locked
Remote debugging tool as a service allowing certain users RRS feed

  • Question

  • We have a development server in our domain which hosts all of our applications and websites.

    For develoment, we would like to be able to remotely debug the application running in this environement as they might differ from our local testing setups. Therefore we use the remote debugging tool supplied by Microsoft.

    Running this tool as an application, we can add additional permissions for a certain group in our domain (the developers) to be able to connect to it remotely without a problem. These settings however are not persisted when the server is rebooted, the application is restarted or the user under which we run the tool logs off.

    Therefore we want to run the remote debugger as a service so we can always connect to it from our Visual Studio 2013 Professional. Running the tool as a services does not give us any problems, we cannot however connect to it under our own domain accounts. Loggin in as Administrator works perfectly but is not the desired method.

    I've searched the internet for hours trying to find a solution but I could not find any.

    The following question explains exactly what we want to achieve: http://stackoverflow.com/questions/12733406/vs2012-remote-debugging-without-an-administrator-account sadly, no answer was given.

    After searching further I discovered this post, which describes all commandline parameters that are possible: http://social.msdn.microsoft.com/Forums/vstudio/en-US/174c2039-b316-455a-800e-18c0d93b74bc/visual-studio-2010-remote-debugger-settings-dont-persist?forum=vsdebug

    The most interesting parameter here was the "/allow user_name" parameter, which would allow me to pass a user/group in the domain to be given trust for remote debugging. I could not however find a way to pass this parameter to the service that is created by the configuration wizard. I tried editing the given service to call "msvsmon.exe" directly with the same parameter list as the rdbgservice.exe call passes but this does not apear to work.

    C:\Program Files\Microsoft Visual Studio 12.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe /CHILDSERVER e8 "+:4018" {07C4B83C-3592-45E6-89F8-1889829605B7} 0x0 4019 e4 d4 d0 e0 /silent+ /servicemode+

    I am out of ideas, if anyone could guide me in a new direction, or provide me with a solution, it would be highly appreciated!

    Wednesday, June 4, 2014 12:52 PM

Answers

  • Hi,

    If you plan to run Remote Debugger as service, the account to run this service must meet these requirement:

    1. Account must have the 'logon as      service' privilege
    2. Account must be able to connect      'backwards' to the Visual Studio computer over the network. For this      reason, on a domain, its easiest if the service is running under Local      System, Network Service, or a domain account. 
    3. Account must have rights to debug the      target process. This means the service needs to either run under the same      account as the process to be debugged, or the service needs to run as an      administrator. 

    Now you want other developers to debug the app on remote machine using remote debug service, then other developers’ account must be administrator.

    It is by default. Running remote debugger as service really has many requirement compared to running it as app. If you want to make other developers debug the app with the service, currently you must give them administrator permission currently, there is no other way.

    Thanks,


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    • Proposed as answer by Amanda Zhu Tuesday, June 10, 2014 5:45 AM
    • Marked as answer by Amanda Zhu Friday, June 13, 2014 2:04 AM
    Friday, June 6, 2014 10:58 AM

All replies

  • Hi,

    The option /allow user_name is used to give permissions to one person when the person want to debug your computer. If you want domain users run the service well, the user which the remote debugger service runs under must meet the following requirements:

    The user must be a member of the Administrators group to allow debugging of
    any process.

    The user must have network permissions so that the remote debugger can
    communicate with Visual Studio.

    The user must be granted the 'Log on as a service' privilege. This can be
    done with the 'Local Security Policy' administrative tool.

    For more information, please see: Error: The Visual Studio Remote Debugger service on the target computer cannot connect back to this computer

    I still suggest adding those users into Administrators group in order to remote debugging well.

    Best regards,


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.


    • Edited by Amanda Zhu Thursday, June 5, 2014 10:01 AM edit
    Thursday, June 5, 2014 5:45 AM
  • Hi,

    I agree with everything you suggested, except for adding the debugging users to the administrators group. I do not want all developers to have full administrator privileges on the server running our applications.

    When running the remote debugger as an application, I have the possibility to allow other users/groups to connect to the remote debugger and this works perfectly. Why don't I have this option when running the remote debugger as a service? It just doesnt sound logical...

    Thursday, June 5, 2014 6:49 AM
  • Hi,

    Through further research, I found that running remote debugger service as an administrator is just a recommendation rather than a requirement.

    If you don’t want all developers to have full administrator permissions, you need meet the following requirements:

    1.Account must have the 'logon as service' privilege

    2.Account must be able to connect 'backwards' to the Visual Studio computer over the network. For this reason, on a domain, its easiest if the service is running under Local System, Network Service, or a domain account.  If you want to run it as a local account see: http://blogs.msdn.com/greggm/archive/2004/10/04/237519.aspx

    3.Account must have rights to debug the target process. This means the service needs to either run under the same account as the process to be debugged, or the service needs to run as an administrator. 

    For more information, reference:

    Visual Studio Remote Debugger Service user account requirements

    To grant Log on as a service rights, you can do these steps on your machine:

    Administrative Tools –> Local Security Policy;

    Security Settings\Local Policies\User Rights Assignment;

    Open Log on a service and add the user you want to configure.

    Best regards,


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.


    • Edited by Amanda Zhu Thursday, June 5, 2014 10:13 AM edit
    Thursday, June 5, 2014 10:12 AM
  • Hi Zhu,

    I don't think this will help in my situation?

    I'm fine with running the remote debugger service as administrator so all processes can be debugged, but I want to allow all developers to be able to connect to the service under their own domain accounts, not using the administrator account, nor by adding them to the administrators group.

    Why is it that whe I run the remote debugger as an application I can just modify the permissions by adding an additional AD group to the allowed users, but this is impossible when running it as a service?

    The changes I make to the permissions when running it as an application are also not persisted, restarting the program resets all permissions to only the administrator group.

    Friday, June 6, 2014 9:15 AM
  • Hi,

    If you plan to run Remote Debugger as service, the account to run this service must meet these requirement:

    1. Account must have the 'logon as      service' privilege
    2. Account must be able to connect      'backwards' to the Visual Studio computer over the network. For this      reason, on a domain, its easiest if the service is running under Local      System, Network Service, or a domain account. 
    3. Account must have rights to debug the      target process. This means the service needs to either run under the same      account as the process to be debugged, or the service needs to run as an      administrator. 

    Now you want other developers to debug the app on remote machine using remote debug service, then other developers’ account must be administrator.

    It is by default. Running remote debugger as service really has many requirement compared to running it as app. If you want to make other developers debug the app with the service, currently you must give them administrator permission currently, there is no other way.

    Thanks,


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    • Proposed as answer by Amanda Zhu Tuesday, June 10, 2014 5:45 AM
    • Marked as answer by Amanda Zhu Friday, June 13, 2014 2:04 AM
    Friday, June 6, 2014 10:58 AM