Wednesday, April 6, 2011

How to give a Windows Service access on a remote machine?

I'm working on a Windows Service, one of whose tasks is archiving files on a remote machine, but I have a problem regarding access privileges: "Access is denied".

The service account is "LocalService".

How can I give the service access to the remote machine?

From Stack Overflow
  • LocalService cannot have permissions on another machine, so you'll need to change the service account to something else and make sure the account has the necessary permissions on the remote machine.

  • A service on server1 that's running under the Local Service principal and that tries to access the folder on server2 is seen as an anonymous connection attempt that is or isn't allowed depending on the policy of server2. So you need to either allow anonymous access on server2 or change the service account (recommended).

  • You'll need to run the service in a dedicated account (such as a domain account) that both machines recognise. Then grant this account the necessary ACL permissions to access the second machine.

    If you aren't on a domain, there are things you can do with having the same username and password...

    Another approach is to use the "network service" account - this will authenticate with the identity of the machine that is hosting the service; it can work, but personally I like the dedicated account approach - it makes it easier to achieve granular security, and means you can relocate the service to another host without much effort.

    Ahmed : Could you explain how to work with the "Network Service" account?
    Marc Gravell : Well, the account is [yourdomain]\[computername] - just put that account into the ACL on the server you are contacting (for example, on the share permissions dialog, etc). Most installers (including the service installer in .NET) allow you to specify this account...
    Ahmed : What I got from you is: set the service account to Network Service, and set permission for that service on the shared folder, right? If yes, how do I grant the service access on the shared folder?
    Marc Gravell : On the shared folder permissions dialog, simply find the account of the other machine. Look for an account-type/object-type option on the screen where you enter the accounts; it will probably default to users; change it to machines...
    Marc Gravell : For me, these settings are on the "Advanced..." part of the dialog. Or just enter the domainname\machinename pair directly.
    Ahmed : Ok, it's working properly now.
    Ahmed : Marc, will this work in case of no domain?
    Marc Gravell : I honestly don't know. In theory, yes - but I'm always on a domain, so I can't be sure...
    Ahmed : Marc, everything is working properly in case of a domain, but it doesn't work in case of no domain. If you get a solution for this, please notify me. Thanks a lot.
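
The steps discussed in the comments above (run the service as Network Service, then add the hosting machine's account to the share's permissions), as an added PowerShell example that is not part of the original thread. The domain, computer and share names are placeholders, and it assumes a domain-joined file server that has the SmbShare cmdlets (Windows Server 2012 or later).

```powershell
# Added example. Run in an elevated PowerShell session on the file server
# (the machine that hosts the share). All three names are placeholders.
$Domain      = 'CONTOSO'   # assumed domain name
$ServiceHost = 'SERVER1'   # assumed computer that runs the service
$ShareName   = 'Archive'   # assumed existing share on this server

# A service running as Network Service authenticates over the network as
# the computer account of its host; that account's name ends with '$'.
$Account = '{0}\{1}$' -f $Domain, $ServiceHost

# Fail early if the computer account cannot be resolved to a SID
# (wrong name, or this server is not joined to the domain).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Share-level permission: Change allows read, write and delete, but not
# changing permissions, which is enough for an archiving job.
Grant-SmbShareAccess -Name $ShareName -AccountName $Account `
    -AccessRight Change -Force | Out-Null

# NTFS permission on the shared folder. Effective access is the more
# restrictive of the share and NTFS permissions, so both are needed.
$path = (Get-SmbShare -Name $ShareName).Path
$acl  = Get-Acl -LiteralPath $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $path -AclObject $acl

# Review what was granted.
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $Account }
(Get-Acl -LiteralPath $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account }
```

Every service on that host that runs as Network Service or LocalSystem presents the same computer account, so this grant is not limited to the one archiving service.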
