Guest Ricardo Vazquez Posted October 26, 2007 Posted October 26, 2007 Hi everybody, MY PROBLEM: An application I've developed as a Windows Service, which is running at a Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server (ANDROMEDA), to a shared folder called "Recordings". --> None of them are a domain server (no active-directory) --> None of them are in any domain at all. Both of them are in a work-group called SSSHHHH. I add full control permision in Andromeda's folder "Recordings" for user "Ricardo", which I created in Andromeda; and also full permision for user "Everyone" (thanks to user "Everyone" my service has been working fine before Win2003). I have added this permisions in both tabs "Sharing" and "Security" in folder properties. If opened manually from Correo, it asks me for user and password: I enter "ANDROMEDA\Ricardo", and it opens the folder and I can actually write. But my service can not: "Error MoveFile: Access denied". It seems to be logical, since the "user" (account) which runs the service is "LocalSystem" and not "ANDROMEDA\Ricardo". SOLUTIONS THAT I'VE TRIED: Possible solutions I've thought of? - Either I give permision to that Correo's "LocalSystem" on Andromeda to write on "Recordings" - Or I make the service run with another user-password: "ANDROMEDA\Ricardo", as I did when I manually opened the folder. I fail to carry out any of the two solutions: The first solution: According to the documentation that I found on the internet, Local System account appears on the network as DOMAIN\<machine name>$: http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH But here we have no "domain". I still attempted to give permission in folder "Recordings" to CORREO$, didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I also tried without the "$": nothing. Then I tried using the user-list (Add / Advanced / Search now - there is no more "location" that the very local pc), and I added total permision both Share and Security to "Everyone", "LOCAL SERVICE", "Network Service", "SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see if any of this users would ring the bell... Nothing! The second solution: Change the user that runs my service to ANDROMEDA\Ricardo. I tried to change it ("Session start" tab in my service properties), but clicking "Apply" it won't let me, poping-up that "The name of the account is invalid or does not exist, or the password is invalid for the account name specified." Then I tried to change the account to "network service", -this account sounded so well to me-, "AUTHORITY\NetworkService". But when I try to start my service it quickly stopped: "The service has not responded to the petition after an adequate time"; but it says this after just a second! It doesn't look like a real timeout. Rather, it seems that not any service can manually switch and use this "network service" account. So, I can't think of any other solution! I am newbie to networks and servers ... I do not know what I can do! Could anyone please help me? Thank you very much! Ricardo Vázquez. Madrid, Spain.
Guest Martin X. Posted October 26, 2007 Posted October 26, 2007 Re: Service writing on Win2003 remotely. Hola, I don't if you tried this yet, but did you create an account with the same exact username and password on both servers? Configure your service to use that account/password. Using the account on either server will give you access to the other server. -- Regards, Martin X. MCSA: M "Ricardo Vazquez" <rvazquez@dummy.com> wrote in message news:%23dBKmA9FIHA.5752@TK2MSFTNGP02.phx.gbl... Hi everybody, MY PROBLEM: An application I've developed as a Windows Service, which is running at a Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server (ANDROMEDA), to a shared folder called "Recordings". --> None of them are a domain server (no active-directory) --> None of them are in any domain at all. Both of them are in a work-group called SSSHHHH. I add full control permision in Andromeda's folder "Recordings" for user "Ricardo", which I created in Andromeda; and also full permision for user "Everyone" (thanks to user "Everyone" my service has been working fine before Win2003). I have added this permisions in both tabs "Sharing" and "Security" in folder properties. If opened manually from Correo, it asks me for user and password: I enter "ANDROMEDA\Ricardo", and it opens the folder and I can actually write. But my service can not: "Error MoveFile: Access denied". It seems to be logical, since the "user" (account) which runs the service is "LocalSystem" and not "ANDROMEDA\Ricardo". SOLUTIONS THAT I'VE TRIED: Possible solutions I've thought of? - Either I give permision to that Correo's "LocalSystem" on Andromeda to write on "Recordings" - Or I make the service run with another user-password: "ANDROMEDA\Ricardo", as I did when I manually opened the folder. I fail to carry out any of the two solutions: The first solution: According to the documentation that I found on the internet, Local System account appears on the network as DOMAIN\<machine name>$: http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH But here we have no "domain". I still attempted to give permission in folder "Recordings" to CORREO$, didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I also tried without the "$": nothing. Then I tried using the user-list (Add / Advanced / Search now - there is no more "location" that the very local pc), and I added total permision both Share and Security to "Everyone", "LOCAL SERVICE", "Network Service", "SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see if any of this users would ring the bell... Nothing! The second solution: Change the user that runs my service to ANDROMEDA\Ricardo. I tried to change it ("Session start" tab in my service properties), but clicking "Apply" it won't let me, poping-up that "The name of the account is invalid or does not exist, or the password is invalid for the account name specified." Then I tried to change the account to "network service", -this account sounded so well to me-, "AUTHORITY\NetworkService". But when I try to start my service it quickly stopped: "The service has not responded to the petition after an adequate time"; but it says this after just a second! It doesn't look like a real timeout. Rather, it seems that not any service can manually switch and use this "network service" account. So, I can't think of any other solution! I am newbie to networks and servers ... I do not know what I can do! Could anyone please help me? Thank you very much! Ricardo Vázquez. Madrid, Spain.
Guest Ricardo Vazquez Posted October 29, 2007 Posted October 29, 2007 Re: Service writing on Win2003 remotely. Hola Martin! :-) I'm afraid it did not work... The reason could be that Correo (Win2000) lets ".\ Ricardo" to be the user for my service (if I enter "Ricardo" it corrects it as ".\Ricardo"). But Andromeda won't let me set permisions for ".\ Ricardo" (Shared and Security tabs) in shared folder "Recordings", but "ANDROMEDA\Ricardo"! If I enter ".\Ricardo" or just "Ricardo" Win2003 corrects it as "ANDROMEDA\Ricardo". I guess this is the problem why Andromeda (Win2003) will not consider the service and the folder users to be the same "Ricardo" user, so it will not let the service access the folder. I tried and got the same error: Access Denied... Can you think of any other possibility? Thank you very much, Martin! Kind regards, Ricardo. > Hola, > > I don't if you tried this yet, but did you create an account with the same > exact username and password on both servers? Configure your service to use > that account/password. Using the account on either server will give you > access to the other server. > > -- > Regards, > Martin X. > MCSA: M > > > "Ricardo Vazquez" <rvazquez@dummy.com> wrote in message > news:%23dBKmA9FIHA.5752@TK2MSFTNGP02.phx.gbl... > Hi everybody, > > MY PROBLEM: > An application I've developed as a Windows Service, which is running at a > Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server > (ANDROMEDA), to a shared folder called "Recordings". > --> None of them are a domain server (no active-directory) > --> None of them are in any domain at all. > Both of them are in a work-group called SSSHHHH. > I add full control permision in Andromeda's folder "Recordings" for user > "Ricardo", which I created in Andromeda; and also full permision for user > "Everyone" (thanks to user "Everyone" my service has been working fine > before Win2003). I have added this permisions in both tabs "Sharing" and > "Security" in folder properties. > > If opened manually from Correo, it asks me for user and password: I enter > "ANDROMEDA\Ricardo", and it opens the folder and I can actually write. > > But my service can not: "Error MoveFile: Access denied". > It seems to be logical, since the "user" (account) which runs the service > is > "LocalSystem" and not "ANDROMEDA\Ricardo". > > > SOLUTIONS THAT I'VE TRIED: > Possible solutions I've thought of? > - Either I give permision to that Correo's "LocalSystem" on Andromeda to > write on "Recordings" > - Or I make the service run with another user-password: > "ANDROMEDA\Ricardo", as I did when I manually opened the folder. > > I fail to carry out any of the two solutions: > > The first solution: > According to the documentation that I found on the internet, Local System > account appears on the network as DOMAIN\<machine name>$: > http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH > But here we have no "domain". > I still attempted to give permission in folder "Recordings" to CORREO$, > didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I > also tried without the "$": nothing. > Then I tried using the user-list (Add / Advanced / Search now - there is > no > more "location" that the very local pc), and I added total permision both > Share and Security to "Everyone", "LOCAL SERVICE", "Network Service", > "SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see > if > any of this users would ring the bell... Nothing! > > The second solution: > Change the user that runs my service to ANDROMEDA\Ricardo. > I tried to change it ("Session start" tab in my service properties), but > clicking "Apply" it won't let me, poping-up that "The name of the account > is > invalid or does not exist, or the password is invalid for the account name > specified." > Then I tried to change the account to "network service", -this account > sounded so well to me-, "AUTHORITY\NetworkService". But when I try to > start > my service it quickly stopped: "The service has not responded to the > petition after an adequate time"; but it says this after just a second! It > doesn't look like a real timeout. Rather, it seems that not any service > can > manually switch and use this "network service" account. > > > So, I can't think of any other solution! > I am newbie to networks and servers ... I do not know what I can do! > > Could anyone please help me? > > > Thank you very much! > > > Ricardo Vázquez. > Madrid, Spain. > > > > > > > > > > > > > > > >
Guest Martin X. Posted October 30, 2007 Posted October 30, 2007 Re: Service writing on Win2003 remotely. Let's try this from the beginning. 1) Create a regular user account named RICARDO on the CORREO Windows 2000 Server server. Give it the password "password123". 2) Create a regular user account named RICARDO on the Windows Server 2003 server ANDROMEDA, also with the password "passsword123". 3) As you mentioned, you created a folder and share on CORREO named RECORDINGS. Give ANDROMEDA\RICARDO full permissions in both tabs "Sharing" and "Security" in folder properties. 4) Logon to CORREO as RICARDO. 5) Go to START > RUN and type in \\ANDROMEDA\RECORDINGS. See what happens. 6) If that works ok, then on CORREO you need to give CORREO\RICARDO the user rights to run as a service. See http://help.globalscape.com/help/secureserver3/Log_the_server_on_as_a_service.htm and http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/546.mspx?mfr=true If steps 1-5 still do not work, it could be some type of NTLM authentication issue because Windows Server 2003 has some differences in how it authenticates when compared to Windows 2000 Server. Check out the article NTLM user authentication in Windows: http://support.microsoft.com/kb/102716/en-us. Actually, if you have access, try using a Windows XP or Windows Server 2003 computer instead of the Windows 2000 Server computer. -- Regards, Martin X. MCSA: M "Ricardo Vazquez" <rvazquez@dummy.com> wrote in message news:uG4DvYhGIHA.5544@TK2MSFTNGP02.phx.gbl... Hola Martin! :-) I'm afraid it did not work... The reason could be that Correo (Win2000) lets ".\ Ricardo" to be the user for my service (if I enter "Ricardo" it corrects it as ".\Ricardo"). But Andromeda won't let me set permisions for ".\ Ricardo" (Shared and Security tabs) in shared folder "Recordings", but "ANDROMEDA\Ricardo"! If I enter ".\Ricardo" or just "Ricardo" Win2003 corrects it as "ANDROMEDA\Ricardo". I guess this is the problem why Andromeda (Win2003) will not consider the service and the folder users to be the same "Ricardo" user, so it will not let the service access the folder. I tried and got the same error: Access Denied... Can you think of any other possibility? Thank you very much, Martin! Kind regards, Ricardo. > Hola, > > I don't if you tried this yet, but did you create an account with the same > exact username and password on both servers? Configure your service to use > that account/password. Using the account on either server will give you > access to the other server. > > -- > Regards, > Martin X. > MCSA: M > > > "Ricardo Vazquez" <rvazquez@dummy.com> wrote in message > news:%23dBKmA9FIHA.5752@TK2MSFTNGP02.phx.gbl... > Hi everybody, > > MY PROBLEM: > An application I've developed as a Windows Service, which is running at a > Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server > (ANDROMEDA), to a shared folder called "Recordings". > --> None of them are a domain server (no active-directory) > --> None of them are in any domain at all. > Both of them are in a work-group called SSSHHHH. > I add full control permision in Andromeda's folder "Recordings" for user > "Ricardo", which I created in Andromeda; and also full permision for user > "Everyone" (thanks to user "Everyone" my service has been working fine > before Win2003). I have added this permisions in both tabs "Sharing" and > "Security" in folder properties. > > If opened manually from Correo, it asks me for user and password: I enter > "ANDROMEDA\Ricardo", and it opens the folder and I can actually write. > > But my service can not: "Error MoveFile: Access denied". > It seems to be logical, since the "user" (account) which runs the service > is > "LocalSystem" and not "ANDROMEDA\Ricardo". > > > SOLUTIONS THAT I'VE TRIED: > Possible solutions I've thought of? > - Either I give permision to that Correo's "LocalSystem" on Andromeda to > write on "Recordings" > - Or I make the service run with another user-password: > "ANDROMEDA\Ricardo", as I did when I manually opened the folder. > > I fail to carry out any of the two solutions: > > The first solution: > According to the documentation that I found on the internet, Local System > account appears on the network as DOMAIN\<machine name>$: > http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH > But here we have no "domain". > I still attempted to give permission in folder "Recordings" to CORREO$, > didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I > also tried without the "$": nothing. > Then I tried using the user-list (Add / Advanced / Search now - there is > no > more "location" that the very local pc), and I added total permision both > Share and Security to "Everyone", "LOCAL SERVICE", "Network Service", > "SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see > if > any of this users would ring the bell... Nothing! > > The second solution: > Change the user that runs my service to ANDROMEDA\Ricardo. > I tried to change it ("Session start" tab in my service properties), but > clicking "Apply" it won't let me, poping-up that "The name of the account > is > invalid or does not exist, or the password is invalid for the account name > specified." > Then I tried to change the account to "network service", -this account > sounded so well to me-, "AUTHORITY\NetworkService". But when I try to > start > my service it quickly stopped: "The service has not responded to the > petition after an adequate time"; but it says this after just a second! It > doesn't look like a real timeout. Rather, it seems that not any service > can > manually switch and use this "network service" account. > > > So, I can't think of any other solution! > I am newbie to networks and servers ... I do not know what I can do! > > Could anyone please help me? > > > Thank you very much! > > > Ricardo Vázquez. > Madrid, Spain. > > > > > > > > > > > > > > > >
Guest Ricardo Vazquez Posted October 31, 2007 Posted October 31, 2007 Re: Service writing on Win2003 remotely. Great!! Thank you very much, Martin! I have it working now! But now I have another similar problem to ask about... I have to go a step further: My scenario so far was win2000 and win2003 without domain, in the same working group; and my service running with the account "Ricardo", created in both computers with the same name and password. Now I need my service working in the following scenario: - win2000 (CORREO) and win2003 (ANDROMEDA) **domain server**, that is: now we have domain, which is: "ANDROMEDA2003.jusan" - And I need my service account to be the services default account, that is: "LocalSystem" (and not "Ricardo"). According to the documentation that I found on the internet, Local System account appears on the network as DOMAIN\<machine name>$: http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH So I have added CORREO as a computer at: Active Directory Users and Computers '- ANDROMEDA2003.jusan '- Computers And then I've given full control permission (both in Security and Shared tabs), folder "Recordings", to CORREO$ (ANDROMEDA2003\CORREO$). With this, my service running on CORREO should be able to write on \\ANDROMEDA\Recordings... But it isn't! Again: Access denied. What do you think of this? Any other hints, or steps to follow...? Kindest regards, thank you very much once again, Ricardo.
Guest Martin X. Posted October 31, 2007 Posted October 31, 2007 Re: Service writing on Win2003 remotely. Good, I'm glad that it was working. I would not recommend running any services under the LocalSystem account if that service needs access to a remote server, which is what you are trying to do. What you should do is create a DOMAIN user account to run your service under. Let's call the account RicardoService. 1) From Active Directory Users and Computers '- ANDROMEDA2003.jusan, create a regular user account named RicardoService. Since this is a domain account, any computer that is a member of the domain can use the account. This is one of the major reasons why you want to use a Windows domain. 2) Give ANDROMEDA2003\RicardoService permission to the Recordings folder via "Sharing" and "Security." 3) On CORREO, give the account ANDROMEDA2003\RicardoService rights to run as a service. See http://help.globalscape.com/help/secureserver3/Log_the_server_on_as_a_service.htm and http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/546.mspx?mfr=true This should now work the same way as it did in the work group. -- Regards, Martin X. Microsoft Certified Systems Administrator: Messaging Philadelphia, Pennsylvania, USA "Ricardo Vazquez" <rvazquez@dummy.com> wrote in message news:ekG%23de%23GIHA.284@TK2MSFTNGP02.phx.gbl... Great!! Thank you very much, Martin! I have it working now! But now I have another similar problem to ask about... I have to go a step further: My scenario so far was win2000 and win2003 without domain, in the same working group; and my service running with the account "Ricardo", created in both computers with the same name and password. Now I need my service working in the following scenario: - win2000 (CORREO) and win2003 (ANDROMEDA) **domain server**, that is: now we have domain, which is: "ANDROMEDA2003.jusan" - And I need my service account to be the services default account, that is: "LocalSystem" (and not "Ricardo"). According to the documentation that I found on the internet, Local System account appears on the network as DOMAIN\<machine name>$: http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH So I have added CORREO as a computer at: Active Directory Users and Computers '- ANDROMEDA2003.jusan '- Computers And then I've given full control permission (both in Security and Shared tabs), folder "Recordings", to CORREO$ (ANDROMEDA2003\CORREO$). With this, my service running on CORREO should be able to write on \\ANDROMEDA\Recordings... But it isn't! Again: Access denied. What do you think of this? Any other hints, or steps to follow...? Kindest regards, thank you very much once again, Ricardo.
Recommended Posts