oReg.ExecMethod_("GetStringValue", oInParams, , oCtx)
If IsNull(oOutParams.sValue) Then
ReadRegStr = "Unknown"
Else
Wscript.Echo Cstr(oOutParams.sValue)
ReadRegStr = Cstr(oOutParams.sValue)
End If
End Function -
Search c:\ drive and return file path for winword.exe and save as variable
Hi all, here is what I'm trying to do;
1. Search C:\ drive for winword.exe
2. take the file path and save it as a variable.
3. Then based on the path value, use the switch statement to run "some command"
Essentially I'm trying to find what the file path for winword.exe is, then run a command to modify the registry. I already have the script that will modify the registry like I want but the problem it, the path is hard coded in the script, I want to
now look for all versions of word and set the right file path so I can make the right registry changes.This should get you started:
http://ss64.com/ps/get-childitem.html
Don't retire TechNet! -
(Don't give up yet - 13,085+ strong and growing) -
Problem for web service path for Xcelsius engage in flash object
Hi, All
I had created one xcelsius through Web Service of SAP B1.it works well.
but when I run the flash object came from xcelsius by explorer,it gives one message
"Can not access external data"
thier I have to give path for swf file and web service path -- (which is given at the time of connection of xcelsius through web service in data manager)
and I have to run the web service then it shows
the dash board made from Xcelsius very well.
but when i change the path of same web service to other m/c then flash file does work and it gives message
"Can not access external data"
but in practical my web service path can be changed, it should not fixed for path which is given in data manager in Xcelsius.
I am using Xcelsius Engage 2008 sp3
please give suggetions for solve the problem
thanks in advanceHi Venky CRMIT, Bruce007
Aside from the question, I tried another methods and I have succeeded calling webservice. A reference URL is
http://www.webbasedcrmsoftware.com.au/crm-on-demand-tutorials/65-java-access-to-crm-on-demand#_Toc224720963
Main cause may be jsessionID as you guess. When I try with EAI, I have send login information and message call at once, so URL may be incorrect.
Thank you for your help. -
Create a Secure Client for a Secure Web Service- is failing
Hi,
This is actually with reference to the webservice tutorial.I am trying the example on Create a Secure Client for a Secure Web Service and have followed all the steps mentioned,however I am getting the following error:
D:\JDev11gTp\jdk\bin\javaw.exe -client -classpath D:\Jdev11gTpInstance\mywork\WebServiceApplications\.adf;D:\Jdev11gTpInstance\mywork\WebServiceApplications\WebServiceProjects\classes;D:\JDev11gTp\webservices\lib\jaxws-api.jar;D:\JDev11gTp\webservices\lib\jws-api.jar;D:\JDev11gTp\webservices\lib\orawsmetadata.jar;D:\JDev11gTp\webservices\lib\wsclient.jar;D:\JDev11gTp\j2ee\home\lib\activation.jar;D:\JDev11gTp\j2ee\home\lib\ejb.jar;D:\JDev11gTp\j2ee\home\lib\jms.jar;D:\JDev11gTp\j2ee\home\lib\jta.jar;D:\JDev11gTp\j2ee\home\lib\mail.jar;D:\JDev11gTp\j2ee\home\lib\servlet.jar;D:\JDev11gTp\webservices\lib\jaxrpc-api.jar;D:\JDev11gTp\webservices\lib\wsserver.jar;D:\JDev11gTp\webservices\lib\wssecurity.jar;D:\JDev11gTp\webservices\lib\wsdl.jar;D:\JDev11gTp\webservices\lib\orasaaj.jar;D:\JDev11gTp\webservices\lib\saaj-api.jar;D:\JDev11gTp\webservices\lib\orawsdl.jar;D:\JDev11gTp\webservices\lib\orawsrm.jar;D:\JDev11gTp\webservices\lib\orawsrel.jar;D:\JDev11gTp\webservices\lib\jaxr-api.jar;D:\JDev11gTp\webservices\lib\orajaxr.jar;D:\JDev11gTp\webservices\lib\relaxngDatatype.jar;D:\JDev11gTp\webservices\lib\xsdlib.jar;D:\JDev11gTp\webservices\lib\mdds.jar;D:\JDev11gTp\webservices\lib\wsif.jar;D:\JDev11gTp\webservices\lib\fabric-common.jar;D:\JDev11gTp\webservices\lib\fabric-interceptors.jar;D:\JDev11gTp\jlib\jaxen.jar;D:\JDev11gTp\jlib\oraclepki.jar;D:\JDev11gTp\jlib\ojpse.jar;D:\JDev11gTp\jlib\jsr106.jar;D:\JDev11gTp\jlib\jsr105.jar;D:\JDev11gTp\jlib\osdt_xmlsec_jce.jar;D:\JDev11gTp\jlib\osdt_wss_jce.jar;D:\JDev11gTp\jlib\osdt_saml_jce.jar;D:\JDev11gTp\jlib\osdt_saml2_jce.jar;D:\JDev11gTp\jlib\osdt_core.jar;D:\JDev11gTp\jlib\osdt_cert.jar;D:\JDev11gTp\jlib\osdt_xmlsec.jar;D:\JDev11gTp\jlib\osdt_wss.jar;D:\JDev11gTp\jlib\osdt_saml.jar;D:\JDev11gTp\jlib\osdt_saml2.jar;D:\JDev11gTp\jlib\ojmisc.jar;D:\JDev11gTp\j2ee\home\lib\http_client.jar;D:\JDev11gTp\j2ee\home\jazncore.jar;D:\JDev11gTp\j2ee\home\oc4jclient.jar;D:\JDev11gTp\rdbms\jlib\xdb.jar;D:\JDev11gTp\j2ee\home\lib\javax77.jar;D:\JDev11gTp\lib\java\api\jsr173_api.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb-impl.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb-xjc.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb1-impl.jar;D:\JDev11gTp\j2ee\home\lib\oc4j-schemas.jar;D:\JDev11gTp\jlib\ojdl.jar;D:\JDev11gTp\jlib\ojdl2.jar;D:\JDev11gTp\jlib\fmw_audit.jar;D:\JDev11gTp\j2ee\home\lib\jmxri.jar;D:\JDev11gTp\j2ee\home\lib\jmx_remote_api.jar;D:\JDev11gTp\j2ee\home\lib\adminclient.jar;D:\JDev11gTp\j2ee\home\lib\jmxframework.jar;D:\JDev11gTp\j2ee\home\lib\jmxspi.jar;D:\JDev11gTp\j2ee\home\lib\xmlcfg.jar;D:\JDev11gTp\jlib\dms.jar;D:\JDev11gTp\jlib\orai18n.jar;D:\JDev11gTp\j2ee\home\lib\commons-digester.jar;D:\JDev11gTp\j2ee\home\lib\spring.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-policy-core.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-pmclient.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-pap.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-agent.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-secpol.jar;D:\JDev11gTp\lib\java\shared\oracle.javatools\11.1.1.0.0\javamodel-rt.jar;D:\JDev11gTp\lib\java\shared\oracle.javatools\11.1.1.0.0\javatools-nodeps.jar;D:\JDev11gTp\lib\java\shared\oracle.toplink\11.1.1.0.0\toplink-sdo.jar;D:\JDev11gTp\lib\java\api\jaxb-api.jar;D:\JDev11gTp\lib\xmlparserv2.jar;D:\JDev11gTp\lib\xml.jar;D:\JDev11gTp\jakarta-taglibs\commons-logging-1.0.3\commons-logging.jar -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8099 -Dhttp.nonProxyHosts= -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8099 -Dhttps.nonProxyHosts= HelloPolicyPortClient
Feb 1, 2008 5:13:43 PM oracle.j2ee.ws.common.context.ContextInterceptor init
INFO: Context provider properties file not found
Feb 1, 2008 5:13:44 PM oracle.wsm.audit.Auditor <init>
INFO: Created J2SE auditor for componentType=OWSM-AGENT busstop=D:\oracle\product\10.2.0\client_1\auditlogs\OWSM-AGENT filter=false auditor=oracle.security.audit.Auditor@143a083
Feb 1, 2008 5:13:44 PM oracle.wsm.audit.Auditor <init>
INFO: Created J2SE auditor for componentType=OWSM-PM-LIB busstop=D:\oracle\product\10.2.0\client_1\auditlogs\OWSM-PM-LIB filter=false auditor=oracle.security.audit.Auditor@15af049
SEVERE: WSM-04514 An MDS error occurred.
SEVERE: WSM-09012 No key, WSM-06002, was found in the resource bundle oracle.wsm.resources.policyvalidation.PolicyValidationMessageBundle.
javax.xml.ws.WebServiceException: oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-06002 PolicyReference Invalid policy reference
at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:466)
at oracle.j2ee.ws.client.jaxws.WsClientProxyInvocationHandler.invoke(WsClientProxyInvocationHandler.java:204)
at $Proxy28.sayHello(Unknown Source)
at HelloPolicyPortClient.main(HelloPolicyPortClient.java:35)
Caused by: oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-06002 PolicyReference Invalid policy reference
at oracle.integration.platform.common.InterceptorChainImpl.createPolicyEnforcementException(InterceptorChainImpl.java:217)
at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:104)
at oracle.j2ee.ws.client.mgmt.runtime.SuperClientInterceptorPipeline.handleRequest(SuperClientInterceptorPipeline.java:91)
at oracle.j2ee.ws.client.jaxws.DispatchImpl.handleRequest(DispatchImpl.java:309)
at oracle.j2ee.ws.client.jaxws.DispatchImpl.handleRequest(DispatchImpl.java:290)
at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:444)
... 3 more
Process exited with exit code 0.
Can anyone please give any clue as to why this error is coming?
Thanks.Hi
Please refer to this thread
Re: Can I create a login/password protection in Muse for a HTML5 page or two? -
Best Practice for Securing Web Services in the BPEL Workflow
What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
They are all deployed on the same oracle application server.
Defining agent for each?
Gateway for all?
BPEL security extension?
The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
Regards
FarbodIt doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
You can enforce rules at your network layer to allow access to the App server only from Gateway.
When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
The next BPEL developer in your project may not be aware of Security extensions
Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
Thanks
Ram -
I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root
Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service. This is apparent when executing a search, accessing
the managed metadata service, issuing SPSite commands in Powershell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order.
It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
What I’ve tried so far:
I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I’ve also verified the service accounts reporting the error, do have access to the configuration database.
Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this
MS Tech note.
So far nothing has worked. Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2/20/2015 11:19:41 AM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: <SP SERVICE ACCOUNT>
Computer: <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS
CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
<EventRecordID>1611121</EventRecordID>
<Correlation />
<Execution ProcessID="10212" ThreadID="10328" />
<Channel>Application</Channel>
<Computer><SHAREPOINTSERVER></Computer>
<Security UserID="<SP SERVICE ACCOUNT>" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2"><STS CERT THUMBPRINT></Data>
<Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
</Data>
</EventData>
</Event>Hi Darren,
This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website
In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
More information:
http://support.microsoft.com/kb/2545744
Best Regards,
Wendy
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Wendy Li
TechNet Community Support -
Secured web service for secured AM method
Hello,
I need to invoke method of secured Application Module (jbo.security.enforce = Must) from secured web service.
I have a simple java class with Configuration.createRootApplicationModule ... and a web service built for this java class.
I found I have to authentificate users twice. First time when invoking web service (this is ok) and second time when creating application module instance.
The problem is I can get name of user logged in web service but I cannot get his password. So I cannot login to application module with the same user.
How can I force adf business components to use user authentificated in web service to use him/her as adf bc user?
RadoHi Mayank,
Chapter 7, Custom Serialization of Java Value Types, of the Web services developer guide may be a good place to get started.
All the best,
-Eric -
Security exception while running the java client for a secured web service.
hi,
I created a proxy for a secured web service.
When I run the client java program I am getting the following exception :
java.io.IOException: could not load the default-keystore.jks file because The keystore file is tampered or password is incorrect.
Its saying that password is invalid.
Can you please help me on this thanks in advance.
Regards,
Chandrahi,
I created a proxy for a secured web service.
When I run the client java program I am getting the following exception :
java.io.IOException: could not load the default-keystore.jks file because The keystore file is tampered or password is incorrect.
Its saying that password is invalid.
Can you please help me on this thanks in advance.
Regards,
Chandra -
I get a message that itunes has stopped working. When I check out why it is because of the dep security on my computer. When I try to find the program for itunes for the .exe file i cannot find it to turn off the dep for that file
I found the file but when I added it to the list for the Data Execution Program to ignore , I received a message that the Program.x86/itunes file must have the DEP on in order to run. Anyone else having this problem ?
-
How to change path of Users Terminal Services Profile for multiple AD users on server 2003?
Hello experts. I am working on a file server migration. All data has been migrated, I am currently working on redirecting users to the new file server. I
am able to select multiple users at once in ADUC -> right-click -> properties -> profile and here I can change the home folder and roaming profile path for each all users to point towards the new file server.
The issue I have run in to is that we have roaming profiles for terminal services users. So, there are hundreds of users that have their terminal services profile
configured in AD -> Right-click user (one at a time) -> properties -> terminal services profile. Here, the profile path is configured for each user as \\OLDserver\Profiles\%username%
and I need to change it to \\NEWserver\profiles\%username%.
I know that you can configure this path via group policy, I set up a GPO; Computer / Administrative Templates / Windows Components / Terminal Services / “Set Path
for TS Roaming Profiles” as \\NEWserver\profiles and applied this GPO to an OU containing the TS servers.
The problem is, the GPO is not working... When I log in to the TS and add a document to My Documents, it is still saving under \\OLDserver\profiles\Username.
So, the settings in AD are trumping the GPO I believe. What is the best way to accomplish my goal? Thanks in advance!> to change it to \\NEWserver\profiles\%username%.
That is "profile" in opposite to...
> add a document to My Documents, it is still saving under
> \\OLDserver\profiles\Username.
...this one which is Folder Redirection and has NOTHING to do with
server based profiles.
> So, the settings in AD are trumping the GPO I believe.
No, it isn't. When you do not enable FR and you access "Documents", you
will never see an UNC path but the local c:\users\xyz\documents folder.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Upgrade path for Cisco Secure ACS 4.X Solution Engine 1113 Appliance.
Hello,
I am having Cisco Secure ACS 4.X Solution Engine 1113 Appliance, and is running on version Cisco Secure ACS Release 4.1(1) Build 23 and now want to upgarde it to the latest version. Need to know the upgrade path for the same. As per my information ACS 4.1(1) runs on windows server and releases post to 5.X uses Linux. Please guide how can i upgrade Appliance 1113 from 4.1 to 5.xHi,
Cisco ACS 1113 appliance doesn't support ACS 5.x version. 1113 appliance supports till ACS 4.2.1 version.
Cisco ACS SE 1120/1121 appliance models are required for ACS 5.x
The upgrade path for ACS 4.1 to 4.2.1 version can be found in the following link :
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1237189
Regards,
Karthik Chandran
*kindly rate helpful post* -
How to encrpt password for Secure store service while configuring by Windows powershell Script
To configure Secure store service, we have to mention user name and passowrd for generating key.
For this is password we are giving in plain text which is readable and also which is security violation as per company rules.
so i want to encript the password,so that no body can read and it is not against security violation.
so any body can tell me how to encrpt password while configuring secure store service using powershell commandHi,
For your issue, you can encrypt the files using Encrypting File System. By this method, only the user that stores it can access the encrypted passwords.
For more information, you can refer to the thread:
https://social.technet.microsoft.com/Forums/en-US/bae4f78b-e12e-4afe-981f-d93909d33d5a/what-is-the-most-secure-method-to-store-password-in-powershell?forum=winserverpowershell
Thanks,
Eric
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Eric Tao
TechNet Community Support -
Hello,
if i define a secure web service, i also have to define one or more users which are allowed to access this web service. I only found instruction for defining such users on the application level. If i undeploy or redeploy the web service i lost this users.
Is there any possibility to store users for an application permanently or to define allowed users during the deployment?Hello,
I suppose that you are in OracleAS 10.1.3.x and you are using the WS-Security built in the product. If this is the case...
The WS-Security handlers are based on the JAAS security model, this means that the security processing is based on the container security. The user credentials are not related to the WS application but how the J2EE application security provider has been configured.
So by default you are using the FileBased Security provided that stores the data in the system-jazn-data.xml, but you can easily configure your application to use any other system to store user information such as a LDAP server for example.
I am inviting you to take a look to the Security Provider documentation:
- Introducing the OracleAS JAAS Provider and Security Providers
Regards
Tugdual Grall -
Landing path for Shared Services
Hi,
Like we will be having a welcome page for Financial Management at below given path ,I would like to figure out the welcome page for the Hyperion Shared Services
C:\Oracle\Middleware\userprojects\epmsystem1\httpConfig\ohs\config\OHS\ohs_component\htdocs\welcome-index.html_
Thanks.Hi Srikanth,
Thanks for your response. I know the export path for the SS. But we are trying to figure out the opening page for Shared Services if I am not using the whole shared services URL along with /interop/.
To be more clear, if I enter http://localhost:*19000/* it will land in the welcome page for work space, provided the localhost being the admin server. and if I use http://HFM_localhost:*80/* it will take me to II7 page, provided the localhost being the HFM server.
Similarly if I try to access http://localhost:*28080/* what should be the page that I should land in? provided the localhost being the admin server.
Currently we are getting 404 Page not found error.
Thanks.
Maybe you are looking for
-
Hi guys, Would like to seek assistance in closing of POs. We have POs that are created years ago and are still open. However we have 2 problemsu2026 [1] Delivery was already made using some of this PO. We cannot tick the "Delivery Complete" [2] There
-
Need to explore on SAP BO 4.1
Hello, I have been released from the Project and free for some days. I need to explore on SAP BO 4.1, Can you please direct me to explore & expert on SAP BO 4.1 ? Do we have any Sample BO VM to practice? your suggestions are most welcome to experty o
-
Security issues for Java server side code
When reading the Oracle 8i documentation regarding using JDBC with Java running within the database, I found that the Oracle- specific call 'defaultConnection()' can be used instead of the standard 'getConnection()'. This appears to be what I want to
-
I am looking for some Plumtree Classes or Interfaces that I can use to enable client browser checking - check to see if the client is using what version of IE or Netscape or Mozilla. We are trying to trap these process and make this a Plumtree UI sol
-
Add project siena app to favorite key on keyboard
Hello and merry Christmas to everybody Have anyone tried to add widows8 app as project sienna into a favourite key on your keyboard? Sorry for asking that here but I haven't found better discussion for windows comfort 5000 keyboards or a solution on