Can't run Windows service from ASP.NET page?

Question

I'm trying to start a Windows service on Windows Server 2003 from an ASP.NET page:

the code of line 35 is:

32.    Dim controller As New ServiceController  
33.    controller.MachineName = System.Environment.MachineName    
34.    controller.ServiceName = "WindowsServiceRealName"  
35.    controller.Start()

The error code is

System.InvalidOperationException: Cannot open WindowsServiceRealName service on computer 'DARWIN'. ---> System.ComponentModel.Win32Exception: Access is denied --- End of inner exception stack trace --- at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess) at System.ServiceProcess.ServiceController.Start(String[] args) at System.ServiceProcess.ServiceController.Start() at AfconParking.Import.StartService() in E:\ProjectsNet\AfconParking\AfconParking\system\Import.aspx.vb:line 35

Answer 1

The account used for the identity of your ASP.NET application pool ("Network Service" by default) does not have the permissions required to start a service.

To fix this issue, you have a few options:

1. Re-architect your site to not require interactions between ASP.NET pages and the service control manager. I really can't think of a good reason to require this (the service can simply be started at boot time, and remain running: if the service crashes, you should fix the cause of that, and/or use the corrective actions provided by the SCM. If a service restart is needed to kick of some kind of processing, use an IPC mechanism, such as sockets or named pipes, to communicate between your web app and the service instead).

2. Create a service account with the appropriate permissions (basically, membership of the local Administrators group) as described in detail here. Do note that this has several security implications, none of them particularly good.

Answer 2

Services have Access Control Lists (like files etc.). By default most normal and restricted user accounts (including the default account used by ASP.NET workers) do not have permissions to control or see the status any services.

You can either set an ACL on the service that allows the IIS worker to control the service, or run the web application with an account that already has rights.

The latter option would probably give the web application a dangerous level of access (e.g. what would happen if a web user found a security vulnerability), but is a quick approach to confirming that it is a service access permission.

Setting an ACL is the better solution, but I don't think there is a UI to set the ACL (except in group policy) which makes things harder. You'll need to use the command line tools (e.g. SUBINACL.exe)

Answer 3

Its a permissions issue, try to run the application pool with an Identity that has permissions to perform service control operations.

Read this kb to find out how to grant user such a permissions: http://support.microsoft.com/kb/325349