ACL Security Configuration for WCF

Picture this: You are demonstrating a sample. You have done the same thing earlier. It always worked. And then it failed with a cryptic exception you never saw before.

Unhandled Exception: System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:2222/. Your process does not have access rights to this namespace

This is exactly what hit me while demonstrating a WCF example for the first time on Windows Vista. Of course, it was only later that I realized it was because of Windows Vista. In fact, this is what anybody running Vista is bound to come across, so I felt duty bound to document it.

Back to the story: it wasn't really obvious, since this was not the first time I was running a WCF application on Vista; I was just demonstrating it for the first time. So WCF and Vista do work together. There must be a third factor, and that is HTTP: I was using an HTTP binding for this demonstration.

The main reason for this behaviour is a new security feature of Windows Vista. In the new operating system, all HTTP ports are by default reserved for the administrator, and by default you no longer use the administrator account to execute applications. In Windows Vista, even if you are an administrator, the application continues to run with normal (non-elevated) privileges. So there are two different ways we can address this issue:


Run As Administrator

While starting the WCF service, make sure you run the application with elevated permissions. You can do so in one of these ways:

  1. If you need to run it just once (maybe for a demonstration): right-click the application icon and select Run as Administrator.
  2. To run it several times (typically for an implemented system):
    1. Create a shortcut to the application.
    2. Right-click the shortcut icon -> select Properties -> Advanced.
    3. Select the check box "Run as Administrator". Press OK -> OK.
    4. Now run the application using the shortcut.
  3. Start a cmd window with Run as Administrator privilege and start the application from it.

This approach, however, will fail if you want to execute the code from within Visual Studio by pressing Ctrl+F5 or simply F5. Needless to add, it is not debug-friendly. But above all, we did nothing to address HTTP or security. So let's try the second approach.


Delegate Port to the User Account (under Windows Vista)


Sounds more geeky, doesn't it? But that is exactly what we need to do. As already discussed, it is the Administrator that owns all the HTTP ports. In the first solution we called the administrator to come and execute our application. In this solution, the administrator delegates a particular HTTP port and URL to another user (the one under whose account you intend to run the service). So let us see how we can achieve this:

  1. Start an Administrator command prompt:
     
    Yes, this is a one-time but compulsory requirement. We can create a shortcut to the command prompt and run it with administrative privilege. You may like to see step 2 of the Run As Administrator approach above to elevate the permissions of the command window (cmd).
     
  2. Delegate a particular port and URL to a different, non-administrative user: we need to execute the netsh command with these options:

    C:\> netsh http add urlacl url=<actual_url_to_be_delegated> user=<domain\user>


For my exception above I used:

C:\> netsh http add urlacl url=http://+:2222/ user=Aum\Vivek


Once the reservation is done, your application works without any problem.


Delegate Port to the User Account (under Windows 2003)


The netsh http command discussed in the previous section is new to Windows Vista and is likely to be available in future OS releases. For Windows Server 2003, however, it doesn't apply; we use the native 2003 tool httpcfg instead. While most of the steps discussed above hold good here also, the syntax of httpcfg is a bit different and a lot more demanding.


c:\>httpcfg set urlacl /u http://URL:Port/ /a ACL

The URL in the /u switch corresponds to the url= part of the netsh command. However, there is another /a switch, which defines the ACL in SDDL (Security Descriptor Definition Language) format. A detailed discussion on SDDL is available here.

c:\>httpcfg.exe set urlacl /u http://myhost:2222/ /a "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
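As an added example (Python; not part of the original post), here is a small decoder for the SDDL strings that httpcfg takes in its /a switch, plus a builder for the minimal reservation DACL. The function names, the alias and rights tables (a subset of SDDL) and the sample SID S-1-5-32-545 (BUILTIN\Users) are this example's own choices; it also decodes the form netsh http show urlacl reports, where GX corresponds to Listen and GW to Delegate.

```python
"""Decode and build the SDDL strings used for HTTP.SYS URL reservations.
Added example; function names and tables are this example's own."""
import re

# Subset of SDDL trustee aliases and two-letter access-right tokens.
TRUSTEES = {"AO": "Account Operators", "DA": "Domain Admins", "BA": "Builtin Administrators",
            "BU": "Builtin Users", "WD": "Everyone", "SY": "Local System",
            "NS": "Network Service", "LS": "Local Service"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "RP": "DS_READ_PROP", "WP": "DS_WRITE_PROP",
          "CC": "DS_CREATE_CHILD", "DC": "DS_DELETE_CHILD", "LC": "DS_LIST", "SW": "DS_SELF",
          "LO": "DS_LIST_OBJECT", "DT": "DS_DELETE_TREE", "CR": "DS_CONTROL_ACCESS"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}

def parse_ace(ace):
    """'(A;;GX;;;S-1-0-0)' -> dict. Fields: type;flags;rights;object_guid;inherit_guid;trustee."""
    fields = ace.strip("()").split(";")
    if len(fields) != 6 or fields[0] not in ACE_TYPES:
        raise ValueError("malformed ACE: " + ace)
    ace_type, flags, rights, _obj, _inh, trustee = fields
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    if len(rights) % 2 or any(t not in RIGHTS for t in tokens):
        raise ValueError("unknown access-right token in " + rights)
    # Position decides meaning: 'WD' is WRITE_DAC in the rights field but Everyone as a trustee.
    if trustee not in TRUSTEES and not re.fullmatch(r"S-1-\d+(-\d+)+", trustee):
        raise ValueError("trustee must be an SDDL alias or a SID: " + trustee)
    return {"type": ACE_TYPES[ace_type], "flags": flags,
            "rights": [RIGHTS[t] for t in tokens], "trustee": TRUSTEES.get(trustee, trustee)}

def parse_sddl(sddl):
    """Split 'O:ownerG:groupD:flags(ace)(ace)...' into its components (an S: SACL is ignored)."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = parts.get("D", "")
    return {"owner": TRUSTEES.get(parts.get("O"), parts.get("O")),
            "group": TRUSTEES.get(parts.get("G"), parts.get("G")),
            "dacl_flags": dacl.split("(", 1)[0],
            "dacl": [parse_ace(a) for a in re.findall(r"\([^)]*\)", dacl)]}

def urlacl_sddl(sid, listen=True, delegate=False):
    """Minimal DACL for a reservation: GX lets the SID listen on (register) the URL,
    GW lets it delegate the reservation further."""
    rights = ("GX" if listen else "") + ("GW" if delegate else "")
    if not rights:
        raise ValueError("a reservation must grant listen and/or delegate")
    return "D:(A;;%s;;;%s)" % (rights, sid)
```

Decoding the page's own string shows that its single ACE names S-1-0-0, the Null SID, so for a real reservation substitute the service account's SID.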

Happy Computing…

2 Replies to “ACL Security Configuration for WCF”

  1. This is happening in Windows 2003 as well. We are deploying a windows service (a service host) that runs under a service a/c. I am able to run the service under my a/c since I am administrator, but when I try to run it as the service a/c I get a namespace violation. Typically we do not give a service a/c administrator privileges. The exception points to a website (http://go.microsoft.com/fwlink/?LinkId=70353) for a resolution. However, for Windows 2003 they are suggesting to use the httpcfg tool, and one of the parameters that I need to pass is a string that contains an access control list in the form of a Security Descriptor Definition Language (SDDL) string. I do not know much about SDDL and am not sure if I want to go that route. Any other workarounds?
