Vista and Http services

Vista is coming soon, and one of its new security features bears special mention due to its effect on the execution of Http-based services. User Account Control is a new feature that will have many former administrators running as a “standard user” by default. Running as a non-admin, developers can hit a permissions issue when opening an Http standalone service:

AddressAccessDeniedException: HTTP could not register URL http://+:80/myService/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details).

That is because http.sys restricts the root namespace (i.e. “/”) to administrators only. By using the http.sys namespace security mechanism, you can delegate portions of the global namespace to be accessible by different groups (e.g. all local Users, Power Users, a single user such as REDMOND\kennyw, etc.). Traditionally this security integration would be done by your setup program at install time.

System.Net does not currently expose any managed APIs to manipulate http.sys security reservations, but Keith has posted some sample code on using these APIs from managed code.

In addition, on Vista administrators also have access to a brand new netsh extension. This extension is very useful for both diagnostics and configuration issues such as namespace delegation. It also takes care of simple SDDL conversion, so you can now have commands such as:

netsh http add urlacl url=http://+:80/myService user=DOMAIN\user

Rather than having to use oh-so-readable SDDL strings like D:(A;;GX;;;S-1-5-20).

Note that the code running either the netsh extension or the configuration APIs needs to be running under an administrator account in order to set up this reservation. Once the reservation (ACL delegation) has been made, future registrations (usages) of your URI can occur while running under any account that was authorized by the reservation.
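The reservation workflow described above, as an added PowerShell example that is not from the original post: it decodes the SDDL string quoted earlier (S-1-5-20 is the Network Service SID), audits any existing reservation for the URL, and adds one only when running elevated. The function names are illustrative, `DOMAIN\user` is the post's placeholder, and the `SDDL:` output label is assumed to be the English one.

```powershell
# Added example. $Url and the DOMAIN\user placeholder come from the post;
# the function names are illustrative.
$Url     = 'http://+:80/myService/'
$Account = 'DOMAIN\user'   # placeholder: the low-privilege account that hosts the service

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Decode an http.sys reservation DACL. For URL ACLs, GX (GENERIC_EXECUTE)
# means "may register the URL" and GW (GENERIC_WRITE) means "may delegate it".
function ConvertFrom-UrlAclSddl([string]$Sddl) {
    $sd = New-Object Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Account  = $name
            AceType  = $ace.AceType
            Register = [bool]($ace.AccessMask -band 0x20000000)
            Delegate = [bool]($ace.AccessMask -band 0x40000000)
        }
    }
}

# Read back the SDDL of an existing reservation, or $null if there is none.
# Assumes netsh labels the line "SDDL:" as it does on English-language systems.
function Get-UrlAclSddl([string]$Url) {
    $out = netsh http show urlacl "url=$Url" | Out-String
    if ($out -match 'SDDL:\s*(\S+)') { $Matches[1] } else { $null }
}

ConvertFrom-UrlAclSddl 'D:(A;;GX;;;S-1-5-20)'   # the SDDL string quoted in the post

$sddl = Get-UrlAclSddl $Url
if ($sddl) {
    ConvertFrom-UrlAclSddl $sddl                # audit who may listen on this prefix
} elseif (Test-Elevated) {
    netsh http add urlacl "url=$Url" "user=$Account"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
} else {
    Write-Warning "No reservation for $Url; rerun from an elevated prompt to add one."
}
```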

11 thoughts on “Vista and Http services”

  1. Pingback: Johan Lindfors : WCF-”hosts” på Windows Vista med UAC

  2. Pingback: Windows Core Networking : URLACL Setting Day

  3. steve

    I bought this book titled Microsoft Windows Communication Foundation Step by Step and in the second chapter when I run the application I get errors and exceptions, shown below, about the service not being able to connect to tcp and http settings in the localhost:/8000 and 8080 set in the config file. Can you tell me what I have to do to get this to work? I emailed the help support referenced in the book about a month ago, but as usual it was a Microsoft email address for support and emailing them is usually a waste of time. I have better luck emailing a dead person.
    Thanks
    Steve

    The HttpGetEnabled property of ServiceMetadataBehavior is set to true and the HttpGetUrl property is a relative address, but there is no http base address. Either supply an http base address or set HttpGetUrl to an absolute address.
    “The HttpGetEnabled property of ServiceMetadataBehavior is set to true and the HttpGetUrl property is a relative address, but there is no http base address. Either supply an http base address or set HttpGetUrl to an absolute address.”}

    HTTP could not register URL http://+:8000/ProductsService/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details).

    HTTP could not register URL http://+:8000/ProductsService/ProductsService.svc/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details).

    $exception {“Could not connect to net.tcp://localhost:8080/TcpProductService. The connection attempt lasted for a time span of 00:00:01.9970000. TCP error code 10061: No connection could be made because the target machine actively refused it. “} System.Exception {System.ServiceModel.EndpointNotFoundException}

  4. Kenny

    Steve, have you used netsh to allow your account access to this URL space? One easy way to test out this theory is to run your processes as elevated admin. If it works then the issue is as simple as a missing http.sys reservation (details of establishing one are in the above post)

  5. steve

    Ken
    Thanks for your response. I am logged into Windows Vista as admin. How exactly do I run a process from Visual Studio as an elevated admin process?
    I will try the posting from above and see what happens. I guess I need to know what API methods I need to call from code to set the ability of the operating system that will allow me to run a service and connect to it and not obtain the exceptions I have shown. If anyone knows a C# project that has the code to do this, could you leave me a website to download or email it to me at stevensrf1@inbox.com
    thanks

  6. Jaitley

    Steve, I faced the similar issue and using the httpGetUrl=”http://localhost:8000/ProductsService/ProductsService.svc” in the servicemetadata for the behavior did the trick for me.

    Thanks

  7. Bruce

    Question:

    Attempted to register my URL

    netsh http add urlacl url=http://+:8000/HelloIndigo user=Ultimate-PC\Jason

    Received the following error:

    Url reservations add failed, Error: 5
    The requested operation requires elevation

    User Ultimate-PC\Jason has Administrator privileges.

    Not sure what else I need. Please advise.

    Thank you
    Bruce

  8. Roblom

    Bruce: I had the same problem.
    I fixed it by (doing what this blogpost says) running the netsh command as administrator, you can do that by (not just starting the command prompt but) right-clicking on the command prompt icon and selecting “Run as Administrator”, then try again 🙂

    /Robert

  9. Pingback: Developing for MindTouch Vista/Win7 style « MindTouch Developer Blog
