What permissions for NETWORK SERVICE account to read share on Win 2003 computer?
Solution 1
Is there a reason it has to run as Network Service? For security purposes I would create a domain user account, run the service as the domain user, and assign the necessary permissions to the user.
Solution 2
DOMAIN\machinename$
The network service account appears as this when connecting/authenticating to other servers.
I know this works because I have a web server app pool using network service that connects to a SQL Server with the dollar account.
Edit: have you ever tried to search google for "machinename$"... aarrgghh.
Solution 3
That does sound like it should work. I would try 1) Impersonate a normal domain user account for the network access instead of network service. This will check that your impersonation is working and is valid for network resources. 2) Change the share and NTFS permissions to explicitly grant access (probably start by granting full control) to the specific computer account that you are testing this on.
Give this a go and update your question with how you get on. Might give us a bit more of an idea about the problem.
If it starts to look like a problem with your call to LogonUser then you might get a better response on StackOverflow.
I have had odd problems in the past when trying to get computers to authenticate properly as network service. I normally work around the problem now by using a domain account that has been granted the exact permissions required for the task.
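Added example, not part of the original answers: a read-only PowerShell check, run on the file server, that lists the share-level and NTFS entries for one share so you can see whether the computer account from Solution 2, or a group it belongs to, is allowed at both layers (access needs both). The share name, the account string and the domain prefix are placeholders, and it assumes Windows PowerShell is installed on the server.

```powershell
# Added example; the share name and account below are placeholders, not values from the page.
$ShareName = 'ExampleShare'
$Account   = 'DOMAIN\machinename$'   # how NETWORK SERVICE appears to other servers
# Principals named in the question that would also cover a computer account.
$Relevant  = @($Account, 'Everyone', 'DOMAIN\Domain Computers')

$share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
if (-not $share) { throw "Share '$ShareName' not found on this machine." }

# Share-level DACL (the "Share Permissions" tab) is exposed through WMI.
"Share permissions on $ShareName"
$sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
if (-not $sec) {
    '  (no share security descriptor returned by WMI)'
} else {
    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        $who = $ace.Trustee.Name
        if ($ace.Trustee.Domain) { $who = "$($ace.Trustee.Domain)\$who" }
        # AceType 0 = allow, 1 = deny
        $type = 'Deny'; if ($ace.AceType -eq 0) { $type = 'Allow' }
        # '*' marks an entry for the account or one of the groups listed above.
        $mark = ' '; if ($Relevant -contains $who) { $mark = '*' }
        '{0} {1,-5} {2,-35} mask=0x{3:X}' -f $mark, $type, $who, $ace.AccessMask
    }
}

# NTFS DACL (the "Security" tab) on the folder behind the share.
"NTFS permissions on $($share.Path)"
foreach ($rule in (Get-Acl -Path $share.Path).Access) {
    $who  = $rule.IdentityReference.Value
    $mark = ' '; if ($Relevant -contains $who) { $mark = '*' }
    '{0} {1,-5} {2,-35} {3} inherited={4}' -f $mark, $rule.AccessControlType, $who,
        $rule.FileSystemRights, $rule.IsInherited
}
```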
Ed Guiness
Updated on September 17, 2022
Comments
-
Ed Guiness over 1 year
I have an XP SP3 machine running a service (written by me) that runs as NT AUTHORITY\NETWORK SERVICE in order to access a network share. With filemon.exe I can see this service attempting to OPEN the network share but getting ACCESS DENIED.
The network share is a folder on a Windows Server 2003 SP1 machine, and this folder has share permission = Everyone (read) and NTFS permission = Domain Computers (read + execute + list folder contents). It has no other permissions explicitly granted, but inherits default permissions from C:\. I have verified that the XP machine is a member of Domain Computers.
On the machine sharing the folder I can see Successful Network Logon events from the XP machine.
On the XP machine I see only ACCESS DENIED when my service tries to OPEN specific files on that folder.
It feels like I'm missing some vital step but I appear to have run out of SysAdmin clues.
-
Tubs almost 15 years: You could try a Null session share?
-
Ed Guiness almost 15 years: @Tubs I tried the advice at support.microsoft.com/kb/289655 but still access denied.
-
Ed Guiness almost 15 years: In fact this service runs most of its life as LOCAL SYSTEM, in order to perform various admin tasks that the domain user should not be able to. It only impersonates NETWORK SERVICE (via LogonUser API) in order to access network share.
-
Ed Guiness almost 15 years: Helpful suggestions, thanks. Since Filemon.exe shows that the attempt is being made as NETWORK SERVICE I guess I'm safe assuming that LogonUser worked?
-
SpaceManSpiff almost 15 years: I prefer when services are each configured as their own accounts, allows you tighter control over the allow/deny access.
-
Ed Guiness almost 15 years: Sure, and I may go that way, but in the meantime I have this problem with NETWORK SERVICE... I'd like to understand that problem and hopefully the solution before moving on to something else.
-
pipTheGeek almost 15 years: It sounds like it. But I have learnt from lots of poking at web sites to try and figure out the missing link in a delegation chain not to make assumptions about what is / or is not working.
-
Ed Guiness almost 15 years: Indeed, and I've tried adding domain\machine$ to both share and NTFS permissions... but still ACCESS DENIED.