We're using BITS to upload files from machines in our retail locations to our servers. BITS will stop transferring a file if the user who owns the BITS job logs off. Therefore, we're using a Windows Service running as LocalSystem to submit the jobs to BITS and be the job owner. This allows transfers to continue 24/7.

However, it raises a question about authentication. We want the BITS server extensions in IIS to use Kerberos to authenticate the client machine. As far as I can tell, that leaves us with only 2 options, both of which are not ideal: Either we create an "ImageUploader" account and store its username/password in a config file that the Windows Service uses as credentials for the BITS job, or we ask the logged-on user who creates the BITS job for his password, and then use his credentials for the BITS job. I guess the third option is not to use Kerberos, and maybe go with Basic Auth plus SSL.

I'm sure I'm wrong and there's a better option. Is there?

(By the way, here's a blurb from BITS documentation about Service Accounts, impersonation and BITS):

Service Accounts and BITS

You can use BITS to transfer files from a service. The service must run as the LocalSystem, LocalService, or NetworkService system account. Jobs created by the system account are owned by that account. Because system accounts are always logged on, BITS transfers the files as long as the computer is running and there is a network connection. If a service running under a system account impersonates the user before calling BITS, BITS responds as it would for any user account (the user must be logged on). For more details on using a service with BITS, see the Platform SDK.

Thanks.