0 votes

Hi - I'm testing how granular we can get with reducing "non-necessary" access rights and would like to know if there are any logs we can check for more info on blocked access?

I have (for example) a situation at the moment where, when trying to reset a user's password from the Self-Service reset page, I get access violations when trying to auto-generate the password or view the password policy. There doesn't appear to be any way to determine the exact permission required to grant this access, which means it is very hit and miss trying to work out what access needs to be configured!

Rgds

by (1.6k points)

1 Answer

0 votes
by (216k points)

Hello Alistair,

What I can suggest in your case is that you can view which Security Roles are assigned to a certain user and over which objects, and also which Security Roles affect a certain object. So, if you want to track the reason for a certain Access Denied error, you can view which Security Roles affect the object that you are trying to access and which permissions they grant, and track the Role that grants the necessary access. Then check if the specific user is assigned to the necessary Security Role and over that object.

On how to view Security Roles assigned to a user, see Viewing Security Roles assigned to Users or Groups.
On how to view Security Roles that affect an object, see Viewing Security Roles Effective for an Object.

As to the issue with failing to auto-generate the password or view the password policy, this issue occurs because you denied the user access to the root domain object (the Domain-DNS object). The object contains information on the password policy that is applied to a user, and since the user has no access to the root domain object, he can neither view the policy applied to his account nor get the settings of the policy relating to password complexity, minimum length, etc., that should be taken into account when generating a new password.

0

Hi,

Sorry for the delay in replying.

On the specific question - as a self-service user I can see password policy/generate a password from the 'Forgot Password' link from a logged on PC, but not from the Logon/Locked screen. I assume a specific role has to be assigned to a non-authenticated user and/or the adaxes service account?

I have all the security set at 'factory default' - I've done quite a bit of testing so some other settings may have changed, but the security roles are def. default.

Note: I have also tried adding 'Read Domain Password & Lockout Policies' to roles, but I'm not sure under what user context the reset 'function' is operating.

Thanks

0

Hello,

You don't have to grant any special permissions in this case, because as soon as a user passes the verification step, he is automatically granted the permission to view his password policy and generate password for himself.

We'll try to reproduce the issue in our environment. What version of Adaxes are you running? Also, what Windows version is running on the computer that you tried the Self-Password Reset functionality from? What is the version of Internet Explorer installed on that computer?

0

Thanks.

I'm running everything on a virtual server:-

Windows 2008R2 (operating as a DC and running Adaxes)
IE9
Adaxes 3.3.8906

Rgds

0

Hello,

Just to make sure, you tried to reset a password from the Windows logon screen of the same computer that your Adaxes service is installed on, am I right?

0

Yes, everything is running on the same virtual test server, including the user desktop session.

If that's the cause, no problem as it wouldn't be a common scenario at all in real-life!

0

Hello,

The fact that you installed everything on the same computer isn't the issue.

Actually, the reason for such behavior is a bug in Adaxes. Thank you for the bug report. We will fix it in the nearest release (Adaxes 2013.1).

0

Thanks - glad I'm not going mad!

Out of interest, when is 2013.1 due for release, and do you have a list of enhancements due?

Rgds

0

The release is scheduled for February. Here's the list of new features planned for the release:

  • Exchange mailbox management enhancements
  • Exchange 2013 support
  • Windows Server 2012 and Windows 8 support
  • Automation capabilities enhancements (Business Rules, Custom Commands and Scheduled Tasks)

0

On the specific question - as a self-service user I can see password policy/generate a password from the 'Forgot Password' link from a logged on PC, but not from the Logon/Locked screen. I assume a specific role has to be assigned to a non-authenticated user and/or the adaxes service account?

After investigating the issue, we managed to find out its root cause. The thing is that Internet Explorer does not send cookies from the logon screen on the Windows Server operating system families. To work around the issue, you need to enable Internet Explorer to send cookies. To do this:

  1. On the computer where you want to use Adaxes Self-Service Client, press Win+R and type Gpedit.msc.
  2. Under Local Computer Policy, navigate to User configuration \ Windows Settings \ Internet Explorer Maintenance \ Security \ Security Zones and Content Ratings.
  3. In the Select Security Zones and Privacy section, switch the radio button to Import the current security zones and privacy settings.
