Service writing on Win2003 remotely.

[Guest Ricardo Vazquez]

Hi everybody,

 

MY PROBLEM:

An application I've developed as a Windows Service, which is running at a

Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server

(ANDROMEDA), to a shared folder called "Recordings".

--> None of them are a domain server (no active-directory)

--> None of them are in any domain at all.

Both of them are in a work-group called SSSHHHH.

I add full control permision in Andromeda's folder "Recordings" for user

"Ricardo", which I created in Andromeda; and also full permision for user

"Everyone" (thanks to user "Everyone" my service has been working fine

before Win2003). I have added this permisions in both tabs "Sharing" and

"Security" in folder properties.

 

If opened manually from Correo, it asks me for user and password: I enter

"ANDROMEDA\Ricardo", and it opens the folder and I can actually write.

 

But my service can not: "Error MoveFile: Access denied".

It seems to be logical, since the "user" (account) which runs the service is

"LocalSystem" and not "ANDROMEDA\Ricardo".

 

 

SOLUTIONS THAT I'VE TRIED:

Possible solutions I've thought of?

- Either I give permision to that Correo's "LocalSystem" on Andromeda to

write on "Recordings"

- Or I make the service run with another user-password:

"ANDROMEDA\Ricardo", as I did when I manually opened the folder.

 

I fail to carry out any of the two solutions:

 

The first solution:

According to the documentation that I found on the internet, Local System

account appears on the network as DOMAIN\<machine name>$:

http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH

But here we have no "domain".

I still attempted to give permission in folder "Recordings" to CORREO$,

didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I

also tried without the "$": nothing.

Then I tried using the user-list (Add / Advanced / Search now - there is no

more "location" that the very local pc), and I added total permision both

Share and Security to "Everyone", "LOCAL SERVICE", "Network Service",

"SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see if

any of this users would ring the bell... Nothing!

 

The second solution:

Change the user that runs my service to ANDROMEDA\Ricardo.

I tried to change it ("Session start" tab in my service properties), but

clicking "Apply" it won't let me, poping-up that "The name of the account is

invalid or does not exist, or the password is invalid for the account name

specified."

Then I tried to change the account to "network service", -this account

sounded so well to me-, "AUTHORITY\NetworkService". But when I try to start

my service it quickly stopped: "The service has not responded to the

petition after an adequate time"; but it says this after just a second! It

doesn't look like a real timeout. Rather, it seems that not any service can

manually switch and use this "network service" account.

 

 

So, I can't think of any other solution!

I am newbie to networks and servers ... I do not know what I can do!

 

Could anyone please help me?

 

 

Thank you very much!

 

 

Ricardo Vázquez.

Madrid, Spain.

[Guest Martin X.]

Re: Service writing on Win2003 remotely.

 

Hola,

 

I don't if you tried this yet, but did you create an account with the same

exact username and password on both servers? Configure your service to use

that account/password. Using the account on either server will give you

access to the other server.

 

--

Regards,

Martin X.

MCSA: M

 

 

"Ricardo Vazquez" <rvazquez@dummy.com> wrote in message

news:%23dBKmA9FIHA.5752@TK2MSFTNGP02.phx.gbl...

Hi everybody,

 

MY PROBLEM:

An application I've developed as a Windows Service, which is running at a

Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server

(ANDROMEDA), to a shared folder called "Recordings".

--> None of them are a domain server (no active-directory)

--> None of them are in any domain at all.

Both of them are in a work-group called SSSHHHH.

I add full control permision in Andromeda's folder "Recordings" for user

"Ricardo", which I created in Andromeda; and also full permision for user

"Everyone" (thanks to user "Everyone" my service has been working fine

before Win2003). I have added this permisions in both tabs "Sharing" and

"Security" in folder properties.

 

If opened manually from Correo, it asks me for user and password: I enter

"ANDROMEDA\Ricardo", and it opens the folder and I can actually write.

 

But my service can not: "Error MoveFile: Access denied".

It seems to be logical, since the "user" (account) which runs the service is

"LocalSystem" and not "ANDROMEDA\Ricardo".

 

 

SOLUTIONS THAT I'VE TRIED:

Possible solutions I've thought of?

- Either I give permision to that Correo's "LocalSystem" on Andromeda to

write on "Recordings"

- Or I make the service run with another user-password:

"ANDROMEDA\Ricardo", as I did when I manually opened the folder.

 

I fail to carry out any of the two solutions:

 

The first solution:

According to the documentation that I found on the internet, Local System

account appears on the network as DOMAIN\<machine name>$:

http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH

But here we have no "domain".

I still attempted to give permission in folder "Recordings" to CORREO$,

didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I

also tried without the "$": nothing.

Then I tried using the user-list (Add / Advanced / Search now - there is no

more "location" that the very local pc), and I added total permision both

Share and Security to "Everyone", "LOCAL SERVICE", "Network Service",

"SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see if

any of this users would ring the bell... Nothing!

 

The second solution:

Change the user that runs my service to ANDROMEDA\Ricardo.

I tried to change it ("Session start" tab in my service properties), but

clicking "Apply" it won't let me, poping-up that "The name of the account is

invalid or does not exist, or the password is invalid for the account name

specified."

Then I tried to change the account to "network service", -this account

sounded so well to me-, "AUTHORITY\NetworkService". But when I try to start

my service it quickly stopped: "The service has not responded to the

petition after an adequate time"; but it says this after just a second! It

doesn't look like a real timeout. Rather, it seems that not any service can

manually switch and use this "network service" account.

 

 

So, I can't think of any other solution!

I am newbie to networks and servers ... I do not know what I can do!

 

Could anyone please help me?

 

 

Thank you very much!

 

 

Ricardo Vázquez.

Madrid, Spain.

[Guest Ricardo Vazquez]

Re: Service writing on Win2003 remotely.

 

Hola Martin! :-)

 

I'm afraid it did not work...

 

The reason could be that Correo (Win2000) lets ".\ Ricardo" to be the user

for my service (if I enter "Ricardo" it corrects it as ".\Ricardo").

 

But Andromeda won't let me set permisions for ".\ Ricardo" (Shared and

Security tabs) in shared folder "Recordings", but "ANDROMEDA\Ricardo"! If I

enter ".\Ricardo" or just "Ricardo" Win2003 corrects it as

"ANDROMEDA\Ricardo".

 

I guess this is the problem why Andromeda (Win2003) will not consider the

service and the folder users to be the same "Ricardo" user, so it will not

let the service access the folder.

 

I tried and got the same error: Access Denied...

 

Can you think of any other possibility?

 

Thank you very much, Martin!

 

Kind regards,

 

Ricardo.

> Hola,

>

> I don't if you tried this yet, but did you create an account with the same

> exact username and password on both servers? Configure your service to use

> that account/password. Using the account on either server will give you

> access to the other server.

>

> --

> Regards,

> Martin X.

> MCSA: M

>

>

> "Ricardo Vazquez" <rvazquez@dummy.com> wrote in message

> news:%23dBKmA9FIHA.5752@TK2MSFTNGP02.phx.gbl...

> Hi everybody,

>

> MY PROBLEM:

> An application I've developed as a Windows Service, which is running at a

> Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server

> (ANDROMEDA), to a shared folder called "Recordings".

> --> None of them are a domain server (no active-directory)

> --> None of them are in any domain at all.

> Both of them are in a work-group called SSSHHHH.

> I add full control permision in Andromeda's folder "Recordings" for user

> "Ricardo", which I created in Andromeda; and also full permision for user

> "Everyone" (thanks to user "Everyone" my service has been working fine

> before Win2003). I have added this permisions in both tabs "Sharing" and

> "Security" in folder properties.

>

> If opened manually from Correo, it asks me for user and password: I enter

> "ANDROMEDA\Ricardo", and it opens the folder and I can actually write.

>

> But my service can not: "Error MoveFile: Access denied".

> It seems to be logical, since the "user" (account) which runs the service

> is

> "LocalSystem" and not "ANDROMEDA\Ricardo".

>

>

> SOLUTIONS THAT I'VE TRIED:

> Possible solutions I've thought of?

> - Either I give permision to that Correo's "LocalSystem" on Andromeda to

> write on "Recordings"

> - Or I make the service run with another user-password:

> "ANDROMEDA\Ricardo", as I did when I manually opened the folder.

>

> I fail to carry out any of the two solutions:

>

> The first solution:

> According to the documentation that I found on the internet, Local System

> account appears on the network as DOMAIN\<machine name>$:

> http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH

> But here we have no "domain".

> I still attempted to give permission in folder "Recordings" to CORREO$,

> didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I

> also tried without the "$": nothing.

> Then I tried using the user-list (Add / Advanced / Search now - there is

> no

> more "location" that the very local pc), and I added total permision both

> Share and Security to "Everyone", "LOCAL SERVICE", "Network Service",

> "SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see

> if

> any of this users would ring the bell... Nothing!

>

> The second solution:

> Change the user that runs my service to ANDROMEDA\Ricardo.

> I tried to change it ("Session start" tab in my service properties), but

> clicking "Apply" it won't let me, poping-up that "The name of the account

> is

> invalid or does not exist, or the password is invalid for the account name

> specified."

> Then I tried to change the account to "network service", -this account

> sounded so well to me-, "AUTHORITY\NetworkService". But when I try to

> start

> my service it quickly stopped: "The service has not responded to the

> petition after an adequate time"; but it says this after just a second! It

> doesn't look like a real timeout. Rather, it seems that not any service

> can

> manually switch and use this "network service" account.

>

>

> So, I can't think of any other solution!

> I am newbie to networks and servers ... I do not know what I can do!

>

> Could anyone please help me?

>

>

> Thank you very much!

>

>

> Ricardo Vázquez.

> Madrid, Spain.

>

>

>

>

>

>

>

>

>

>

>

>

>

>

>

>

[Guest Martin X.]

Re: Service writing on Win2003 remotely.

 

Let's try this from the beginning.

 

 

 

1) Create a regular user account named RICARDO on the CORREO Windows

2000 Server server. Give it the password "password123".

 

2) Create a regular user account named RICARDO on the Windows Server

2003 server ANDROMEDA, also with the password "passsword123".

 

3) As you mentioned, you created a folder and share on CORREO named

RECORDINGS. Give ANDROMEDA\RICARDO full permissions in both tabs "Sharing"

and "Security" in folder properties.

 

4) Logon to CORREO as RICARDO.

 

5) Go to START > RUN and type in \\ANDROMEDA\RECORDINGS. See what

happens.

 

6) If that works ok, then on CORREO you need to give CORREO\RICARDO the

user rights to run as a service. See

http://help.globalscape.com/help/secureserver3/Log_the_server_on_as_a_service.htm

and

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/546.mspx?mfr=true

 

 

 

If steps 1-5 still do not work, it could be some type of NTLM authentication

issue because Windows Server 2003 has some differences in how it

authenticates when compared to Windows 2000 Server. Check out the article

NTLM user authentication in Windows:

http://support.microsoft.com/kb/102716/en-us. Actually, if you have access,

try using a Windows XP or Windows Server 2003 computer instead of the

Windows 2000 Server computer.

 

 

 

--

Regards,

Martin X.

MCSA: M

 

"Ricardo Vazquez" <rvazquez@dummy.com> wrote in message

news:uG4DvYhGIHA.5544@TK2MSFTNGP02.phx.gbl...

Hola Martin! :-)

 

I'm afraid it did not work...

 

The reason could be that Correo (Win2000) lets ".\ Ricardo" to be the user

for my service (if I enter "Ricardo" it corrects it as ".\Ricardo").

 

But Andromeda won't let me set permisions for ".\ Ricardo" (Shared and

Security tabs) in shared folder "Recordings", but "ANDROMEDA\Ricardo"! If I

enter ".\Ricardo" or just "Ricardo" Win2003 corrects it as

"ANDROMEDA\Ricardo".

 

I guess this is the problem why Andromeda (Win2003) will not consider the

service and the folder users to be the same "Ricardo" user, so it will not

let the service access the folder.

 

I tried and got the same error: Access Denied...

 

Can you think of any other possibility?

 

Thank you very much, Martin!

 

Kind regards,

 

Ricardo.

> Hola,

>

> I don't if you tried this yet, but did you create an account with the same

> exact username and password on both servers? Configure your service to use

> that account/password. Using the account on either server will give you

> access to the other server.

>

> --

> Regards,

> Martin X.

> MCSA: M

>

>

> "Ricardo Vazquez" <rvazquez@dummy.com> wrote in message

> news:%23dBKmA9FIHA.5752@TK2MSFTNGP02.phx.gbl...

> Hi everybody,

>

> MY PROBLEM:

> An application I've developed as a Windows Service, which is running at a

> Windows2000 (CORREO) has to move a file (MoveFileEx) to a Win2003 Server

> (ANDROMEDA), to a shared folder called "Recordings".

> --> None of them are a domain server (no active-directory)

> --> None of them are in any domain at all.

> Both of them are in a work-group called SSSHHHH.

> I add full control permision in Andromeda's folder "Recordings" for user

> "Ricardo", which I created in Andromeda; and also full permision for user

> "Everyone" (thanks to user "Everyone" my service has been working fine

> before Win2003). I have added this permisions in both tabs "Sharing" and

> "Security" in folder properties.

>

> If opened manually from Correo, it asks me for user and password: I enter

> "ANDROMEDA\Ricardo", and it opens the folder and I can actually write.

>

> But my service can not: "Error MoveFile: Access denied".

> It seems to be logical, since the "user" (account) which runs the service

> is

> "LocalSystem" and not "ANDROMEDA\Ricardo".

>

>

> SOLUTIONS THAT I'VE TRIED:

> Possible solutions I've thought of?

> - Either I give permision to that Correo's "LocalSystem" on Andromeda to

> write on "Recordings"

> - Or I make the service run with another user-password:

> "ANDROMEDA\Ricardo", as I did when I manually opened the folder.

>

> I fail to carry out any of the two solutions:

>

> The first solution:

> According to the documentation that I found on the internet, Local System

> account appears on the network as DOMAIN\<machine name>$:

> http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH

> But here we have no "domain".

> I still attempted to give permission in folder "Recordings" to CORREO$,

> didn't work; CORREO\CORREO$, didn't work, SSSHHH\CORREO$, didn't either; I

> also tried without the "$": nothing.

> Then I tried using the user-list (Add / Advanced / Search now - there is

> no

> more "location" that the very local pc), and I added total permision both

> Share and Security to "Everyone", "LOCAL SERVICE", "Network Service",

> "SERVICE", "Network", "ANONYMOUS LOGON" and "Authenticated Users", to see

> if

> any of this users would ring the bell... Nothing!

>

> The second solution:

> Change the user that runs my service to ANDROMEDA\Ricardo.

> I tried to change it ("Session start" tab in my service properties), but

> clicking "Apply" it won't let me, poping-up that "The name of the account

> is

> invalid or does not exist, or the password is invalid for the account name

> specified."

> Then I tried to change the account to "network service", -this account

> sounded so well to me-, "AUTHORITY\NetworkService". But when I try to

> start

> my service it quickly stopped: "The service has not responded to the

> petition after an adequate time"; but it says this after just a second! It

> doesn't look like a real timeout. Rather, it seems that not any service

> can

> manually switch and use this "network service" account.

>

>

> So, I can't think of any other solution!

> I am newbie to networks and servers ... I do not know what I can do!

>

> Could anyone please help me?

>

>

> Thank you very much!

>

>

> Ricardo Vázquez.

> Madrid, Spain.

>

>

>

>

>

>

>

>

>

>

>

>

>

>

>

>

[Guest Ricardo Vazquez]

Re: Service writing on Win2003 remotely.

 

Great!! Thank you very much, Martin!

I have it working now!

But now I have another similar problem to ask about...

 

I have to go a step further:

My scenario so far was win2000 and win2003 without domain, in the same

working group; and my service running with the account "Ricardo", created

in both computers with the same name and password.

 

Now I need my service working in the following scenario:

- win2000 (CORREO) and win2003 (ANDROMEDA) **domain server**, that is: now

we have domain, which is: "ANDROMEDA2003.jusan"

- And I need my service account to be the services default account, that

is: "LocalSystem" (and not "Ricardo").

 

According to the documentation that I found on the internet, Local System

account appears on the network as DOMAIN\<machine name>$:

http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH

 

So I have added CORREO as a computer at:

Active Directory Users and Computers

'- ANDROMEDA2003.jusan

'- Computers

 

And then I've given full control permission (both in Security and Shared

tabs), folder "Recordings", to CORREO$ (ANDROMEDA2003\CORREO$).

 

With this, my service running on CORREO should be able to write on

\\ANDROMEDA\Recordings... But it isn't! Again: Access denied.

 

What do you think of this?

Any other hints, or steps to follow...?

 

Kindest regards, thank you very much once again,

 

Ricardo.

[Guest Martin X.]

Re: Service writing on Win2003 remotely.

 

Good, I'm glad that it was working. I would not recommend running any

services under the LocalSystem account if that service needs access to a

remote server, which is what you are trying to do. What you should do is

create a DOMAIN user account to run your service under. Let's call the

account RicardoService.

 

 

 

1) From Active Directory Users and Computers

'- ANDROMEDA2003.jusan, create a regular user account named

RicardoService. Since this is a domain account, any computer that is a

member of the domain can use the account. This is one of the major reasons

why you want to use a Windows domain.

 

 

 

2) Give ANDROMEDA2003\RicardoService permission to the Recordings folder via

"Sharing" and "Security."

 

 

 

3) On CORREO, give the account ANDROMEDA2003\RicardoService rights to run as

a service. See

http://help.globalscape.com/help/secureserver3/Log_the_server_on_as_a_service.htm

and

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/546.mspx?mfr=true

 

 

 

This should now work the same way as it did in the work group.

 

 

--

Regards,

 

Martin X.

Microsoft Certified Systems Administrator: Messaging

Philadelphia, Pennsylvania, USA

 

"Ricardo Vazquez" <rvazquez@dummy.com> wrote in message

news:ekG%23de%23GIHA.284@TK2MSFTNGP02.phx.gbl...

Great!! Thank you very much, Martin!

I have it working now!

But now I have another similar problem to ask about...

 

I have to go a step further:

My scenario so far was win2000 and win2003 without domain, in the same

working group; and my service running with the account "Ricardo", created

in both computers with the same name and password.

 

Now I need my service working in the following scenario:

- win2000 (CORREO) and win2003 (ANDROMEDA) **domain server**, that is: now

we have domain, which is: "ANDROMEDA2003.jusan"

- And I need my service account to be the services default account, that

is: "LocalSystem" (and not "Ricardo").

 

According to the documentation that I found on the internet, Local System

account appears on the network as DOMAIN\<machine name>$:

http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx#EBH

 

So I have added CORREO as a computer at:

Active Directory Users and Computers

'- ANDROMEDA2003.jusan

'- Computers

 

And then I've given full control permission (both in Security and Shared

tabs), folder "Recordings", to CORREO$ (ANDROMEDA2003\CORREO$).

 

With this, my service running on CORREO should be able to write on

\\ANDROMEDA\Recordings... But it isn't! Again: Access denied.

 

What do you think of this?

Any other hints, or steps to follow...?

 

Kindest regards, thank you very much once again,

 

Ricardo.