Access Windows Share under Network Service account

3

6

I have two computers with Windows Server 2003. One computer has some shared folders on the network, and the other has a Windows Service (written in C#, running under the Network Service account) that needs to access those shared folders.

The following code works fine as a logged-in user, but throws an exception when executed under the Network Service account.

File.WriteAllText(@"C:\temp\temp.txt", File.ReadAllLines(@"\\NetworkServer\Test\test.txt")[0]);

The exception message is Logon failure: unknown user name or bad password. How do I get this code to work under the Network Service account? Is it a setting in Windows Server 2003, or do I need to add some code to this to make it work?

Roeder answered 23/12, 2009 at 16:35 Comment(0)
3

On the network share, you'll need to add permissions for the "Network Service" account on the server running the service. While this will work, @nicholas points out that this may provide an overly broad group of users access to the share.

Another option, and in my opinion the better option, is to create a domain account and then give that account read/write permission on the share. Then you configure the service to "run as" the domain account with proper permissions.

Geaghan answered 23/12, 2009 at 16:38 Comment(4)
I ended up creating a new domain account, and that worked pretty well. - Roeder
I see this is somewhat of an ancient question (in overflow time), but wondered about that first suggestion: is it possible to add permissions from a local account, i.e., NETWORK SERVICE, from a different computer? Possibly this could be done by adding the Computer to the permissions list, but wouldn't this have the adverse effect of giving all users on that machine permission? - Elevenses
@Elevenses Yes, I believe so. Creating a domain account is, IMHO, the best way to go. I've edited to make that clear. - Geaghan
Network Service represents the computer's account on the network and authenticates under the computer's credentials. - Lobe
5

@Nate's answer is either incorrect or is unclear, as far as I can tell. It doesn't explain how Network Service authenticates on the network.

The Network Service account has very limited privileges on a local system; it presents the computer's credentials on the network. So if you need to access a network resource (e.g. a network share) under the Network Service account, you have to grant access to the account of the computer where the service runs.

Providing the local Network Service account with access to a network resource won't work at all; you'll keep getting authentication / authorization errors.

See the MSDN "NetworkService Account" reference.

Lobe answered 30/6, 2014 at 10:18 Comment(0)
2

When the Network Service account attempts to access a share on a remote server, it authenticates on the network using the computer account. This account will be suffixed with $ (like servername$) when granted permission.

When the Network Service account attempts to access a share hosted on the SAME SERVER AS ITSELF, the computer account will NOT be able to grant the network service access. In this event, the Network Service built-in account will need to be granted access BOTH to the filesystem location AND the share permissions.

Basically, when you grant Network Service access to a share, it only will affect services running as that identity on the local machine. For remote machines, the computer account must be used, and the computer account cannot be used for granting access to local resources to Network Service.

Windom answered 24/4, 2020 at 4:31 Comment(0)
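
As an added example (not part of any answer above), this PowerShell script grants the share to the principal the answers identify: the computer account (DOMAIN\COMPUTER$) when the service runs on another machine, or the built-in Network Service account when service and share are on the same server. It assumes the SmbShare cmdlets of Windows Server 2012 or later rather than the Server 2003 tooling from the question; CONTOSO, APPSRV01 and D:\Shares\Test are placeholders.

```powershell
# Added example: run elevated on the machine that hosts the share.
# Assumes the SmbShare module (Windows Server 2012 or later).
# CONTOSO, APPSRV01 and D:\Shares\Test are placeholders, not values from the page.
param(
    [string]$ShareName   = 'Test',            # share name from the question
    [string]$SharePath   = 'D:\Shares\Test',  # placeholder folder behind the share
    [string]$Domain      = 'CONTOSO',         # placeholder domain
    [string]$ServiceHost = 'APPSRV01'         # placeholder machine running the service
)

# Choose the principal the file server actually sees.
if ($ServiceHost -ieq $env:COMPUTERNAME) {
    # Service and share on the same machine: grant the built-in account.
    $principal = 'NT AUTHORITY\NETWORK SERVICE'
} else {
    # Service on another machine: Network Service presents the computer
    # account, written DOMAIN\COMPUTER$. LocalSystem services on that machine
    # present the same account, so this grant covers them as well.
    $principal = '{0}\{1}$' -f $Domain, $ServiceHost
}

# Share-level permission: Change (read/write), not Full.
Grant-SmbShareAccess -Name $ShareName -AccountName $principal `
    -AccessRight Change -Force | Out-Null

# NTFS permission on the folder; both layers must allow the access.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Show what was granted, then flag broad share entries worth reviewing.
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $principal }
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference.Value -eq $principal }
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -in 'Everyone', 'NT AUTHORITY\Authenticated Users' } |
    ForEach-Object { Write-Warning "Broad share entry: $($_.AccountName) ($($_.AccessRight))" }
```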
