
Trouble running .Net Service as LocalSystem

gallan - 08 May 2008 06:05 GMT
I have a C++ .Net Windows Service application that is deployed at several
customer sites.  The application starts, and works perfectly at all of the
sites, except one.  At one site the service will not start.  They are running
a Windows 2003 server.  The error message is “Error 1053: The service did not
respond to the start or control request in a timely fashion”.

However, the service will start if I change the “Log on” account property
from LocalSystem to the Admin account.  This is the only site that I have to
run the application under the Admin account.  The customer does not want to
run the service using the Admin account.

In addition, a native C++ service application starts with no problems.  I am
guessing it is a .Net security setting.  This site is more secure than the
others, so I believe they may have changed some settings on the server.  

Is there a particular security setting that I need to update in order to get
the service to run as LocalSystem?

gallan - 09 May 2008 15:47 GMT
Update to my question:

The application is signed with a Verisign ID.  It appears that if we run an
unsigned version of the application, the application starts and runs fine.  
The server with the problem is behind a proxy server.

We would like to continue signing our code.  Is there something we can
update to fix this problem?

Arnout Grootveld - 09 May 2008 16:53 GMT
> The application is signed with a Verisign ID.  It appears that if we
> run an unsigned version of the application, the application starts and
> runs fine.  The server with the problem is behind a proxy server.

To determine whether the Authenticode signature is valid, the system needs
to contact a Certificate Revocation List server.

I guess LocalSystem doesn't have access to that CRL server (due to the
proxy, or for another reason). In that case assembly loading is delayed,
causing your service to exceed its allotted startup time.

If you're on .NET 3.5, <generatePublisherEvidence> may come to the rescue
(http://msdn.microsoft.com/en-us/library/bb629393.aspx).
Otherwise, I would suggest looking into proxy permissions for LocalSystem.
I think you can also disable CRL checking, but that's probably not a good
idea for LocalSystem...

Arnout.

Arnout Grootveld - 13 May 2008 20:09 GMT
Nothing like following up to your own posts, but hey...

>> The application is signed with a Verisign ID.  It appears that if we
>> run an unsigned version of the application, the application starts
[quoted text clipped - 12 lines]
> LocalSystem. I think you can also disable CRL checking, but that's
> probably not a good idea for LocalSystem...

I just found out that support for <generatePublisherEvidence> is also
available as a hotfix for 2.0 (http://support.microsoft.com/kb/936707), and
is part of 2.0 SP1.

Arnout.

gallan - 19 May 2008 03:49 GMT
Thanks for your help.  In addition to having a secure environment, this
client also has three meetings before performing one test, so things take a
while.

You put me on the right path.  I found this article about signed components
failing when there is no network connectivity.  It seems that the Service
Manager does not allow enough time for the Authenticode code to time out.
After increasing the timeout value, we were able to start the service.

http://support.microsoft.com/kb/941990
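
The `<generatePublisherEvidence>` setting mentioned in the replies above, shown as an added example that is not part of the original thread: an application configuration file for the service, where the file name `MyService.exe.config` is a placeholder. With `enabled="false"` the CLR skips building Publisher evidence from the Authenticode signature at load time; the executable stays signed, but code access security policy or `PublisherIdentityPermission` demands that depend on the publisher will no longer be satisfied.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- MyService.exe.config (placeholder name): must sit in the same directory
     as the service executable and be named <executable name>.config -->
<configuration>
  <runtime>
    <!-- Default is enabled="true": the CLR verifies the Authenticode
         signature at load time to build Publisher evidence, which can
         trigger the revocation lookup discussed in this thread. -->
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>
```

As noted in the thread, the element is honoured on .NET 3.5, on 2.0 SP1, and on 2.0 with the hotfix from KB 936707.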
