Securing the media server
WMPTalk.com Forum Index -> Windows Media Server
Jon Suyo (Guest)
Posted: Fri Jun 18, 2004 11:50 pm    Post subject: Securing the media server

OK - 3 separate questions based upon the following setup.
A Windows 2003 Enterprise server running only winmed services. I plan to have on-demand content and live webcasts that should be accessible to the world. The server sits on its own workgroup and the winmed encoder (just for the live webcasts) sits on a corporate domain. The encoder and the server have no rights in each other's domain/workgroups:

1) Is there a benefit to using the built-in account "Network Service" as opposed to an account I create?
2) I use an account on the server that I created and use that account for anonymous authentication. That account has Read-Only rights on the publishing point's source directory. I then use the NTFS ACL authorization plug-in. Is that as secure as I can get it? (Can't use WMS Negotiate Authentication since these feeds need to be accessed by anyone, anywhere.)
3) We'd like to push a webcast so that the encoder controls the feed/stream. Since the encoder sits on one domain and the server on a totally unrelated workgroup, how do I allow the encoder to connect and push the feed? I only get access denied. The WMS Publishing Points ACL is configured, but I never get prompted for a user/pass.

Thanks in advance for your time & help.

Ravi Raman (Guest)
Posted: Sun Jun 20, 2004 12:42 am    Post subject: Securing the media server

1. Mostly that all the resources that WMServer uses have the appropriate ACLs to permit NetworkService. And in a domain setup, NetworkService will impersonate the computer account when accessing other resources in the domain, which can be useful in some cases. You can change it to an account of your liking, but you will need to fix all the ACLs so that this account has read access (say to registry keys, files etc.). The Network Service account has fairly low privileges compared to the Administrator or Power User accounts, so I don't see a reason why you would want to create a custom account.

2. I am not sure what other kind of security you are expecting. Can you be more specific?

3. Do you have WMS Negotiate disabled? When you push, anonymous authentication is tried. The Publishing Points ACL plug-in allows "Write/create" access only to Admin users. So, since anonymous users are not allowed, access is denied. The server would then attempt to use Negotiate to authenticate you after that. If you give the admin password of the server machine with Negotiate, that should enable you to push. (Alternatively, if you don't want to use the Admin account you can create a new push account, give that account create/write access on "WMS Publishing Points ACL Authorization" and then provide this account's credentials when prompted on the encoder.)

Hope this helps.
Ravi
-
This posting is provided "AS IS" with no warranties, and confers no rights.


jsuyo (Guest)
Posted: Sun Jun 20, 2004 12:33 pm    Post subject: RE: Securing the media server

1. OK - I guess I'll switch back to NetworkService.
2. I am simply trying to lock down the server as much as possible. I assumed that if I used anon authentication and gave only READ rights to that account, I'd be as secure as it gets.
3. By using WMS Negotiate, wouldn't clients also get prompted to authenticate?
I don't want unauthorized users to be able to create a broadcast (obviously) but at the same time, I want any user to be able to view the broadcast.

PS
Thank you for responding!
Ravi Raman (Guest)
Posted: Mon Jun 21, 2004 8:39 pm    Post subject: RE: Securing the media server

I am not sure about your issue #2, but I believe your issue #1 can be resolved:

0. Create your livefeed publishing point and enable PP ACL on it.
1. Create a user called "PushAdmin". Add this user at the server level with Write access and at the publishing point level PP ACL (i.e., on the livefeed publishing point) with Write+Create access.
2. Create a user called "PushRead". Give this user Read access on your "Livefeed" publishing point. Also, at the "Server" level, add the "PushRead" user to the PP ACL list with only Read access. [You probably missed the latter part.]
3. Enable Anonymous User authentication on the Livefeed publishing point with the username "PushRead".

Now the scenario should work. Authorization plug-ins are "must pass" at both levels. So if you have the PP ACL plug-in enabled at the server level and the publishing point level, then your user must have Read access at both levels to be permitted to stream from the server. Similarly, the user must have "Write" access at both levels to push onto a publishing point.

However, for authentication settings, if a publishing-point-level authentication plug-in is enabled, it overrides the server-level setting. If no publishing-point-level authentication plug-in is enabled, the server-level settings are applied.

Hope this helps.

Ravi
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jon Suyo" wrote:

Quote:
In regards to number 3:
I was able to start a push broadcast but ran into 2 separate problems:
The bigger problem was that while I was prompted for credentials to create the stream (due to WMS Negotiate - which is what I want), I was unable to play the stream as a general user. I need to have the security of Publishing Points ACL for creation, but the 'ease' of anonymous authentication for playback.
The only way around this was for me to use the same user that has permissions under Publishing Points ACL as the user in Anonymous User Authentication. But to get that to work, I needed to disable WMS Negotiate. It appears like I get either security or ease. I'd like to get both (prompt for user/pass when creating a PUSH feed and at the same time allow any user to connect and view it without getting prompted).

The second issue is that when I tell the encoder to copy the settings of the publishing point that I set up for Encoder Push (the same publishing point that I got to work above), it doesn't seem to copy the anonymous user that is used.

As I mentioned earlier in question 2 - I have set the NTFS ACLs for my On Demand playback directory to allow ONLY read access to user 'ondemand'. I then set Anonymous User Authentication and supply the credentials for user 'ondemand'.
I created a user called 'livefeed' and granted it rights under Publishing Points ACL to create a new publishing point. I'd like to end up using that same user for Anonymous User authentication (like I did above) but when I copy the settings from my working (PUSH) publishing point, it sets the user 'ondemand' as the anon user rather than the 'livefeed' user. I disabled the global Anonymous User authentication plugin, so I don't know where/why it keeps picking up the 'ondemand' user.


"Ravi Raman" wrote:

1. Mostly that all the resources that WMServer uses has
the appropriate ACLs to permit NetworkService. And in a
domain setup, NetworkService will impersonate the
computer account when accessing other resources in the
domain which can be useful in some cases. You can
change
it to an account of your liking, but you will need to
fix
all the ACLs so that this account has read access ( say
to registry keys, files etc.). Network Service account
has fairly low privileges compared to Administrator or
Power User account, so I don't see a reason why you
want
to create a custom account.
2. I am not sure what other kind of security you are
expecting. Can you be more specific?
3. Do you have WMS Negotiate disabled? When you push
anonymous authentication is tried. The publishing
points
ACL plug-in allows "Write/create" access only to Admin
users. So, since anonymous users are not allowed,
access
is denied. The server would then attempt to use
negotiate
to authenticate you after that. If you give the admin
password of the server machine with Negotiate, that
should enable you to push (Alternatively, if you don't
want to use Admin account you can create a new push
account, give that account create/write acces on "WMS
PUblishing Points ACL Authorization" and then provide
this account credentials when prompted on the encoder).

Hope this helps.
Ravi
-
This posting is provided "AS IS" with no warranties,
and
confers no rights.


-----Original Message-----
OK - 3 seperate questions based upon the following
setup.
A windows 2003 enterprise server running only winmed
services. I plan to have on-demand content and live
webcasts that should be accessible to the world. The
server sits on its on workgroup and the winmed encoder
(just for the live webcasts) sits on a corporate
domain.
The encoder and the server have no rights in each
others
domain/workgroups:

1) Is there a benefit to using the built in
account "Network Service" as opposed to an account I
create?
2) I use an account on the server that I created and
use
that account for anonymous authentication. That
account
has Read-Only rights on the publishing point's source
directory. I then use the NTFS ACL authorization plug-
in. Is that as secure as I can get it? (can't use WMS
Negotiate Authentication since these feeds need to be
access by anyone - anywhere).
3) We'd like to push a webcast so that the encoder
controls the feed/stream. Since the encoder sits on
one
domain and the server on a totally unrelated workgroup,
how do I allow the encoder to connect and push the
feed?
I only get access denied. The WMS Publishing Points
ACL
is configured, but I never get prompted for a user/pass

Thanks in advance for your time & help.
.


.
Back to top
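The rules Ravi lays out in the reply above and in his first answer (anonymous authentication is tried before Negotiate; authorization plug-ins are "must pass" at both the server level and the publishing-point level; an authentication plug-in enabled on a publishing point overrides the server-level setting) can be checked as a small model. The code below is an added example, not WMS code and not something from either participant: the `Level` and `Decision` types, the `decide`/`authorize` functions and the ACL tables are constructed here, the account names mirror the PushAdmin/PushRead steps, and it assumes that Negotiate stays enabled on the publishing point alongside Anonymous so that a failed anonymous push falls through to a credential prompt, as Ravi's first answer describes.

```python
"""
Model of the plug-in evaluation order Ravi describes in this thread.
Added illustration only; not WMS code. Account names and ACL tables are
constructed to mirror the PushAdmin/PushRead steps.
"""
from dataclasses import dataclass, field
from typing import NamedTuple, Optional

READ, WRITE, CREATE = "read", "write", "create"


@dataclass
class Level:
    """One scope (the server, or one publishing point) and its plug-ins."""
    # WMS Publishing Points ACL Authorization: account -> rights granted
    pp_acl: dict = field(default_factory=dict)
    # WMS Anonymous User Authentication: the account anonymous clients run as
    anonymous_as: Optional[str] = None
    # WMS Negotiate Authentication: client is prompted for user/pass
    negotiate: bool = False


class Decision(NamedTuple):
    allowed: bool
    identity: Optional[str]  # account the request was evaluated as
    prompted: bool           # whether the client saw a user/pass prompt


# Right required at *each* level. Create is also granted to the push
# account in Ravi's step 1; this model only checks Write, i.e. a push
# onto a publishing point that already exists.
NEEDED = {"play": {READ}, "push": {WRITE}}


def effective_auth(server: Level, point: Level) -> Level:
    """Authentication settings on the publishing point override the
    server's when any authentication plug-in is enabled on the point;
    otherwise the server-level settings apply."""
    if point.anonymous_as is not None or point.negotiate:
        return point
    return server


def authorize(identity: Optional[str], needed: set,
              server: Level, point: Level) -> bool:
    """Authorization is must-pass at both levels: the identity needs every
    required right in the server-level ACL and in the point-level ACL."""
    if identity is None:
        return False
    return all(needed <= lvl.pp_acl.get(identity, set())
               for lvl in (server, point))


def decide(server: Level, point: Level, action: str,
           credentials: Optional[str] = None) -> Decision:
    """Evaluate one request. `credentials` is the account the client can
    prove if prompted (None for a viewer without an account)."""
    auth = effective_auth(server, point)
    needed = NEEDED[action]
    # Anonymous is tried first; if it passes, nobody is prompted.
    if authorize(auth.anonymous_as, needed, server, point):
        return Decision(True, auth.anonymous_as, False)
    # Only then does Negotiate run, which means a user/pass prompt.
    if auth.negotiate:
        return Decision(authorize(credentials, needed, server, point),
                        credentials, True)
    return Decision(False, auth.anonymous_as, False)


def ravi_setup(pushread_at_server: bool = True):
    """Ravi's steps 0-3. pushread_at_server=False reproduces the omission
    he flags: PushRead granted on the point but not at the server level."""
    server = Level(pp_acl={"PushAdmin": {WRITE}}, negotiate=True)
    if pushread_at_server:
        server.pp_acl["PushRead"] = {READ}
    livefeed = Level(pp_acl={"PushAdmin": {WRITE, CREATE},
                             "PushRead": {READ}},
                     anonymous_as="PushRead",  # step 3
                     negotiate=True)           # assumed: left enabled on the point
    return server, livefeed


def ease_only_setup():
    """Jon's workaround: the push account doubles as the anonymous identity
    and Negotiate is disabled. No prompts, but anyone can push."""
    server = Level(pp_acl={"livefeed": {READ, WRITE}}, anonymous_as="livefeed")
    livefeed = Level(pp_acl={"livefeed": {READ, WRITE, CREATE}})
    return server, livefeed


if __name__ == "__main__":
    srv, pp = ravi_setup()
    print("viewer, no account     :", decide(srv, pp, "play"))
    print("encoder as PushAdmin   :", decide(srv, pp, "push", "PushAdmin"))
    srv, pp = ravi_setup(pushread_at_server=False)
    print("viewer, no server read :", decide(srv, pp, "play"))
    srv, pp = ease_only_setup()
    print("unauthenticated push   :", decide(srv, pp, "push"))
```

Running it shows why the server-level grant in step 2 matters: without it the anonymous identity fails the server-level check, so every viewer falls through to the Negotiate prompt, which is exactly the "EVERY user connecting gets prompted" symptom reported later in the thread. The `ease_only_setup` case shows the cost of the workaround Jon describes: with the push account doubling as the anonymous identity and Negotiate off, an encoder that presents no credentials at all is allowed to push.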
Jon Suyo (Guest)
Posted: Tue Jun 22, 2004 1:58 am    Post subject: RE: Securing the media server

ARGH!!
I finally had time to try this out and I'm running into the same problem as before. I have the 2 accounts Push/Play and each have their rights. However, I am still getting prompted at all times for a user/pass. If I disable Negotiate, then I can't create the publishing point. If I leave it enabled, EVERY user connecting gets prompted for a user/pass - which is unacceptable. It seems that Anonymous User authentication isn't kicking in at all.
Harumph!

"Jon Suyo" wrote:

Quote:
As usual - the answer was staring me right in the face. Ravi - Thank you so much, you were very helpful.

Ravi Raman (Guest)
Posted: Tue Jun 22, 2004 4:31 am    Post subject: RE: Securing the media server

The steps I suggested work with a publishing point that already exists; it seems like you are creating a new publishing point. (I presumed the Livefeed publishing point was pre-created in the steps I mention below.)

Before you try anything different, can you clarify whether you are creating a new publishing point with push or trying to use an existing publishing point?

Also, are you trying the "Copy settings" option at all or not?

Thx,
Ravi
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Jon Suyo (Guest)
Posted: Tue Jun 22, 2004 8:08 pm    Post subject: RE: Securing the media server

It looks like WMS caches the last used Anon username/pass. It kept using an old one. Once I entered in the new one (and then disabled it), it 'remembered' the newer user/pass. I think I'm good now. Thanks again.

 
All times are GMT