I was wondering what privileges I needed to let a user start a service on our server.
The situation is as follows: some people on our website can start a certain service on the server (Windows 2008 and IIS7). The way that worked so far for me was specifying the application pool I created with my user account (the impersonate method from MSDN doesn't work for some reason). Now however I want to change that user account to a user account who only has the privileges to start and stop a service (and everything that is needed to get him to do that).
The website is written in ASP.NET and C#. I use the ServiceController to start and stop my services.
Which privileges should I assign to that user?
EDIT: I just want to clear some things up here. I managed to get this thing working through the Application pool (although it doesn't work through debugger). But it only works with a user that is part of the Administrators group which isn't what I want. I want to specify a special user that will only be able to start and stop the service through the website. So what privileges do I need? Please be specific.
EDIT 2: I found out why my service wouldn't start in the debugger. I didn't run Visual Studio with administrator rights. I feel so stupid right now... Anyway, the question still stands as I still need my special user with the correct permissions.
Any comment will be appreciated!
Kind regards,
Floris Devriendt
You have to set identity impersonate to true in your web.config, and if you are using Windows authentication then you need to set that up in IIS. If you are using a WCF service in between you may have to look at Impersonation in WCF.
(Terminology gripe) - you shouldn't be looking at privileges, since those apply across a machine as a whole. You should be looking at permissions.
There's an answer here about allowing remote users to start and stop a service. You may need to run the same steps to allow the account your website is under the specific permissions, that is:
Copy the IA users permissions on the scmanager, to allow a non-interactive user to access the service controller, and
Add appropriate permissions for your user against the specific service.
Both of these actions use the sc command line tool. Hopefully, you can crib enough together for your specific circumstances. Something like:
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-3-3127463467463)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
where S-1-5-3-3127463467463 is the SID for the website account, and:
sc sdset Alerter D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRCWPRP;;;S-1-5-3-3127463467463)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
where Alerter is the name of the specific service, and S-1-5-3-3127463467463 is again the SID for the website account.
(Not sure whether to break up these commands to make them more readable on SO - they need to have no line-breaks when running in the command line)
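Worked example (added here, not code from the answer above or from the question's project): because sc sdset replaces the whole descriptor, the safe way to do the two steps above is to read the current SDDL with sc sdshow, append one allow ACE for the website account, and write the result back. The helper below does the ACE insertion as a pure function (so it can be checked offline) and only then calls sc.exe; the service name, the SID and the script name are placeholders, and the rights letters follow the documented SDDL shorthand for service objects.

```python
"""Append one allow ACE to a service's SDDL without touching its existing entries.

sc sdset replaces the whole descriptor, so always start from `sc sdshow` output:
read it, add one ACE for the website account, write it back.
"""
import re
import subprocess
import sys

# Service rights in SDDL shorthand (KB914392): CC QUERY_CONFIG, LC QUERY_STATUS,
# SW ENUMERATE_DEPENDENTS, LO INTERROGATE, RC READ_CONTROL, RP START, WP STOP.
# That is all ServiceController needs for Status/Start/Stop: no DC (change
# config) and no WD/WO (rewrite the DACL or take ownership).
START_STOP_RIGHTS = "CCLCSWLORCRPWP"
SCM_CONNECT_RIGHTS = "CC"   # on the scmanager object CC is SC_MANAGER_CONNECT

ACE_RE = re.compile(r"\([^;]*;[^;]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]*)\)")
SID_RE = re.compile(r"S-1-\d+(-\d+)+|[A-Z]{2}")   # full SID or two-letter SDDL alias


def add_allow_ace(sddl: str, sid: str, rights: str = START_STOP_RIGHTS) -> str:
    """Return sddl with (A;;rights;;;sid) appended to its DACL.

    Refuses descriptors without a DACL and SIDs that already hold an ACE, so a
    typo cannot silently drop the built-in entries or grant rights twice.
    """
    if "D:" not in sddl or not SID_RE.fullmatch(sid):
        raise ValueError("need an SDDL string containing D: and a valid SID")
    dacl, sep, sacl = sddl.partition("S:")    # keep the audit (SACL) part intact
    for ace in ACE_RE.finditer(dacl):
        if ace.group("sid").upper() == sid.upper():
            raise ValueError(f"{sid} already holds rights {ace.group('rights')}")
    return f"{dacl}(A;;{rights};;;{sid}){sep}{sacl}"


def grant_rights(service: str, sid: str, rights: str = START_STOP_RIGHTS) -> str:
    """Read the live descriptor with sc.exe, add the ACE, write it back (Windows, elevated)."""
    shown = subprocess.run(["sc.exe", "sdshow", service],
                           capture_output=True, text=True, check=True)
    current = next(line.strip() for line in shown.stdout.splitlines() if "D:" in line)
    updated = add_allow_ace(current, sid, rights)
    subprocess.run(["sc.exe", "sdset", service, updated], check=True)
    return updated

if __name__ == "__main__":
    # usage: grant_service_rights.py <service|scmanager> <account SID>   (placeholder name)
    svc, account = sys.argv[1], sys.argv[2]
    print(grant_rights(svc, account,
                       SCM_CONNECT_RIGHTS if svc.lower() == "scmanager" else START_STOP_RIGHTS))
```

Run it once against scmanager and once against the service itself, as the answer describes; the printed descriptor is what sc sdset was given, so keep it for rollback.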
You have to give the right to start your service to the user that you are using for the application pool.
Click Start, point to Settings, click Control Panel, and then double-click Administrative Tools.
Double-click Services
On the Log On tab, click Local System Account, and then click Apply.
On the General tab, click Start to restart the service.
Quit the Services tool.
Related
I am currently developing a web application with an MVC architecture in C # by following this tutorial: https://learn.microsoft.com/fr-fr/outlook/rest/dotnet-tutorial
The problem is that I use permissions that only an Administrator can validate, so when I click to authenticate, an Administrator must use his account to validate the application, then I reconnect with my account to do my tests.
Every time I recompile, the admin must validate again.
Since I compile very often and I do not have(and can not have) admin rights, I would like to find a way to automate the resolution of this problem
If the admin must put an id and a password in the code, they want to make sure that I can not see it.
Is there a specific right to handle this?
I'm trying to delete a user profile folder using C# and ASP.NET; when I do this through the Windows UI I get a UAC prompt, which is fine.
I wish to do this programmatically using ASP.NET & C#.
The objective is for admin users to launch a webform and do this remotely on a workstation, but I'm currently getting permission errors.
(I'm running Visual Studio as admin in my debugging environment to delete local users)
{"Access to the path 'C:\Users\nzsp2013admin\AppData\Local\Microsoft\Windows\Application ..... is denied."}
code:
using System.IO;
// Verbatim string: in an ordinary C# literal "\U" is an invalid escape and "\n" would be a newline.
var dir = new DirectoryInfo(@"C:\Users\nzsp2013admin");
dir.Attributes = dir.Attributes & ~FileAttributes.ReadOnly; // clear read-only on the folder itself
dir.Delete(true); // true => recursive delete
This has to do with the permissions which are configured in IIS.
Every ASP.NET application that you run in IIS will be run using an identity that can be managed in the Application Pools section in IIS Manager.
By default, each Application Pool that is created (including the default one) will have permissions within a limited scope.
If I'm honest, the phrase Application Pool makes things sound more complicated than what they actually are. An application pool is just an identity exactly like the one that you use to sign on to your PC, and in your case an identity with normal user permissions is attempting to perform an action that requires a set of higher permissions.
To resolve this, open up IIS.
Click on Application Pools
Select the Application Pool that your web application is running under
Click on Advanced Settings
Click on identity and select Custom identity
Enter the credentials of an account that has administrative privileges.
However, I do have to warn you that you could be opening yourself up to a wide range of security concerns and that there are alternatives such as adding explicit permissions to specific directories that include the identity which the ASP.NET application is running from.
I used this approach and it works very well. With this approach you don't use an account with high-level privileges all the time, just when required and not for the application execution.
Try to use a domain account and add privileges to the folder or location you require. And share the folder so you can use a UNC path.
Accessing a Shared File (UNC) From a Remote, Non-Trusted Domain With Credentials
You could use code impersonation:
http://csharptuning.blogspot.com/2007/06/impersonation-in-c.html
http://www.codeproject.com/Articles/14358/User-Impersonation-in-NET
Regardless, whoever you use as the impersonation must be able to read/write to the location. We use this method in applications for deleting/creating folders across the network, but in theory you should be able to wrap this around any piece of code, check to see if the user is an admin, and if so use the impersonated user to delete the folder, or however you prefer to do it.
Also, I noticed you mention that you are wanting to do it remotely, but your examples have the local path.
You may also find this useful: Deleting Windows user accounts remotely WCF and C#
I am new to Active Directory and was given a task to fix a bug where an app on one of our servers could not access Active Directory on another server. The user we are using to bind to Active Directory is a "Domain Admin" and we are using this user's credentials in a C# application to access Active Directory with the System.DirectoryServices.AccountManagement classes of .NET 3.5.
The server is in the same domain as the active directory server.
After struggling to make the app work, the network administrator set up trust (as a last resort) to the server computer (where the app is installed) and that allowed the app to work.
The network admin said :
"If I open the computer account in AD and click on Delegation (and then select 'Trust this computer for delegation to any service (Kerberos only)' it works!! I can't see why I should need to enable delegation for the server as it's already on the domain anyhow - but it works"
My question is why was this necessary?
It sounds like a programming error where PrincipalContext isn't taking effect. None of these samples change the default service context... If he looks at the event logs he probably sees MachineName$ (dollar sign) logging in.
Try this - Set the service account name from LocalService to the account you want to use with LDAP. It should work, even without domain admin rights.
I need to start a process (.exe console application) as the Administrator user from a WCF service hosted in IIS7 (Windows Server 2008). How can I do this?
thank you,
Riccardo
I'm not sure about a WCF service in IIS, however for a basic website, you click on the site (in inetmgr IIS7) and under the IIS section there is an icon called Authentication. Then there are several options in the main box like Anonymous Authentication, etc. Select one and then on the right side hit the edit button. You can specify the user you want the site to execute with. You could select your admin account if you really wanted to.
Again, this is for an IIS website, not WCF service.
Like some of the other commentators say, though, giving it a full admin account isn't the right way to go. I'd create a limited user account w/ the bare minimum privileges.
Just setting the application identity of the pool (in the advanced settings). This is not the final solution, but for now it works.
I have a Windows Service that runs, and currently, it runs under whatever account installed the service onto the computer.
Is there some way, using code, that I can switch the active user that the service runs as, dynamically, without any user interaction or GUI? I'm a little inexperienced when it comes to services, so I'm not sure if this is possible. Any info on the topic would be appreciated. (VB and C# code is okay)
Assuming you included a class that inherits from Installer as part of your service code to handle the service installation, you can change the Account for the Service Process Installer component to specify LocalService, NetworkService, LocalSystem or User. However, if you specify User then you will either need to encode the username and password in the code, or, if you set it to User and don't provide these values, InstallUtil.exe will prompt for the Username and Password when it is run to install the service.