Question

User Authenticating in Using App Pool Account

asked on July 16, 2018

We have a client that was using Mobile with users logged in.  We have the Mobile AppPool using a Windows AD account and that account also has a repository user with that same domain tied to it.  I bounced the LF server service and that was the only thing that happened today.  Is it possible that the users in Mobile auto-logged in with the account that runs the mobile AppPool after the restart?  

Those users stated they saw folders they shouldn't have had rights to.  We've checked Audit Trail and don't see any changes to rights or groups.  We did notice that the MachineTag was the same for the AppPool domain account and the real user in the Application Name in Audit Trail.

I asked one of the users affected to log out and log back into Mobile.  They then had the correct access rights.

Seems like a stretch, but we don't have any other explanation.

Thanks,

Dylan 

0 0

Answer

SELECTED ANSWER
replied on April 7, 2022

This was eventually identified as a hard-to-reproduce bug in Mobile and web client, and has been fixed. I'm having trouble tracking down the bug, but I believe it has been included in the latest release.

In general, the principle of least privilege says that you want the app pool running as a low-trust account, so not granting it rights to the repository is the right move anyway. I can't think of a good reason for it to run as anything other than the local app pool account.

1 0
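One way to check for the configuration the selected answer warns against, as an added example that is not part of this thread: a PowerShell audit that lists IIS application pools running as an explicit (domain or service) user instead of the per-pool virtual identity. It assumes only the WebAdministration module that ships with IIS; no pool names or accounts are assumed.

```powershell
# Added example, not from the thread: find IIS app pools that run as an
# explicit user account (the original poster's setup) rather than the
# built-in per-pool virtual identity the selected answer recommends.
# Assumes the WebAdministration module that ships with IIS is installed.
Import-Module WebAdministration

function Get-CustomIdentityAppPools {
    # One object per pool whose identity is a named account.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        [pscustomobject]@{
            Name         = $_.name
            IdentityType = $pm.identityType
            UserName     = $pm.userName
        }
    } | Where-Object { $_.IdentityType -eq 'SpecificUser' }
}

function Reset-AppPoolToVirtualIdentity {
    # Switch a named pool back to the least-privilege default,
    # the virtual account "IIS AppPool\<name>", then recycle it.
    param([Parameter(Mandatory)][string]$Name)
    Set-ItemProperty "IIS:\AppPools\$Name" -Name processModel `
        -Value @{ identityType = 'ApplicationPoolIdentity' }
    Restart-WebAppPool -Name $Name
}

# Report pools to review. Remediation is a deliberate follow-up step:
# any account found here should also be checked for repository rights.
Get-CustomIdentityAppPools | Format-Table -AutoSize
```

Run it on the Laserfiche web server as an administrator; pools it lists are the ones whose identity also deserves a look in the repository's trustee list, as the last reply did.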

Replies

replied on July 16, 2018

The account the mobile app pool is running as is not used to create connections to a LFServer/repository. More likely an administrative account was logged in and the apps cached the credentials on the device that resulted in auto-login the next time the apps were launched? To disable caching of the last logged in users' credentials you have to make sure Disable "Remember me" is checked under Repository settings, Authentication.

0 0
replied on July 17, 2018

We had thought that they were logged in with the wrong as well, but they wouldn't know the password to that account and we never logged into that device with that account for any "remember me" functionality. 

This also didn't happen to just one person either; in the Admin Console I saw 7 different connections.  Attached are two instances from Audit Trail.  The LF server service was restarted at 9:45am 7/16, which shows up as log-offs of the correct users.  Then at 9:47am the "administrative" account was logged in. Then it was logged off at 11:52am en masse with the Admin Console when users noticed they saw folders they shouldn't have seen.

User2.PNG (42.02 KB)
User1.PNG (41.43 KB)
0 0
replied on July 17, 2018

We (tried and) cannot reproduce it just looking at the code so it would be nice if you'd open a support case where we can ask the questions needed to narrow it down. 

0 0
replied on July 19, 2018

Another possible scenario would be if security settings changed earlier. Like if they were added to a Windows or Laserfiche group from where they can inherit elevated rights or privileges and with the Laserfiche server restarted the access tokens were recalculated resulting in different rights.

0 0
replied on April 7, 2022

I hate to raise an old thread from the dead but we are seeing a similar issue with our Web Client.

It sometimes happens if the user doesn't log out of the Web Client properly and just closes the browser. When they open the browser back up they are logged on under a Windows service account which both runs the app pool and was at one time used for Audit Trail. They couldn't access anything because the only feature rights the service account has is to retrieve audit data.

Other users say they are being logged out before hitting the 30 minute timeout limit. When they try to log back on the service account is what shows up in the login box rather than their own account.

I'm going to delete the service account from the repository and see if that clears things up. Will report back with results.


0 0
replied on April 14, 2022

This is a system that I inherited so I don't know why the service account is being used to run the app pool. Anyway, I completely removed the service account from the repository and the problem hasn't happened since.

2 0