Emergency access to any user account
8th of August, 2016


Before we start, let's get a few things clear:

  • This is not a vulnerability in Kentico.
    If your plan is to do something malicious with this tip - go away
  • You need access to the database, preferably via SQL Server Management Studio (SSMS)

A few times now, I have found myself in a situation where I needed to access a user account in Kentico, usually on a production instance. Normally I handle this with impersonation or one of the forgotten-password reset methods. However, sometimes the account is a Global Administrator (which cannot be impersonated), and resetting the password is not an option.

This trick will give you temporary access to any user account, in two steps.

Step one - run the following query on the database of the instance. Replace AccountUsername with the username of the account you wish to access.

DECLARE @AuthGUID UniqueIdentifier = NEWID();
UPDATE CMS_UserSettings SET UserAuthenticationGUID = @AuthGUID
WHERE UserSettingsUserID IN (SELECT UserID FROM CMS_User WHERE UserName = 'AccountUsername');
SELECT @AuthGUID;

Step two - append an authenticationguid query string parameter, set to the value the SQL query returned, to any URL of the website, and open it in your browser.

For example, to access the Admin section:
http://www.example.com/Admin?authenticationguid=01234567-89ab-cdef-0123-456789abcdef

This URL is only valid for one request, so you will need to run the SQL query again each time you wish to access the account.

Because GUIDs are hard to guess, and the magic URL is only valid from the moment you run the SQL query until the moment you visit the website, this is a safe way to access an account in an emergency.
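The same two-step procedure, rewritten as an added example that is not from the original post: the update refuses to run unless exactly one account matches, the change is wrapped in a transaction, and it is followed by the audit and clean-up queries an administrator would want after an emergency session. It assumes the Kentico tables and columns the post already names (CMS_User, CMS_UserSettings, UserAuthenticationGUID) and that nothing else populates UserAuthenticationGUID; @UserName is a placeholder to replace before running.

```sql
-- Added example (not from the original post). Assumes the Kentico schema
-- named in the post; 'AccountUsername' is a placeholder to replace.
SET NOCOUNT ON;
SET XACT_ABORT ON;

DECLARE @UserName NVARCHAR(100) = N'AccountUsername';  -- replace before running
DECLARE @AuthGUID UNIQUEIDENTIFIER = NEWID();
DECLARE @UserID   INT;

-- Resolve the account first, so a typo cannot silently update zero rows.
SELECT @UserID = UserID FROM CMS_User WHERE UserName = @UserName;
IF @UserID IS NULL
BEGIN
    RAISERROR(N'No user named %s found; nothing changed.', 16, 1, @UserName);
    RETURN;
END;

BEGIN TRANSACTION;

UPDATE CMS_UserSettings
SET    UserAuthenticationGUID = @AuthGUID
WHERE  UserSettingsUserID = @UserID;

-- Exactly one settings row must have changed; anything else is rolled back.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Expected one CMS_UserSettings row for %s; rolled back.', 16, 1, @UserName);
    RETURN;
END;

COMMIT TRANSACTION;

-- The one-time value to append as ?authenticationguid=... plus when it was issued,
-- so the access can be recorded in whatever change log you keep.
SELECT @AuthGUID AS AuthenticationGUID,
       @UserName AS UserName,
       SYSUTCDATETIME() AS IssuedAtUtc;

-- Audit: any account that still has a GUID set has an unconsumed one-time login
-- value outstanding (assumption: nothing else writes this column). Run this after
-- the session, or periodically, and investigate anything you did not issue.
SELECT u.UserName, s.UserAuthenticationGUID
FROM   CMS_UserSettings s
JOIN   CMS_User u ON u.UserID = s.UserSettingsUserID
WHERE  s.UserAuthenticationGUID IS NOT NULL;

-- Clean-up for a GUID that was issued but never used (assumes the column is
-- nullable, as it must be for accounts that were never issued one):
-- UPDATE CMS_UserSettings SET UserAuthenticationGUID = NULL WHERE UserSettingsUserID = @UserID;
```

The row-count check matters more than it looks: if the username is wrong, the original query quietly updates nothing and hands you a GUID that opens no account, whereas this version stops and tells you. The audit query is the part to keep around, since a GUID left in the table is an unused login link until someone consumes it.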

Written by Kristian Bortnik