Forum / Wayk Now - Support

Bookmark with password cannot be saved in a roaming profile if the users have no admin rights

Hi
We use the bookmark feature with SRD, but a new bookmark can only be saved when the user has local admin rights, which is not the default in our company.
Thanks for help

26 days

Hello

I don't have an environment available with roaming profiles to test this, but I have done some checking and believe I understand the problem.

Wayk Now has a built-in credential store - we use it to keep the credentials outside of the bookmark file. The credential store encrypts sensitive information (like passwords) using a master key, which is itself stored in the Windows Credential Store.

The master key is persisted only to the local computer; meaning that although the Wayk credential store and bookmarks will roam with the profile, entries will only be able to be encrypted or decrypted on the machine that originally created them (i.e. the first machine that the user ran Wayk Now).

It is possible to persist entries in the Windows Credential Store so that they are able to roam with the user profile. We need to do proper testing if that is the correct fix, as we will need to ensure backward compatibility. I've opened a ticket internally to track this item and will post back here once I have an update on that.

Thanks and kind regards,

Richard Markievicz

26 days

Hi
The ability to roam with the profile would be nice, but my problem is I cannot even create a complete bookmark.
If I try to save an SRD bookmark without local admin rights, I get a failure message and the bookmark is created but without the credentials.
If I do the same steps and give the user local admin rights and run wayknow as admin, the bookmark is successfully created.
In File Explorer I see the difference: without local admin rights the file "wayknow.vault" was not created.
Let me know if you need some more information

25 days

Hello

Thanks for the update. The WaykNow.vault file should be written to %APPDATA%\Wayk (i.e. roaming storage); so I believe that the problem is when the non-admin user tries to store the master key in the Windows Credential Store. As I said above, we're using "local" storage for this, which will prevent things from working properly on roaming profiles - but I would expect that the user could still store credentials on the first machine they use (i.e. when WaykNow.vault doesn't already exist).

It is possible that the user doesn't have access to the path where Windows wants to save the credentials DB. You can determine the path by running:

vaultcmd.exe /list

On my machine, it prints something like this:


Currently loaded vaults:
Vault: Web Credentials
Vault Guid:4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Location: C:\Users\rmarkiewicz\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

Vault: Windows Credentials
Vault Guid:77BC582B-F0A6-4E15-4E80-61736B6F3B29
Location: C:\Users\rmarkiewicz\AppData\Local\Microsoft\Vault


The vault we are interested in is "Windows Credentials". If nothing is listed when you run that command, can you check user permissions on the path %userprofile%\AppData\Local\Microsoft\Vault (assuming Windows 10)? Can your users read and write there?

That will help us be sure of the issue, although I do believe that changing the options we use to persist the master key will resolve this.

Thanks again and kind regards,

Richard Markievicz

25 days

My output of vaultcmd.exe /list is similar to your output, except the username ;-)
My user also has full permission on the path %userprofile%\AppData\Local\Microsoft\Vault.


Kind regards from Switzerland

24 days

Hello

Thanks for the update. That is strange indeed - if it's possible to help troubleshoot further, the Windows Credential Store has a command line API that we can use to test if your users are able to store and retrieve credentials. You could try the following:

cmdkey /generic:test-target /user:test /password:test

Assuming it's successful in creating the credential, you can try to list it back out:

cmdkey /list

And then clean up afterwards

cmdkey /delete:test-target

Please let me know if that works or not.

Thanks and kind regards,

Richard Markievicz


24 days
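
The checks suggested in the posts above (vaultcmd listing, permissions on the vault path, and the cmdkey store/list/delete round trip), collected into one PowerShell script to run as the affected non-admin user. This is an added example, not part of the original posts and not Wayk Now's own code; the target name `wayk-diag-test-target` is a constructed placeholder.

```powershell
# Added diagnostic example. Run as the affected user in a normal, non-elevated session.
# $target is a constructed test name, not one Wayk Now uses.
$target = 'wayk-diag-test-target'
$r = [ordered]@{}

# 1. The test only means something when the session is not elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$r.Elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. vaultcmd labels are localized, so match the "Windows Credentials" vault by the
#    GUID shown in the thread rather than by its display name.
$vaults = (& vaultcmd.exe /list 2>&1 | Out-String)
$r.WindowsVaultListed = $vaults -match '77BC582B-F0A6-4E15-4E80-61736B6F3B29'

# 3. Can this user create a file in the vault directory named in the thread?
$vaultDir = Join-Path $env:USERPROFILE 'AppData\Local\Microsoft\Vault'
$probe = Join-Path $vaultDir ('probe-{0}.tmp' -f [guid]::NewGuid())
try {
    [IO.File]::WriteAllText($probe, 'probe')
    $r.VaultDirWritable = $true
} catch {
    $r.VaultDirWritable = $false
} finally {
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
}

# 4. Store, read back and delete a throwaway generic credential.
#    /pass is the documented spelling of cmdkey's password switch.
& cmdkey.exe "/generic:$target" /user:test /pass:test | Out-Null
$r.AddExitCode = $LASTEXITCODE

# Generic entries are listed as "...target=<name>"; the header line alone also
# contains the name, so match the "target=" form to avoid a false positive.
$pattern = 'target=' + [regex]::Escape($target)
$listed = (& cmdkey.exe "/list:$target" | Out-String)
$r.ReadBack = $listed -match $pattern
$r.Listing = $listed.Trim()

# 5. Clean up and confirm the entry is gone.
& cmdkey.exe "/delete:$target" | Out-Null
$r.DeleteExitCode = $LASTEXITCODE
$r.GoneAfterDelete = -not ((& cmdkey.exe "/list:$target" | Out-String) -match $pattern)

[pscustomobject]$r
```

If `ReadBack` is True while `Elevated` is False, the account can write generic credentials to the Windows Credential Store without admin rights.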


Hello

I successfully created the credential, and could also list and delete it.

Kind regards

19 days

Hello again

Thanks for checking that and providing confirmation for me.

I can see we need to take a closer look at what the problem might be: if the user can create and manage credentials in the local profile, then it should work within Wayk Now as well (although the "roaming" might not truly work as I addressed above).

We have an issue raised for this internally, I will set up an environment that I can test with and post back here when I have some information.

Thanks and kind regards,

Richard Markievicz

19 days

Hello again

As a small update on this; I'm still working on getting a test environment with roaming profiles together. I also have an idea for a potential workaround that could enable this to work. We're hoping to address this issue for the next release.

Thanks for your patience,

Richard Markievicz

5 days