I'm setting up a Windows service that monitors other services and will restart them if they get disconnected. For security reasons I've decided to run this service on a special "service" account, and for each service it's supposed to have access to it granted to the service account by an administrator.
In order to do this I'm using the "ServiceController" class. I've been able to get it to work with local computer services, but when I attempt to connect to another network on the computer I get an InvalidOperationException. Is there a "browse" or "discover" permission that I can give to the service account?
Imports System.Linq
Imports System.ServiceProcess

' The first line throws the exception even though the service account has permission set for that
' particular service and that particular machine. Again, it works fine if the service is
' located on the same machine.
Dim services = ServiceController.GetServices(serviceComputer).ToList()
' Look up the service by name; SingleOrDefault returns Nothing when it is not found.
Dim serviceOfInterest As ServiceController = (From service In services _
    Where service.ServiceName = "SomeServiceName" _
    Select service).SingleOrDefault()
If serviceOfInterest IsNot Nothing Then serviceOfInterest.Start()
The permissions you need are described here: http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx.
Specifically, to obtain the list of services you need SC_MANAGER_ENUMERATE_SERVICE. According to the table in the link above this permission is granted to:
Local authenticated users
LOCAL SYSTEM
BUILTIN\ADMINISTRATORS
Apparently, when connecting remotely, the first two options are out, so you only have one option left -- being part of the local administrators group.
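To check the answer above against a real machine, the following added example (not part of the original posts) parses a Service Control Manager security descriptor in SDDL form and reports which trustees hold SC_MANAGER_ENUMERATE_SERVICE. The sample descriptor is constructed, modelled on what `sc.exe sdshow scmanager` prints; the function names are hypothetical, and deny ACEs are assumed absent.

```python
import re

# Access-mask bits of the Service Control Manager object, keyed by SDDL token.
BITS = {"CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
        "WP": 0x0020, "RC": 0x20000, "KA": 0xF003F, "GA": 0xF003F}
SC_MANAGER_ENUMERATE_SERVICE = 0x0004
NAMES = {"AU": "Authenticated Users", "IU": "INTERACTIVE", "SU": "SERVICE",
         "SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators", "NU": "NETWORK"}

# Constructed sample; the real descriptor differs between Windows versions,
# so substitute the output of `sc.exe sdshow scmanager` from the target host.
SAMPLE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)")


def ace_mask(rights):
    """Turn an SDDL rights field ("CCLCRPRC" or "0x14") into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= BITS.get(rights[i:i + 2], 0)  # tokens not listed above are ignored
    return mask


def allow_aces(sddl):
    """Return (trustee, mask) for every allow ACE in the DACL; the SACL is skipped."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) >= 6 and fields[0] == "A":
            aces.append((fields[5], ace_mask(fields[2])))
    return aces


def trustees_with(sddl, right=SC_MANAGER_ENUMERATE_SERVICE):
    """Names of the trustees whose allow ACE includes the requested right."""
    return [NAMES.get(t, t) for t, m in allow_aces(sddl) if m & right == right]


def token_can_enumerate(sddl, token_sids):
    """True if any SID alias in the caller's token is granted enumeration."""
    return any(t in token_sids and m & SC_MANAGER_ENUMERATE_SERVICE
               for t, m in allow_aces(sddl))


if __name__ == "__main__":
    print(trustees_with(SAMPLE_SDDL))
    print(token_can_enumerate(SAMPLE_SDDL, {"AU", "NU"}))  # remote, non-admin logon
```

A network logon carries Authenticated Users and NETWORK but not INTERACTIVE, which is why the non-administrator remote caller in the sample is refused enumeration while the same account logged on locally is not.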
I have two systems, one is an ERP and the other is a POS application, and I have a customer who uses a USB token to assign some files. I have two scenarios:
When I use the ERP to assign a file, it calls an application which is made just to do that; it's called DFe and it works well, it finds the certificate.
In my POS, to do the same operation, it calls a general service application which manages all our system, and this service calls DFe, but when DFe is called from my general service, it doesn't find my certificate; Windows returns the error "key set is not defined". I already made my service log on with the user's credentials, but it didn't work.
Why doesn't my application find the certificate in this second scenario?
PS: The system is Windows 7
I solved the problem by moving the certificate from local user to local computer in mmc.exe. I set the service to run on local computer and it works.
When trying to deploy my Release to a server using a local Admin account on the server, I get the message:
7-05-09T08:12:50.6866361Z 2017/05/09 10:12:50 ERROR 5 (0x00000005) Getting File System Type of Destination \\server\C$\temp\
2017-05-09T08:12:50.6866361Z Access is denied.
during the robocopy to the remote server.
When trying to use my domain account (also Administrator) it works without any problems.
What am I missing?
Make sure that the UNC path \\server\C$\temp\ can be accessed by the local account you used as the build service account.
I suggest that you use a domain user to access the domain resources. Or you could share that folder \\server\C$\temp\ to Everyone and give the Read and Write permission.
If you insist on using a local account, as a workaround:
Local accounts on each member server where the shared folders are stored will have to be created to directly map to the same username/password combinations the users are using on each local machine. For example, on client 1, local user named A, password xxxx, on the server which stores the shares, you need to create a local user named A with the same password xxxx.
I developed an application in Delphi 2010 that reads XML data from a transactional queue. It works fine if the queue is local or remote and I don't have to set permissions in both cases.
Now I have to convert that application into a Windows Service. I copied and pasted the same application into the service code, but when I try to read the queue I get the "Access denied" error. I'm doing the tests on my local machine.
Some people say that it's a matter of permissions. I found some posts here on Stack Overflow about the same problem but I didn't find the solution.
Any ideas? I'm using Windows 7 as well.
If you are running the application locally, you are running it under your Windows logon credentials. Services by default are launched under a different user account which may not have the same rights as your account does.
Bring up the service manager (start->services.msc), find your service in the list, right click it and select Properties. Then select the Log On tab and change it to a specific account name/password. (Use your account name / password.) You'll then be executing the code using the same credentials so your Access Denied error should go away.
I built a sample application for DCOM by following the steps given in this link.
After building the client and test DCOM server, I tried to run the client on my system and it worked correctly. But if I try to run the client from a remote location, an error message comes up saying "Access is denied".
How can I run my client from a remote location?
And also, will I be able to see the test DCOM server in dcomcnfg.exe?
If yes, where can I see it?
I was able to see it in regedit.
You might well have already done this, but can I just cover some basics...?
Go to the "Component Services" MMC snap-in, right-click on "My Computer" there and select "Properties".
In the "Default Properties" tab, make sure that "Enable Distributed COM on this computer" is enabled.
In the "COM Security" tab, make sure the access, launch and activate permissions are configured to allow the scenario you're in.
The following is what I have got so far, but I am still digging; you may find a better way anyway. Do the following with elevated permission.
First run the server.exe on both computers to register them (/regserver).
Add incoming firewall rules on the server machine to accept incoming client DCOM connections.
Define the same user with the same password on both computers (assuming you are not in a domain). Add them to "Distributed COM Users".
Run DCOMCNFG and do the following:
Console Root>Component Services>Computers>My Computer>Properties>Default Properties>Enable Distributed COM on this computer
Console Root>Component Services>Computers>My Computer>Properties>Default Properties>Default Authentication Level>Connect
Console Root>Component Services>Computers>My Computer>Properties>Default Properties>Default Impersonation Level>Identify
Console Root>Component Services>Computers>My Computer>Properties>Default Protocols>Connection-oriented TCP/IP
Console Root>Component Services>Computers>My Computer>Properties>COM Security>Access Permissions>Edit Limits>Add "Distributed COM Users" with Local and Remote Access enabled
Console Root>Component Services>Computers>My Computer>Properties>COM Security>Launch and Activation Permissions>Edit Limits>Add "Distributed COM Users" with Local and Remote Launch and Activation enabled
Under My Computer find the server (it should be there if it is registered correctly)
server.exe>Properties>General>Authentication Level>Default
server.exe>Properties>Location>Run application on this computer enabled
server.exe>Security>Launch and Activation Permissions>Customize>Edit>Add Distributed COM Users with Local and Remote Launch and Activation enabled
server.exe>Security>Access Permissions>Customize>Edit>Add Distributed COM Users with Local and Remote Access enabled
server.exe>Endpoints>DCOM-Oriented endpoints>Add Connection-oriented TCP/IP
server.exe>Identity>select The interactive user or The launching user, whichever is appropriate
After the above settings I am always able to call the implemented server interface from the client application.
I hope it helps,
Zonouzi
I am attempting to programmatically FTP a backup file that is stored on a SAN device. The device has been mapped on the server. I tested the application by running it from an icon on the desktop and it works perfectly. When I run the program through a Windows service I get an error message saying that the drive cannot be found. The account that the service was running under was the local account. I thought the issue might be that account so I created a new user and ran the service under that account. The same error message occurs. Has anyone experienced this before and found a resolution to this problem?
The drive mappings exist only for the logged-on user. For this reason they are not visible to the service as it runs on a lower level. You need to use some FTP client if you want to use the storage location from a service.
The same problem appears with network shares, where you cannot access a network share mapped to a network drive from services. The correct way to access these shares from a service is to use a UNC path similar to "\\SANS\Backuplocation".