Access Rights configuration for endpoints

Release 1.0 - ...

Note: As of version 1.2 the access rights configuration for endpoints has been integrated within the Set Site Security tool which can be found in the Config Editor.

The following instructions apply only to Smartsite iXperion versions before 1.2:
By default, the WCF endpoints are started under the identity of the current thread, which with the recommended settings is the Network Service account (the configured application pool identity). Also by default, this account does not have sufficient access rights to start HTTP listeners. It is therefore necessary to add URL ACL entries to the urlacl store, or, in other words, to configure namespace reservations.

Namespace reservation assigns the rights for a portion of the HTTP URL namespace to a particular group of users. A reservation gives those users the right to create services that listen on that portion of the namespace. Reservations are URL prefixes, meaning that the reservation covers all sub-paths of the reservation path.

When the site has started, you can verify whether the Network Service account (or whichever account you are using) has sufficient access rights by requesting an item that contains the env.servicesinfo() viper. This viper displays an overview of the configured services and their endpoints. When WCF fails to open an endpoint, for example because of insufficient access rights, the viper shows the reason the endpoint could not be opened.

If the cause is insufficient access rights, the viper displays a message like:

HTTP could not register URL http://+:8001/test6/InteropService/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details).

Granting access rights

The easiest way to grant access rights (in other words, to add namespace reservations) to specific accounts is the HTTP Configuration Utility (httpcfg.exe), which is part of Microsoft's Windows Support Tools. Note that httpcfg.exe is no longer shipped with Windows Vista, Windows Server 2008 and later; on those systems the same reservations are managed with netsh http add urlacl, netsh http show urlacl and netsh http delete urlacl.

Use the httpcfg.exe set urlacl command to change namespace reservations. Modifying the reservation rights for a portion of the namespace requires either administrative privileges or ownership of that portion of the namespace. Initially, the entire HTTP namespace belongs to the local administrator.

The following shows the syntax of the Httpcfg command with the set urlacl option:

httpcfg set urlacl /u {http://URL:Port/ | https://URL:Port/} /a ACL

The /u parameter is required when using set urlacl. It takes a string that contains a fully-qualified URL that serves as the record key for the reservation being made.

The /a parameter is also required when using set urlacl. It takes a string that contains an Access Control List (ACL) in the form of a Security Descriptor Definition Language (SDDL) string.

For example, to add a namespace reservation for all WCF HTTP endpoints on port 8001 of site test6 for the Network Service account, run the following command:

httpcfg set urlacl /u http://+:8001/test6/ /a "D:(A;;GX;;;NS)"

(NS in the SDDL string is the well-known abbreviation for the Network Service account; GX grants the right to listen on the prefix.)

Overview of namespace reservations

To get an overview of namespace reservations (a.k.a. granted access rights) use the following command:

httpcfg query urlacl

Removing access rights/namespace reservations

To remove a namespace reservation (for example the one added above), use the command:

httpcfg delete urlacl /u http://+:8001/test6/

RC1

Release Candidate 1 uses the configured application user to start the services. This is the user with login name "system" as specified in the smartsiteaccounts section of the Smartsite.Security.config configuration file.

Usually, the system user is bound to the Administrator user role, and through this role you configure the Windows account that will be impersonated.

This Windows account must have sufficient access rights to start the WCF endpoint HTTP listeners. The easiest way to achieve this (but definitely not the most secure) is to add the configured Windows account to the local Administrators group.

Another option is to use the httpcfg utility as described above, but you then need to construct an SDDL string for the configured Windows account. Specifically, you need to determine the SID (Security Identifier) of the impersonated Windows account, since you will probably only replace the NS part of the SDDL string, which refers to the Network Service account, with that SID.

You can use the script below to retrieve the SID of a specific account.

' Retrieve the SID of a Windows account through WMI (Win32_UserAccount).
' Replace accountname and domain with the account that is impersonated;
' for a local account, use the computer name as the domain.
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get _
    ("Win32_UserAccount.Name='accountname',Domain='domain'")
' The printed SID is what replaces NS in D:(A;;GX;;;NS)
Wscript.Echo objAccount.SID

To retrieve the SID of a local account, use the computer name as the domain.
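As an added example (not part of the original page and not Smartsite's own code), the following PowerShell script ties the two procedures above together: it resolves any Windows account (the Network Service account or the impersonated application user from the RC1 section) to its SID, builds the SDDL string, adds the reservation with httpcfg and verifies that it is present in the urlacl store. It assumes httpcfg.exe is on the PATH, that the shell runs with administrative rights, and that the account name, site prefix and port are placeholders to replace; the function names are the example's own.

```powershell
# Added example: reserve, verify and (optionally) release an HTTP namespace
# prefix for an arbitrary Windows account with httpcfg.exe.
# Assumptions: httpcfg.exe (Windows Support Tools) is on the PATH, the shell
# is elevated, and $Account/$Url are placeholders for your own values.
param(
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',   # or 'DOMAIN\user' / 'COMPUTER\user'
    [string]$Url     = 'http://+:8001/test6/',           # keep the trailing '/': reservations are prefixes
    [switch]$Remove                                      # delete the reservation instead of adding it
)

# Resolve an account name to its SID with the .NET NTAccount class; this works
# for local, domain and well-known accounts without going through WMI.
# Throws if the account cannot be found.
function Get-AccountSid([string]$Name) {
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Build the SDDL DACL that httpcfg expects. GX (generic execute) is the right
# to listen on the prefix; GA would additionally let the account delegate the
# reservation to others, so stay with GX. Well-known accounts may use their
# two-letter alias (NS, LS, BA, ...); any other account needs the full SID.
function New-UrlAclSddl([string]$Sid) {
    "D:(A;;GX;;;$Sid)"
}

# Check the urlacl store for a reservation whose URL matches $Url.
function Test-UrlAcl([string]$Url) {
    $out = & httpcfg query urlacl 2>&1
    @($out | Where-Object { $_ -match [regex]::Escape($Url) }).Count -gt 0
}

if ($Remove) {
    & httpcfg delete urlacl /u $Url
    if (Test-UrlAcl $Url) { throw "reservation for $Url is still present after delete" }
    Write-Host "Reservation for $Url removed."
    return
}

$sid  = Get-AccountSid $Account
$sddl = New-UrlAclSddl $sid
Write-Host "Account $Account resolves to $sid"
Write-Host "Reserving $Url with ACL $sddl"

# httpcfg reports 'HttpSetServiceConfiguration completed with 0' on success;
# the query below is the authoritative check rather than the exit code.
& httpcfg set urlacl /u $Url /a $sddl
if (-not (Test-UrlAcl $Url)) { throw "reservation for $Url not visible in 'httpcfg query urlacl'" }
Write-Host "Reservation present. Restart the site and request an item with env.servicesinfo() to confirm the endpoint opens."
```

Run it without parameters to reserve the example prefix for Network Service, with -Account 'COMPUTER\svc_smartsite' for the impersonated RC1 account, and with -Remove to undo the reservation when the site moves to another port or prefix. On Windows Vista, Windows Server 2008 and later, where httpcfg.exe is not available, the equivalent calls are netsh http add urlacl url=http://+:8001/test6/ sddl="D:(A;;GX;;;NS)" (or user="DOMAIN\account" instead of sddl=), netsh http show urlacl and netsh http delete urlacl url=http://+:8001/test6/.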