Re: A service's threads outgoing security:how to manage?

From: Willy Denoyette [MVP] (willy.denoyette_at_telenet.be)
Date: 11/20/05


Date: Sun, 20 Nov 2005 18:55:28 +0100

Manfred,
Your thread doesn't run as the user you specified for your DirectoryEntry
call; the call only creates a network logon session for the connection with
remComp, that is, the client thread uses the token obtained to connect and
access the network resource, but this token is not carried over to your
threadpool thread. TP threads always use the process token unless you are
explicitly impersonating (calling LogonUser(), Impersonate()). So, what you
need to do is either impersonate or run your service as a dedicated user with
appropriate access privileges to all remote servers.

Willy.

"Manfred Braun" <aa@bb.cc> wrote in message
news:u9qf2Js7FHA.3804@TK2MSFTNGP12.phx.gbl...
> Hallo Dave
>
> and much thanks first. But the problem is another. Because there are trusts
> between the domains, the running user is not of any importance and I need
> to explicitly specify credentials [which are different for different
> computers I connect to]. I create a session with:
>
> DirectoryEntry de = new DirectoryEntry("WinNT://remComp,computer", user,
> pass, AuthenticationTypes.Secure);
>
> This works well and I can read the properties of the computer-object from
> the remote box, even my running user does not have [implicit] permissions.
> Now, with the established session, I try to modify the remote registry
> with:
>
> System.Diagnostics.EventLog.CreateEventSource
> (
>     ec.dynConf.eventlogSourcename,
>     "Application",
>     "remComp"
> );
> which fails with "General Access Denied Error". So my thread [which is
> from the threadpool], lost the permissions anywhere !!!!
>
> Thanks so far and
> best regards,
> Manfred
>
> "D. Yates" <foeman@hotmail.com> wrote in message
> news:OD85Yur7FHA.1140@tk2msftngp13.phx.gbl...
>> Manfred,
>>
>> The problem is probably the service's permissions. You need to have your
>> service run as a user with permission to access the remote computer. Do a
>> google search on Service Permission and you will get a lot of hits.
>>
>> Dave
>>
>> "Manfred Braun" <aa@bb.cc> wrote in message
>> news:%23G94Agp7FHA.1864@TK2MSFTNGP12.phx.gbl...
>> > Hello All!
>> >
>> > I am writing a management application, which has to access remote
>> > machines registry via System.Diagnostics.EventLog.CreateEventSource [which
>> > is effectively a registry access].
>> >
>> > For each machine I connect to, I create a DirectoryEntry and connect to
>> > that machine specifying credentials. That's because the running user does
>> > not have the right permissions [working with different domains, no trusts].
>> > The application is written in C# and the action taken is done with threads
>> > from the threadpool.
>> > After I created the "secure channel" with the help of the DirectoryEntry
>> > object, I do the CreateEventSource call, which fails with "General Access
>> > Denied Error".
>> >
>> > But this works fine, if the application runs - while testing - as a
>> > console application, but fails, if it runs as a service!!!! It does also
>> > not work, if I run the app temporarily with the Taskscheduler.
>> >
>> > Because I cannot specify explicit credentials while accessing the
>> > registry, I have no idea what to do now. Access to the remote WMI service
>> > is well done specifying explicit credentials.
>> >
>> > I am running Windows Server 2003,en,SP1 and framework 1.1, SP1
>> >
>> > Any help would be great!!
>> > Sorry for crossposting; I am not sure what's the right/best group.
>> >
>> > Thanks so far and
>> > best regards,
>> > Manfred
>> > Mannheim
>> > Germany
>> >
>>
>>
>
>


