Peter Steele (Guest)
Posted: Sat Dec 18, 2004 1:32 am
Post subject: How can two services run under same user context?
I have two services, both configured to run under the user 'admin'. One
service mounts a network drive and maps it to drive Z. After doing this, the
second service cannot access this drive, even though both are configured to
run under the same account. Is there a way to have both services share the
same security context so that both services have access to the network
mounts the other establishes?
|
 |
Peter Steele (Guest)
Posted: Sat Dec 18, 2004 4:30 am
Post subject: Re: How can two services run under same user context?
A better subject would have been "How can two services access the same
network drive?". This problem is described here:
http://support.microsoft.com/kb/149984/EN-US/
and unless something has changed since Windows NT, it would appear that I
cannot do what I want to do unless I explicitly authenticate the network
connections in each service. Not the answer I was hoping for...
|
 |
Roger Abell [MVP] (Guest)
Posted: Sat Dec 18, 2004 10:43 am
Post subject: Re: How can two services run under same user context?
It is not a sharing of security context (aka same account) that is
important here but that they share the same process/job space.
One service would need to have spawned off the other for this.
(or share access to the same share as per separate mappings
by each service as you have indicated).
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
|
 |
Peter Steele (Guest)
Posted: Mon Dec 20, 2004 10:26 pm
Post subject: Re: How can two services run under same user context?
Okay, I understand this now. What I'm puzzled about is why this fails when
the processes are launched as services but it works when the processes run
as normal applications. More specifically, if I have a service running under
user admin and map a network drive, my other service *does not* have access
to that drive, as the article I found explains. If on the other hand I
launch the processes as normal applications instead of services while logged
in as user admin, when one process maps a drive the other process *does*
have access to it, even though it is not a child of the process that maps
the drive. In fact, my interactive session also has access to the mapped
drive. What's the explanation for this? Do all these processes share the
same process space when launched interactively in this manner?
|
 |
Bob McCoy [MSFT] (Guest)
Posted: Tue Dec 21, 2004 12:26 am
Post subject: Re: How can two services run under same user context?
Roger said it most eloquently when he said, "It is not a sharing of security
context (aka same account) that is important here but that they share the
same process/job space." It's not the particular process, but the process
space. In the case of when you "launch the processes as normal applications"
they do share the same process space. Think of it this way -- the apps that
you are running are child processes of your interactive session where the
environmental variables such as mapped drives are shared information and
available to all processes in that space.
--
Bob McCoy
* This posting is provided "AS IS" with no warranties, and confers no
rights.
* Please note I cannot respond to email questions. Please use these
newsgroups.
|
 |
Peter Steele (Guest)
Posted: Tue Dec 21, 2004 4:58 am
Post subject: Re: How can two services run under same user context?
I understand what you are saying, but if I open two command shells from my
interactive session and define new environment variables in one of the
sessions, these new environment variables are not available in the other
command shell. However, if I do a "net use x: ..." command, the drive that
is mounted is available to both. This is what puzzles me. If the command
shells share the same process space, shouldn't the environment variables be
available to both and not just the drive mappings?
|
 |
Roger Abell [MVP] (Guest)
Posted: Tue Dec 21, 2004 5:16 am
Post subject: Re: How can two services run under same user context?
Environment variables obey different rules.
When you ran the two interactively within a single login,
it is the logged in context that acquired the mapping when
one of the processes mapped the drive - hence the interactive
login and the other "service" could see the mapping.
Environment variables work such that a child cmd gets its
parent's variable space, and can add its own values (which
the parent does not get, but any child cmd will).
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
|
 |
Peter Steele (Guest)
Posted: Tue Dec 21, 2004 10:08 pm
Post subject: Re: How can two services run under same user context?
One final question:
Is there any way to see the mounts a service has made from an interactive
session? I don't mean to use them but just to get the list in the same way
as I would do with "net use".
|
 |
Roger Abell (Guest)
Posted: Wed Dec 22, 2004 7:38 am
Post subject: Re: How can two services run under same user context?
I believe that you would need to write the code in the service
so that you could signal it and receive the information in its
response, and, depending on how you do that you may have to
config the service to be allowed to interact with the desktop
which in general is not a preferred config for a service.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
|
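Added example, not code from any poster in this thread: Windows keeps drive-letter mappings per logon session, so this PowerShell reports which logon session each service process runs in and whether two services configured with the same account actually share one. The function name `Get-ServiceLogonSession` and the service names `ExampleServiceA` and `ExampleServiceB` are placeholders; run it from an elevated prompt.

```powershell
# Added example: show the logon session behind each service process.
# Function name and service names are hypothetical placeholders.

function Get-ServiceLogonSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Name
    )

    # Win32_SessionProcess links a Win32_LogonSession (Antecedent)
    # to a Win32_Process (Dependent). Build a PID -> LogonId map once.
    $pidToLogon = @{}
    foreach ($link in Get-CimInstance -ClassName Win32_SessionProcess) {
        $pidToLogon[[uint32]$link.Dependent.Handle] = $link.Antecedent.LogonId
    }

    # Index logon sessions by LogonId to read their type and start time.
    $sessions = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_LogonSession) {
        $sessions[$s.LogonId] = $s
    }

    # Common LogonType values; 5 is what a service logon looks like.
    $typeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'
                    5 = 'Service';     10 = 'RemoteInteractive' }

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $Name -contains $_.Name }

    foreach ($svc in $services) {
        $logonId = $null
        $session = $null
        # A stopped service has ProcessId 0 and therefore no session.
        if ($svc.ProcessId -ne 0 -and $pidToLogon.ContainsKey($svc.ProcessId)) {
            $logonId = $pidToLogon[$svc.ProcessId]
            $session = $sessions[$logonId]
        }

        $typeName = $null
        if ($session) {
            $typeName = $typeNames[[int]$session.LogonType]
            if (-not $typeName) { $typeName = [string]$session.LogonType }
        }

        [pscustomobject]@{
            Service    = $svc.Name
            Account    = $svc.StartName
            State      = $svc.State
            ProcessId  = $svc.ProcessId
            LogonId    = $logonId
            LogonIdHex = if ($logonId) { '0x{0:x}' -f [uint64]$logonId }
            LogonType  = $typeName
            LogonStart = if ($session) { $session.StartTime }
        }
    }
}

# Compare two services that are configured with the same account.
$report = @(Get-ServiceLogonSession -Name 'ExampleServiceA', 'ExampleServiceB')
$report | Format-Table -AutoSize

$running  = @($report | Where-Object { $_.LogonId })
$distinct = @($running | Select-Object -ExpandProperty LogonId -Unique)

if ($running.Count -lt 2) {
    'Fewer than two of the named services are running; nothing to compare.'
}
elseif ($distinct.Count -gt 1) {
    'Different logon sessions: a drive letter mapped by one service is not visible to the other.'
}
else {
    'Same logon session: both service processes see the same drive-letter mappings.'
}
```

When the two services report different `LogonId` values, each one has to make its own connection to the share, which is the conclusion Peter drew from the KB article.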