Felecha, posted August 27, 2004:

I'm working on a system that has several computers that run an alerting system. There are 2 "Host" machines that have no user interface, and one "Admin" station that has an Administrator's application for configuring and reporting. They are on a simple local network, just the 3 machines, no wider access.

We do a certain amount of communication between them, using UDP and MessageQueueing and also in one instance a VB.Net Windows Forms application on the Admin station, that has a button that a user can click that will write a new ini file for the system and send it to a network share on the Hosts, named "DataShare". It is simple enough, just using File.Delete and File.Copy, with the normal syntax -- File.Copy("C:\IniFileFolder\Configuration.ini", "\\HostA\DataShare\Configuration.ini"). It's been working for a long time.

There is also a Windows Service application written in VB.Net, running on the Admin station. It runs as a Service and receives and processes stuff coming in on the MessageQueue. We want to use it as a means of deleting old, out-of-date log files on the Hosts. There are many logs kept, each one starts a new dated log file once per day, and we figure we will delete logs older than 10 days.

I wrote a simple method that works just fine, but I did it as a development version in a Forms application first, since that's easier to debug. I copied the method's code into the Service, built it, installed it, and now I find that it throws an Exception:

System.UnauthorizedAccessException: Access to the path "\\HostA\DataShare\Configuration.ini" is denied.

The exact same code, it works in the Forms version, fails in the Service version. Is there some security aspect to Windows XP Pro that does not allow file access to a Service running on another machine?
PlausiblyDamp (Administrators), posted August 27, 2004:

The service needs to be configured to run as a user who has permissions to the share - you can do this via Administrative Tools, Services.

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein
Felecha (Author), posted August 27, 2004:

It won't work if it's already set to logon as Local System Account? What account would I give it? On the remote machine that I want to access for the deletes, there's nothing that I know of in the way of restrictive account permissions. Security is not my strong point, so I may ask dumb questions.
Felecha (Author), posted August 27, 2004:

Magic! I went into the dialog boxes and noodled down to where I found a list of accounts and reasoned that I could select the logon that I work under, and gave it the password I use. It worked! What's the deal?
PlausiblyDamp (Administrators), posted August 27, 2004:

Local System Account has fairly unlimited access to the local machine but no access to network resources. Using a network (Domain) account gives access to whatever that account can do - you may want to create a specific account for the service to run under - at the moment it can do everything you can which may be more than it needs.
Felecha (Author), posted August 27, 2004:

In playing with it I found only that I had to create a User that I added to the Administrators group. It doesn't seem to matter if there is a User account at the remote end that matches. I found I could not create a plain user and get in even if there is a matching user at the other end.

What would I want it to do and not do? I really don't know much about this. Ever since I got on a computer I just log on and start working without knowing about this stuff.
PlausiblyDamp (Administrators), posted August 28, 2004:

How did you create the user? If you are in a networked environment then if the account is a domain account it will be usable on all computers in the domain. You are probably better giving the account you've created just enough permissions to get the job done rather than too much access. Giving accounts administrative access is generally a bad idea as they are then open to abuse (an admin account can do pretty much anything and everything on the network!)
Felecha (Author), posted August 29, 2004:

It's just a workgroup. Is there a lesser level than Administrator that I can give it? It may not be a big concern. The system is literally just 3 computers. By the customer's specification, in the contract, there is to be no other network access to the system. It's just its own little 3-machine world.
Felecha (Author), posted August 30, 2004:

Can it be set in the Properties of Me.ServiceProcessInstaller.Account? I was thinking it is probably something that can be set rather than having to do it manually in the Services Console window.

I found the Account property, but it's puzzling - when I try to use ServiceProcess.ServiceAccount.NetworkService I get an Exception saying access to a local file path is denied (I'm writing the file locally and copying it to the remote machine). It doesn't matter if I use a username and password or not.

If I try to use ServiceProcess.ServiceAccount.User I get a failure to install the Service at all, with the message that the account name is invalid or does not exist, or the password is invalid. It doesn't matter what account name I try, and I know they are correct account names.

ServiceProcess.ServiceAccount.LocalSystem can't get network access, and ServiceProcess.ServiceAccount.LocalService can't access the local file system.

What am I doing wrong?
Felecha (Author), posted August 30, 2004:

Trying things. I changed my code to directly create and write the file to the remote system. I originally did it that way because in my Forms application that's what I can do with no problem. Early in my struggles with the difficulties with the Service I thought maybe I could write the file locally and then File.Copy it over to the remote system. So I went back to -- maybe it's not a problem to do FileInfo.CreateText("\\HostA\DataShare\Configuration.ini") after all.

So I did that and now when I try Account = NetworkService I get a popup from the Services console when I start the Service, saying that the Service started and then stopped - some services stop if they have nothing to do. That one really puzzles me. What can that mean?

If I use Account = LocalService, I get the error "Access to the path "\\HostA\DataShare\Configuration.ini" is denied."

I really don't know what to do but blunder around trying this and that. If I set the Service's logon manually in the Services Console, it works, but trying to set it through VB.Net it doesn't. There has to be a piece of the puzzle I'm missing.

Thanks
Felecha (Author), posted August 30, 2004:

Even though I CAN set it manually I'm very concerned because some day I will revise the code and reinstall it and forget to set the logon. It will not do anything worse than log errors very quietly if I forget. Or someone other than me will do it and forget. I would really like it to be part of the Installer.
Felecha (Author), posted August 30, 2004:

Here's the answer at last! I have to enter the username as "<machinename>\username". Such a simple detail!!! I found the answer on another board where someone had exactly the same problem.
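
The fix from the last post, as an added example that is not part of the original thread: a service installer that sets the logon account in code and qualifies a bare account name as "<machinename>\username". The class name, the service name and the /svcuser and /svcpassword parameter names are assumptions, and the account is meant to be the dedicated, non-administrator one suggested earlier in the thread.

```vbnet
Imports System
Imports System.Collections
Imports System.ComponentModel
Imports System.Configuration.Install
Imports System.ServiceProcess

' Hypothetical installer class (added example, not code from the thread).
<RunInstaller(True)> _
Public Class ProjectInstaller
    Inherits Installer

    Private ReadOnly processInstaller As New ServiceProcessInstaller()
    Private ReadOnly serviceInstaller As New ServiceInstaller()

    Public Sub New()
        ' Run under a named account instead of LocalSystem so the service
        ' presents real credentials to \\HostA\DataShare.
        processInstaller.Account = ServiceAccount.User
        serviceInstaller.ServiceName = "LogCleanupService" ' placeholder name
        serviceInstaller.StartType = ServiceStartMode.Automatic
        Installers.Add(processInstaller)
        Installers.Add(serviceInstaller)
    End Sub

    ' Called before the child installers run, so the credentials are in
    ' place when the service is registered.
    Protected Overrides Sub OnBeforeInstall(ByVal savedState As IDictionary)
        MyBase.OnBeforeInstall(savedState)
        ' Assumed invocation (parameter names are hypothetical):
        '   installutil /svcuser=svc_logclean /svcpassword=... MyService.exe
        Dim user As String = Context.Parameters("svcuser")
        If String.IsNullOrEmpty(user) Then
            ' Nothing supplied: leave Username/Password empty and the
            ' installer prompts for them, keeping the password off the
            ' command line.
            Return
        End If
        processInstaller.Username = QualifyAccount(user)
        processInstaller.Password = Context.Parameters("svcpassword")
    End Sub

    ' A bare local account name is rejected at install time; prefix it
    ' with this machine's name unless it is already DOMAIN\user or user@domain.
    Public Shared Function QualifyAccount(ByVal name As String) As String
        If name.IndexOf("\"c) >= 0 OrElse name.IndexOf("@"c) >= 0 Then
            Return name
        End If
        Return Environment.MachineName & "\" & name
    End Function
End Class
```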