Hey guys, here's the setup (bear in mind I'm really struggling with the Windows/.NET security stack i.e. I don't get it):

  • A Windows Service running as LocalSystem on a Windows Server 2003 box.
  • A .NET 3.5 Website running on the same box, under "default" production server IIS settings (so probably as NETWORKSERVICE user?)

On my default VS2008 DEV environment I have this one method, which gets called from the ASP.NET app, which works fine:

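    private static void StopStartReminderService() {
        // Requires: using System; using System.ServiceProcess;
        ServiceController svcController = new ServiceController("eTimeSheetReminderService");

        if (svcController != null) {
            try {
                // Stop, wait up to 10 seconds for the Stopped state, then start again
                svcController.Stop();
                svcController.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(10));
                svcController.Start();
            } catch (Exception ex) {
                // Logged through the application's own error-handling helper
                General.ErrorHandling.LogError(ex);
            }
        }
    }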

When I run this on the production server, I get the following error from the ServiceController:

Source: System.ServiceProcess -> System.ServiceProcess.ServiceController -> IntPtr GetServiceHandle(Int32) -> System.InvalidOperationException Message: Cannot open eTimeSheetReminderService service on computer '.'.

So my question is, why is this happening, and how do I fix it?

EDIT:

The answer is below, mostly in comments, but to clarify:

  1. The issue was Security related, and occurred because the NETWORKSERVICE account did not have sufficient rights to Start/Stop a service
  2. I created a Local User Account, and added it to the PowerUsers Group (this group has almost admin rights)
  3. I don't want my whole Web App to impersonate that user all the time, so I impersonate only in the method where I manipulate the service. I do this by using the following resources to help me do it in code:

MS KB article and this, just to get a better understanding

NOTE: I don't impersonate via the web.config, I do it in code. See the MS KB Article above.
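
The per-method impersonation described in the edit above, as an added example (not code from the original post or from the KB article): the worker process stays on its low-privilege identity and switches to the dedicated local account only while it restarts the service. The class name, the method name `RestartAs` and its parameters are hypothetical, and the account is assumed to be allowed to log on locally.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.ServiceProcess;

// Hypothetical helper class; every name except the service name is an assumption.
static class ReminderServiceControl
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // user/password belong to the dedicated local account; the caller is
    // assumed to load them from protected configuration, not from source code.
    public static void RestartAs(string user, string password)
    {
        IntPtr token;
        // "." restricts validation to the local account database.
        if (!LogonUser(user, ".", password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token);
            try
            {
                using (ServiceController svc = new ServiceController("eTimeSheetReminderService"))
                {
                    TimeSpan wait = TimeSpan.FromSeconds(10);
                    if (svc.Status != ServiceControllerStatus.Stopped)
                    {
                        svc.Stop();
                        svc.WaitForStatus(ServiceControllerStatus.Stopped, wait);
                    }
                    svc.Start();
                    svc.WaitForStatus(ServiceControllerStatus.Running, wait);
                }
            }
            finally { ctx.Undo(); }   // always revert to the worker-process identity
        }
        finally { CloseHandle(token); }
    }
}
```

Reverting in `finally` matters here: if `Undo()` is skipped after an exception, the rest of the request keeps running with the elevated account's rights.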

A: 

Just a hunch, but it does not appear to me the error is necessarily related to security. Did you give the service the same name on the production server?

cdonner
@cdonner: yeah, I suspected that too, but didn't know how I could test it? Yes, the name is the same, it's defined in the code, in the ServiceInstaller component. Any ideas on how I could get a definite answer on whether it even is security? cheers
andy
can you start and stop it from the command line, using NET START/STOP?
cdonner
hey man, yeah, running "NET START eTimeSheetReminderService" in the command prompt starts the service successfully
andy
+3  A: 

Try adding this to your Web.Config.

<identity impersonate="true"/>
Phaedrus
hey phaedrus, same error
andy
Is anonymous access enabled in IIS?
Phaedrus
yep, "Enable anonymous access" is ticked
andy
Disable it, enable Integrated Windows Authentication.
Phaedrus
cool, I'll try it out. How will that affect access to the site? it is a public site. Also, can impersonating be done just for that one method? Anyway, I'll try it out to see if it works, thanks, much appreciated.
andy
ah ha! we're getting somewhere. ok, that worked. However, I need Anonymous access turned on, and I'd rather only give special privileges to sections of code that need it. Any ideas? cheers!!
andy
No, running a public site with Integrated Windows Authentication enabled probably isn't the best idea. It's just a way to find out if your problem is in fact related to security. You're probably going to want to enable anonymous access and give the appropriate permissions to the IUSR_<yourcomputername> account so that it has sufficient rights to access your service.
Phaedrus
cool, thanks Phaedrus. yes, I figured you only wanted to eliminate possibilities, awesome. Ok, this is the bit that gets me. So I have to find the Account that my ASP.NET app is running under, right? and then how do I give it rights to access the service, what rights would that be? Is there a way to give it rights to that particular service only, or do I just have to give complete control to the IUSR_etc Account?
andy
cool, thanks, fixed!
andy