Connecting shares automatically

Rob Westland
 

Hi,

How are you automatically connecting to UNC paths which are password protected?

There must exist a share between a Magic server and a Webserver. The Magic engine tries to write this file to the share: Start_N_0MP_$$$_$_$_0_04600__0bad954cf6feda90f642c6765dcabd53648446a74609d3ec540074ac.xml. Also other files, but this is an example.

We have a webserver with a password protected share. And a Magic server running the Magic engine, but the engine is of course started from a service. No one logs in on the server, so the share must already be connected on startup of the server.

I have stored the credentials of the share in the Windows Credentials Manager of the Magicserver.

I tried it with a scheduled task and with a GPO: Computer Configuration\Windows Settings\Scripts\Startup

But the batch file does not run

The batchfile contains:

net use \\web-01\MagicWebCCache
fsutil file createnew c:\tmp\started 10

The second line is just to check if the script has run

When I login and go to the share, it is immediately connected, I don't have to enter my credentials.

Does anyone have a clue?


Rob
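The batch file in the question only leaves a marker file behind, which tells you nothing about the account the script ran as or why the share was not reachable. The following PowerShell startup script is an added diagnostic (it is not from the thread or from Magic): dropped into the same GPO location, it logs the identity and session the script runs in, the connections that session can see, and the outcome of reaching the share. The log path is an assumption; the share name is the one from the question.

```powershell
# Added diagnostic, not part of the thread. Intended as the GPO startup
# script (Computer Configuration\Windows Settings\Scripts\Startup) in place
# of the "fsutil file createnew" marker: it records whether the script ran,
# which account and session it ran in, and whether that account can reach
# the share. Log path is an assumption; the share name comes from the thread.
$LogFile = 'C:\tmp\share-startup.log'
$Share   = '\\web-01\MagicWebCCache'

New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# A GPO startup script runs as NT AUTHORITY\SYSTEM in session 0, not as the
# account the Magic broker service logs on with. Record that explicitly.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$session  = (Get-Process -Id $PID).SessionId
Write-Log ("started as '{0}' in session {1}" -f $identity.Name, $session)

# Connections made with 'net use' are tied to the logon session that made
# them, so this list shows only what SYSTEM's own session can see.
$existing = Get-CimInstance Win32_NetworkConnection -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty RemoteName
Write-Log ('connections in this session: ' + $(if ($existing) { $existing -join ', ' } else { '<none>' }))

# Test-Path performs an access check with this session's credentials. Towards
# a DMZ host that is not in the domain, SYSTEM presents no usable credentials,
# so "False" or an error here is the expected outcome, not a script failure.
try {
    $reachable = Test-Path -LiteralPath $Share -ErrorAction Stop
    Write-Log ("Test-Path {0} -> {1}" -f $Share, $reachable)
} catch {
    Write-Log ("Test-Path {0} failed: {1}" -f $Share, $_.Exception.Message)
}

# Same command as the batch file, with its result captured. Even when it
# succeeds, the connection exists only in SYSTEM's session; a service that
# logs on with its own account must establish (or hold stored credentials
# for) the connection itself.
$output = & net.exe use $Share 2>&1
Write-Log ("net use exit {0}: {1}" -f $LASTEXITCODE, ($output -join ' '))
```

If the log file never appears, the script is not being run at all (check with `gpresult /r` that the GPO applies to the computer). Startup scripts can also run before the network stack is ready unless the policy "Always wait for the network at computer startup and logon" is enabled, which shows up in this log as a failed Test-Path and a non-zero `net use` exit code rather than as a missing log.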

 

NET USE /?

The syntax of this command is:

NET USE
[devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:[username@dotted domain name]
[/SMARTCARD]
[/SAVECRED]
[/REQUIREINTEGRITY]
[/REQUIREPRIVACY]
[/WRITETHROUGH]
[[/DELETE] | [/PERSISTENT:{YES | NO}]]

NET USE {devicename | *} [password | *] /HOME

NET USE [/PERSISTENT:{YES | NO}]

Steven Blank
 

Rob,

My guess is that the service is configured to log on as the Local System Account, in which case, it (the service) is an anonymous guest and, as such, possesses no rights at all on the network.

If this is the case, then I suggest you modify the service to log on with a specific, ad hoc, domain user account.

EXAMPLE:

HTH – Steve Blank

On 3/16/2020 10:38 AM, Rob Westland wrote:

Hi,

How are you automatically connecting to UNC paths which are password protected?

There must exist a share between a Magic server and a Webserver. The Magic engine tries to write this file to the share: Start_N_0MP_$$$_$_$_0_04600__0bad954cf6feda90f642c6765dcabd53648446a74609d3ec540074ac.xml. Also other files, but this is an example.

We have a webserver with a password protected share. And a Magic server running the Magic engine, but the engine is of course started from a service. No one logs in on the server, so the share must already be connected on startup of the server.

I have stored the credentials of the share in the Windows Credentials Manager of the Magicserver.

I tried it with a scheduled task and with a GPO: Computer Configuration\Windows Settings\Scripts\Startup

But the batch file does not run

The batchfile contains:

net use \\web-01\MagicWebCCache
fsutil file createnew c:\tmp\started 10

The second line is just to check if the script has run

When I login and go to the share, it is immediately connected, I don't have to enter my credentials.

Does anyone have a clue?


Rob

Rob Westland
 

Hi Steve,

The problem is not the Broker running under a wrong account.

The problem is the script which has to be executed. That script is either run by the Scheduler or through a GPO. But in both cases it's not executed.

Or am I on the wrong way?

The problem is that the Magic engine wants to create some temp files which must be available for the webserver.


Rob

On 16-3-2020 at 20:55, Steven Blank wrote:

Rob,

My guess is that the service is configured to log on as the Local System Account, in which case, it (the service) is an anonymous guest and, as such, possesses no rights at all on the network.

If this is the case, then I suggest you modify the service to log on with a specific, ad hoc, domain user account.

EXAMPLE:

HTH – Steve Blank


Steven Blank
 

Rob,

If the Magic runtime engine is spawned by the broker, then the Magic runtime engine is running under the broker's credentials.

If the broker is configured to log on as the Local System Account, then it, and by extension, the Magic runtime engine, will possess no credentials on the network.

If the Magic runtime engine is running on computer A, and the temp files folder is located on computer B, then the Magic BROKER must have network credentials.

Just try it.

You can always change it back if it doesn't help.

Steve Blank

On 3/16/2020 1:01 PM, Rob Westland wrote:

Hi Steve,

The problem is not the Broker running under a wrong account.

The problem is the script which has to be executed. That script is either run by the Scheduler or through a GPO. But in both cases it's not executed.

Or am I on the wrong way?

The problem is that the Magic engine wants to create some temp files which must be available for the webserver.


Rob


Rob Westland
 

The broker already runs under an AD account, because it must have access to the fileserver.

The webserver is in a DMZ, so the webserver does not have access to the AD. On the webserver I created a share with a local user which only exists on the webserver. The Magicserver must access that share with that account.


Rob

On 16-3-2020 at 21:08, Steven Blank wrote:

Rob,

If the Magic runtime engine is spawned by the broker, then the Magic runtime engine is running under the broker's credentials.

If the broker is configured to log on as the Local System Account, then it, and by extension, the Magic runtime engine, will possess no credentials on the network.

If the Magic runtime engine is running on computer A, and the temp files folder is located on computer B, then the Magic BROKER must have network credentials.

Just try it.

You can always change it back if it doesn't help.

Steve Blank


Steven Blank
 

The devil is always in the details, eh?

Steve

On 3/16/2020 1:19 PM, Rob Westland wrote:

The broker already runs under an AD account, because it must have access to the fileserver.

The webserver is in a DMZ, so the webserver does not have access to the AD. On the webserver I created a share with a local user which only exists on the webserver. The Magicserver must access that share with that account.


Rob


Thomas Titus
 

Hi Rob,
I am also in the process of setting up DMZ IIS. Our infrastructure team is struggling with a third party vendor to complete the setup.

Are you setting up a remote Unipass Broker, away from the DMZ IIS server?

Do you have an ARR Server (Application Request Routing) to host your file share?

Are you setting up multiple IIS to do load balancing?

I know, I asked a lot of questions, but I am very curious to know your efforts and progress.

Thanks

Thomas Titus

Luuk

Some more details:

  • First delete the connection
C:\Users\Luuk>net use r: /d
r: was deleted successfully.

  • Create the connection, if a password is asked, enter it:
C:\Users\Luuk>net use r: \\SERVER\SHARE
The command completed successfully.

  • Use WMIC to see the username that was used for this connection:
C:\Users\Luuk>wmic netuse where LocalName="r:" get UserName /value

UserName=DOMAIN\USERNAME

  • Delete the connection again:
C:\Users\Luuk>net use r: /d
r: was deleted successfully.

  • Create the connection by specifying PASSWORD and DOMAIN\USERNAME from the previous steps:
C:\Users\Luuk>net use r: \\SERVER\SHARE PASSWORD /user:DOMAIN\USERNAME
The command completed successfully.

C:\Users\Luuk>

Rob Westland
 

Hi Luuk,

The problem is not the command (net use) itself. The command must be executed on startup of the server in the background, without any user logged in.




On 17-3-2020 at 08:31, Luuk wrote:

Some more details:

  • First delete the connection
C:\Users\Luuk>net use r: /d
r: was deleted successfully.

  • Create the connection, if a password is asked, enter it:
C:\Users\Luuk>net use r: \\SERVER\SHARE
The command completed successfully.

  • Use WMIC to see the username that was used for this connection:
C:\Users\Luuk>wmic netuse where LocalName="r:" get UserName /value

UserName=DOMAIN\USERNAME

  • Delete the connection again:
C:\Users\Luuk>net use r: /d
r: was deleted successfully.

  • Create the connection by specifying PASSWORD and DOMAIN\USERNAME from the previous steps:
C:\Users\Luuk>net use r: \\SERVER\SHARE PASSWORD /user:DOMAIN\USERNAME
The command completed successfully.

C:\Users\Luuk>

Rob Westland
 

Hi Thomas,

On 17-3-2020 at 04:13, Thomas Titus via Groups.Io wrote:
Are you setting up a remote Unipass Broker, away from the DMZ IIS server?
We have a webserver running in DMZ with Apache

And a Magicserver in AD running the Magic broker and the Magic engines

Do you have an ARR Server (Application Request Routing) to host your file share?
The fileserver is a regular server with a share

Are you setting up multiple IIS to do load balancing?
No. I think that the webserver isn't getting very much to do. I think that the only reason for multiple IIS is for fault tolerance.

Hans Brussaard
 

Hi Rob,

Have you tried executing the net use command from within Magic using Invoke OS?

Hans

Rob Westland
 

Hi Hans,

I just solved it.

I changed the user of the Broker to myself and then Magic can write to the share. Apparently the other user account doesn't have access on the Magic server to execute/open the share.

Now I only have to find out why that user doesn't have the rights.

Thanks,

Rob

On 17-3-2020 at 14:55, Hans Brussaard wrote:

Hi Rob,

Have you tried executing the net use command from within Magic using Invoke OS?

Hans
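Steve's point that the engine inherits the broker service's credentials, and Rob's finding that the share works under his own account but not under the service account, both come down to the same check: what does the service account itself see when it touches the share? Credential Manager entries are stored per user profile, so a credential saved while logged in as an administrator is not available to a service that logs on as a different account. The PowerShell below is an added example (not Magic's code and not from the thread) that reads the service's logon account and runs a probe in a fresh logon session of that account; the service name, log path and probe location are assumptions, the share name is the one from the thread.

```powershell
# Added example, not part of the thread. Finds the account the Magic broker
# service logs on with, then runs a share-access probe *as that account*, so
# the result reflects that account's own profile and Credential Manager,
# not the administrator's. Service name, log path and probe file are
# assumptions; run from an elevated PowerShell on the Magic server.
$ServiceName = 'MagicBroker'               # assumed service name
$Share       = '\\web-01\MagicWebCCache'
$ProbeLog    = 'C:\tmp\share-probe.log'    # must be writable by the service account
$ProbeFile   = Join-Path $env:ProgramData 'share-probe.ps1'

# 1. Which account does the service use? LocalSystem means the computer
#    account on the domain and, towards a non-domain DMZ host, no usable
#    credentials at all.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "service '$ServiceName' not found" }
"$($svc.Name) logs on as '$($svc.StartName)' (state: $($svc.State))"
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
    throw "service runs as a built-in account; give it its own logon account before probing"
}

# 2. The probe script. Credential Manager entries are per user profile, so
#    a credential stored by the administrator for web-01 is invisible here;
#    the probe lists what *this* account has stored, then tries a real write.
$probe = @"
`$log = '$ProbeLog'
Add-Content `$log ('probe as ' + [Security.Principal.WindowsIdentity]::GetCurrent().Name)
Add-Content `$log ('stored credential targets: ' + ((cmdkey /list | Select-String 'Target:') -join '; '))
try {
    Add-Content `$log ('Test-Path $Share -> ' + (Test-Path -LiteralPath '$Share' -ErrorAction Stop))
    `$f = Join-Path '$Share' ('probe_' + [guid]::NewGuid() + '.tmp')
    Set-Content -LiteralPath `$f -Value 'probe' -ErrorAction Stop
    Remove-Item -LiteralPath `$f -ErrorAction Stop
    Add-Content `$log 'write and delete succeeded'
} catch {
    Add-Content `$log ('FAILED: ' + `$_.Exception.Message)
}
"@
New-Item -ItemType Directory -Path (Split-Path $ProbeLog) -Force | Out-Null
Set-Content -Path $ProbeFile -Value $probe

# 3. Run it in a fresh logon session of the service account. You are
#    prompted for that account's password; it is never written to disk.
$cred = Get-Credential -UserName $svc.StartName -Message 'Service account password'
Start-Process -FilePath 'powershell.exe' -Credential $cred -Wait `
    -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $ProbeFile
Remove-Item $ProbeFile
Get-Content $ProbeLog
```

When the probe logs a FAILED line and no stored target for web-01, while the same test under your own account succeeds, the missing piece is a credential for the DMZ local account in the service account's profile: run `cmdkey /add:web-01 /user:web-01\<localuser> /pass` inside a session of that account (the `/pass` form without a value prompts for the password, so it stays out of scripts and command-line audit logs). Note that `Start-Process -Credential` performs an interactive logon; if the service account is denied interactive logon by policy, which is good hardening for a service account, register the probe instead as a scheduled task that runs under that account.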



Thomas Titus
 

Thanks Rob for the update.

Thomas Titus