I am using the shellobj unit to list network shares with subfolders using the IShellFolder interface, but it doesn't work in a Windows service application. Can someone advise a way to solve that problem?
thanks
As David mentioned you have to make sure your service runs in the correct context. See this post here.
The logon account determines the security identity of the service at
run time, that is, the service's primary security context. The
security context determines the service's ability to access local and
network resources. For example, a service running in the security
context of a local user account cannot access network resources.
Related
I have setup a Linked Service in Azure Data Factory to use in a Copy Activity to access Graph APIs, which require use of the OAuth protocol, which works fine. I now want to extend that to use the same Linked Service with a Web Activity. But in tests, it is returning "Empty Token"; Am I missing a (simple) config. option, or am I misunderstanding something?
Earlier, I used explicit Token fetch, which also works fine, but as my queries will - in Production - take longer than the (default) Token TTL, I did not want to have to implement Token refresh, at least not if the Linked Service will handle it for me.
I'm grateful to https://learn.microsoft.com/answers/users/7986441/carlzhao-msft.html for pointing out that I need also to specify, in the Web Services Settings Tab, the Authentication as Managed Identity, with the accompanying Resource as https://graph.microsoft.com/, for my Use Case
In a Windows service there is a Logon option, and there we can select Local System or a specific user. How does it differ by choosing different options with respect to the service running?
Different login credentials have different permissions with respect to resource access.
If you set the logon credential to a user, that user's access may not give the service ample permissions to use whatever resources are necessary for it to function.
So setting the right user/service account for the service is important.
How do I know what account is right for the service?
If it is a service installed by a program (or something that already was installed with Windows) then the account should be correct.
If however it is some service you created (via some programming language), then you'll have to figure out what resources are required for that service to run properly and find the correct user/service account.
So I have Windows Server 2016 TP5 and I'm playing around with the containers. I am able to do basic docker tasks fine. I'm trying to figure out how to containerize some of our IIS-hosted web applications.
Thing is, we usually use integrated authentication for the DB and use domain service accounts for the app pool. I currently don't have a test VM (that is in a domain) so I can't test if this will work inside a container.
If the host is joined to an AD domain, are its containers also part of the domain? Can I still run processes using domain accounts?
EDIT:
Also, if I specify the "USER" in the dockerfile, does this mean that my app pool will run using that (instead of the app pool identity)?
There are at least some scenarios where AD-integration in a Docker container actually works:
1. You need to access network resources with AD credentials.
   Run cmdkey /add:<network-resource-uri>[:port] /user:<ad-user> /pass:<pass> under the local identity that needs this access.
   To apply the same trick to IIS apps without modifying AppPoolIdentity you'll need a simple .ashx wrapper around cmdkey (Note: you'll have to call this wrapper at run-time, e.g.: during ENTRYPOINT, otherwise network credentials will be mapped to a different local identity).
2. You need to run code under an AD user.
   Impersonate using the ADVAPI32 function LogonUser with LOGON32_LOGON_NEW_CREDENTIALS and LOGON32_PROVIDER_DEFAULT as suggested.
3. You need transport layer network security, like when making RPC calls (e.g.: MSDTC) to AD-based resources.
   Set up gMSA by using any guide that suits you best. Note, however, that gMSA requires the Docker host to be in the domain.
Update: this answer is no longer relevant - was for 2016 TP5. AD support has been added in later releases
Original answer
Quick answer - no, containers are not supported as part of AD so you can't use AD accounts to run processes within a container or authenticate with it
This used to be mentioned on the MS Containers site but the original link now redirects.
Original wording (CTP 3 or 4?):
"Containers cannot join Active Directory domains, and cannot run services or applications as domain users, service accounts, or machine accounts."
I don't know if that will change in a later release.
Someone tried to hack around it but with no joy.
You can't join containers to a domain but if your app needs to authenticate then you can use managed service accounts. Saves you the hassle of having to deal with packaging passwords.
https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/manage_serviceaccounts
I'm so confused.
Consider the following:
Active Directory environment with a domain called DOM
An IIS 7 box with a NetBIOS name VS1
A DNS record providing an alias for VS1 as pineapple.london.uk.corp
An Application Pool running as DOM\PineappleService
Windows Authentication enabled.
Clients use HttpWebRequest to call the XML/JSON ASP.NET services on the box.
The service calls out to workstations on the network to gather information. This works in development where I use IIS Express which runs as me, since IISX is just an .exe
In production, services work fine, authentication works, but invoking functions that cause the service (running as PineappleService) to access stuff on the network, fails.
I suspect an SPN registration issue but I don't know what SPNs to setup.
Most recently, I've stumbled across this article which seems to fly in the face of some other articles:
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
Note that it says
The SPN requirements remain the same as above. You don't have to add
SPNs like http/ for the Domain1\Username1
unlike in IIS 6.0 (where we had to add an SPN of the form
http/ for the Application Pool identity).
So I don't know what's right anymore. I don't know if I need to register HTTP SPNs or HOST SPNs or use the DNS alias or the NetBIOS name, and set them on the PineappleService account or on the VS1 computer account.
I can't tell if when I try things that there's a slow AD replication issue that means I must wait an hour between trial and error.
It's all so complicated now. I've worked as a sysop and dev for 15 years and I sense the end of domains and workstations and rights and policies. It's all gotten too much.
Thanks for your help.
Luke
This is a cross-post with ServerFault which is getting no answers:
https://serverfault.com/questions/417483/serviceprinciplename-setup-for-web-service-on-iis-
I created a Windows service and installed it on the user's machine.
That Windows service is very important and I do not want the user to be able to change its startup type to "disable".
It seems the "Plug and Play" service can disable the Startup drop-down listbox.
How can I get the same behavior for my Windows service?
I would imagine it has to do with setting the appropriate permissions on the registry key. But a user with sufficient permissions can do anything. If this is for a business application, I would try to stick to using group policy or user permissions. If this is for a commercial application then I would expect a lot of upset users and malware detection.
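Besides the registry key ACL mentioned in the answer above, a caller needs the SERVICE_CHANGE_CONFIG right in the service's own security descriptor to change the start type through the service control manager. The Python below is an added example, not part of the original answer: it reads an SDDL string in the format printed by `sc.exe sdshow <service>` and lists the trustees whose allow ACEs let them reconfigure the service. The SDDL strings are constructed samples and the helper names are hypothetical.

```python
import re

# Access-mask bits for the two-letter SDDL rights, read with their service meaning.
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}
# Rights that allow changing the start type, directly or by rewriting the ACL:
# SERVICE_CHANGE_CONFIG (DC), WRITE_DAC (WD), WRITE_OWNER (WO), GENERIC_ALL/WRITE.
CAN_RECONFIGURE = BITS["DC"] | BITS["WD"] | BITS["WO"] | BITS["GA"] | BITS["GW"]
NAMES = {"SY": "Local System", "BA": "Administrators", "AU": "Authenticated Users",
         "IU": "Interactive", "SU": "Service", "BU": "Users", "WD": "Everyone"}

def rights_mask(rights):
    """Convert an SDDL rights field (letter pairs or 0x hex) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for pair in re.findall("..", rights):
        mask |= BITS.get(pair, 0)
    return mask

def dacl_aces(sddl):
    """Yield (ace_type, mask, trustee) for the DACL only; the SACL (S:) is skipped."""
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) >= 6:
            yield fields[0], rights_mask(fields[2]), fields[5]

def who_can_reconfigure(sddl):
    """Trustees with an allow ACE that lets them change the service configuration."""
    found = []
    for ace_type, mask, trustee in dacl_aces(sddl):
        if ace_type == "A" and mask & CAN_RECONFIGURE:
            found.append(NAMES.get(trustee, trustee))
    return found

# Constructed samples in the format printed by `sc.exe sdshow <service>`.
DEFAULT_STYLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
TOO_OPEN = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRRC;;;AU)(A;;0xf01ff;;;BA)"

if __name__ == "__main__":
    for label, sddl in (("default-style", DEFAULT_STYLE), ("too-open", TOO_OPEN)):
        print(label, "->", who_can_reconfigure(sddl))
```

Deny ACEs and group membership are not evaluated here, so the result is the set of trustees granted the right, not a full effective-access calculation.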