Unable to leverage runAs policy for guest executable based service

  • Question

  • Hi,

    Trying to get an asp.net core service hosted as a guest executable (on premise) to run under a domain account. We have a database that uses integrated security and I need this service to run under those credentials for access. I've tried to follow the docs as closely as possible but keep coming up short. Some event log entries:

    - Services.ServiceHostType_App59: End ConfigureSecurityPrincipals: error E_ACCESSDENIED
    - bf865279ba277deb864a976fbf4c200e: App Services.ServiceHostType_App59: SetupApplicationPrincipals failed with E_ACCESSDENIED
    - Error getting user account information for domain\user: status=5, error=E_ACCESSDENIED

    Any help is appreciated...

     
     A simplified app manifest is as follows
    =================================================================================================================================
    ApplicationManifes.xml
    =================================================================================================================================
     
    <ApplicationManifest  >
      
      <ServiceManifestImport>
        <ServiceManifestRef ServiceManifestName="IntegrationServicePkg" ServiceManifestVersion="1.0.0" />
        <ConfigOverrides />
        <Policies>
          <RunAsPolicy CodePackageRef="Code" UserRef="IntegrationServiceUser"  EntryPointType="Setup" />
        </Policies>
      </ServiceManifestImport>
      <DefaultServices>
        <Service Name="IntegrationService">
          <StatelessService ServiceTypeName="IntegrationServiceType" InstanceCount="[IntegrationService_InstanceCount]">
            <SingletonPartition />
          </StatelessService>
        </Service>
      </DefaultServices>
      <Principals>
        <Users>
          <User Name="IntegrationServiceUser" AccountType="DomainUser" AccountName="domain\username" Password="password" PasswordEncrypted="false" />
        </Users>
      </Principals>
     
      <Policies>
        <DefaultRunAsPolicy UserRef="IntegrationServiceUser" />
        <SecurityAccessPolicies>
          <SecurityAccessPolicy ResourceRef="IntegrationServiceTypeEndpoint" PrincipalRef="IntegrationServiceUser" GrantRights="Full" />
        </SecurityAccessPolicies>
      </Policies>
    </ApplicationManifest>
    =================================================================================================================================
    ServiceManifest.xml
    =================================================================================================================================
      
        <SetupEntryPoint>
          <ExeHost>
            <Program>Integration.API.exe</Program>
            <Arguments>--SelfHost</Arguments>
            <WorkingFolder>CodePackage</WorkingFolder>
            <ConsoleRedirection FileRetentionCount="5" FileMaxSizeInKb="2048"/>
          </ExeHost>
        </SetupEntryPoint>
       
        <EntryPoint>
          <ExeHost>
            <Program>Integration.API.exe</Program>
            <Arguments>--SelfHost</Arguments>
            <WorkingFolder>CodePackage</WorkingFolder>
             <ConsoleRedirection FileRetentionCount="5" FileMaxSizeInKb="2048"/>
          </ExeHost>
        </EntryPoint>
      </CodePackage>
     
      <ConfigPackage Name="Config" Version="1.0.0" />
      <Resources>
        <Endpoints>     
          <Endpoint Name="IntegrationServiceTypeEndpoint" Protocol="http" Type="Input" Port="17571"/>
        </Endpoints>
      </Resources>

    Travis

    Monday, November 14, 2016 7:55 PM
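The post's RunAsPolicy carries EntryPointType="Setup", which applies only to the SetupEntryPoint, and the domain password sits in the manifest in clear text with PasswordEncrypted="false". As an added example (not from the original post or the docs it links), here is the same manifest with the policy applied to both entry points and the password stored encrypted against a secrets certificate; ApplicationTypeName, the certificate thumbprint and the ciphertext value are placeholders.

```xml
<!-- Added example, not from the original post. Names reused from the post:
     IntegrationServicePkg, Code, IntegrationServiceUser, IntegrationServiceTypeEndpoint.
     Placeholders: THUMBPRINT_PLACEHOLDER, ENCRYPTED_PASSWORD_PLACEHOLDER, IntegrationAppType. -->
<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
                     ApplicationTypeName="IntegrationAppType" ApplicationTypeVersion="1.0.0">
  <Parameters>
    <Parameter Name="IntegrationService_InstanceCount" DefaultValue="-1" />
  </Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="IntegrationServicePkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides />
    <Policies>
      <!-- "Setup" (used in the post) covers only SetupEntryPoint; "Main" (the default) covers
           only EntryPoint; "All" covers both, so the service process itself gets the account. -->
      <RunAsPolicy CodePackageRef="Code" UserRef="IntegrationServiceUser" EntryPointType="All" />
    </Policies>
  </ServiceManifestImport>
  <DefaultServices>
    <Service Name="IntegrationService">
      <StatelessService ServiceTypeName="IntegrationServiceType" InstanceCount="[IntegrationService_InstanceCount]">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>
  <Principals>
    <Users>
      <!-- Password holds the ciphertext produced with Invoke-ServiceFabricEncryptText against the
           SecretsCertificate below, so no clear-text domain password ships in the package. -->
      <User Name="IntegrationServiceUser" AccountType="DomainUser" AccountName="domain\username"
            Password="ENCRYPTED_PASSWORD_PLACEHOLDER" PasswordEncrypted="true" />
    </Users>
  </Principals>
  <Policies>
    <DefaultRunAsPolicy UserRef="IntegrationServiceUser" />
    <SecurityAccessPolicies>
      <SecurityAccessPolicy ResourceRef="IntegrationServiceTypeEndpoint" PrincipalRef="IntegrationServiceUser" GrantRights="Full" />
    </SecurityAccessPolicies>
  </Policies>
  <Certificates>
    <!-- Certificate whose private key is installed on every node; Fabric uses it to decrypt
         the Password value at activation. -->
    <SecretsCertificate X509FindValue="THUMBPRINT_PLACEHOLDER" />
  </Certificates>
</ApplicationManifest>
```

The ciphertext is produced on a machine holding the certificate with the Invoke-ServiceFabricEncryptText cmdlet, and the certificate's private key must be present on every node or activation fails the same way the post's event log shows. Where a group Managed Service Account is available, AccountType="ManagedServiceAccount" with the gMSA's account name drops the Password attribute altogether.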

Answers

  • 1. Are you running local or in Azure?

    "By default, Service Fabric applications run under the account that the Fabric.exe process runs under. Service Fabric also provides the capability to run applications under a local user account or local system account, which is specified within the application manifest. Supported local system account types are LocalUser, NetworkService, LocalService, and LocalSystem.

    When you're running Service Fabric on Windows Server in your datacenter by using the standalone installer, you can use Active Directory domain accounts."

    2. Are you following steps in this link?

    "Configure security policies for your application"

    https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security


    Frank

    Sunday, November 20, 2016 4:16 PM

All replies

  • Did you actually resolve this issue? I am running into the same problem running a service as a domain user. My only solution has been to run the host service using a domain admin account which will not work for production. The links in the accepted "solution" are just to the documentation and don't provide a solution.

    Thanks,

    Ben


    • Edited by BWay01 Tuesday, June 6, 2017 3:00 PM
    Tuesday, June 6, 2017 2:52 PM