A while back, when I was first doing WCF development I ran into the following exception:
AddressAccessDeniedException: HTTP could not register URL http://+:8080/<…>. Your process does not have access rights to this namespace.
The exception message included a link to an MSDN article that explained the concept of HTTP Namespace Reservations. Unfortunately the page suggests using an outdated, and not very user-friendly tool called HttpCfg.exe to set up the namespace reservations. Even more unfortunate is the fact that this tool requires the user to enter a Security Descriptor Definition Language (SDDL) string by hand. Now, while I do enjoy the fact that I can now consider myself a member of the relatively small club of people that can read and write SDDL strings, this was not something I was especially excited about taking time away from the project at hand to do. Unfortunately, searching for help on the internet yielded more hurt than help.
What Not To Do
Upon performing my internet search, I ran straight into Mark Michaelis' post Windows Communication Foundation with Windows Vista and UAC. Now, generally speaking, I like Mark a lot, and he posts a lot of good stuff on his blog. However, I am ethically opposed to what he is suggesting in his blog. Adding a manifest to your app to force elevation in Windows Vista is absolutely not what you should do! If you have a web service that has to run as Administrator then you are doing something wrong. In fact I hope you aren't even running as an Administrator account when you're developing (although apparently the Visual Studio team doesn't agree with me).
What To Do
Option 1: If you're on Windows Vista, you can use netsh. Nicholas Allen has details on his blog, as does Kenny Wolf.
Option 2: If you're not on Vista, or you want to set permissions as part of the setup process, take a look at the source code Keith Brown has posted on his blog.
Option 3: If you want a GUI based on C# code similar to that on Keith's blog, with a more flexible SDDL object model, then check out my tool, HttpNamespaceManager.
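Whichever option you use, what ends up stored against the URL prefix is an SDDL string, so it helps to be able to read one back. The following Python sketch is an added example (it is not code from HttpNamespaceManager or from any of the posts linked above) that decodes the DACL of a reservation and reports allow-entries granted to broad groups. The sample URLs and SID are constructed, and the set of trustees treated as "broad" is an assumption of the example.

```python
import re

# Meaning http.sys gives the generic rights in a URL reservation ACE
RIGHTS = {"GX": "register", "GW": "delegate", "GA": "register+delegate"}
# SDDL two-letter aliases for some well-known SIDs (subset)
ALIASES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users",
           "AN": "Anonymous", "BA": "BUILTIN\\Administrators",
           "SY": "Local System", "NS": "Network Service", "LS": "Local Service"}
# Trustees this example treats as over-broad (an assumption, adjust to policy)
BROAD = {"WD", "AU", "BU", "AN", "S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-7"}

def parse_urlacl_sddl(sddl):
    """Return one dict per ACE found in the DACL (D:) part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component in %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 ';'-separated fields: %r" % body)
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        aces.append({"allow": ace_type == "A",
                     "rights": RIGHTS.get(rights, rights),  # hex masks pass through
                     "trustee": trustee,
                     "name": ALIASES.get(trustee, trustee)})
    return aces

def audit_reservation(url, sddl):
    """Return findings for allow-ACEs that let broad groups use the URL prefix."""
    return ["%s: %s may %s" % (url, ace["name"], ace["rights"])
            for ace in parse_urlacl_sddl(sddl)
            if ace["allow"] and ace["trustee"] in BROAD]

# Constructed sample data, shaped like the output of `netsh http show urlacl`
SAMPLE = {
    "http://+:8080/MyService/":
        "D:(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-1001)",
    "http://+:8081/Temp/": "D:(A;;GA;;;WD)",
}

if __name__ == "__main__":
    for url, sddl in SAMPLE.items():
        for line in audit_reservation(url, sddl) or [url + ": ok"]:
            print(line)
```

The first sample entry grants register rights to a single account SID and passes; the second grants register and delegate rights to Everyone and is reported.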
HttpNamespaceManager
This is not an official Microsoft tool, and should be considered sample code (see disclaimer below).
HttpNamespaceManager is available as either source code or an executable (both are in the attached zip file). It is licensed under the Creative Commons Attribution license and is free to use, modify, and redistribute for commercial or non-commercial purposes. The project is divided into an API for managing HTTP Namespaces, including an object model for ACLs and Security Descriptors, and a UI with automatic elevation in Windows Vista for operations that require administrative privilege.
Requires .Net Framework 3.0 to run. Visual Studio 2005 & .Net Framework 3.0 to build.
This screen shot shows the start page of the Http Namespace Manager. All of the actions (Add/Edit/Remove) require elevation. Double clicking an item is the same as clicking the Edit button. The Remove button removes the entry permanently and without confirmation, so use caution.
When the Add button is clicked an input box is displayed in which the HTTP Namespace URL should be entered.
When the Edit button is clicked the following dialog is displayed. You must select a user or group in the top half of the form in order to set the permissions for it.
Disclaimer
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Why does MS have this model for http.sys in the first place? You can bind a socket to an open port as a non-admin, you just can't use the Windows http code to do so.
I can understand if your code is trying to use a port used by another application, and "hide" somewhere, i.e. http://server:80/secret/. But if you are doing a "full" bind to a port (i.e., "http://server:80/"), then it should treat it as the same as if you just bound a socket to that port (and not allow any other apps to access that port either). What am I missing here? The only thing I can think of is that some firewalls might not be able to figure out that Malware.exe is listening to port 8080 and not http.sys.
It is such a pain to have to deal with these ACLs. For WCF, we usually just don't use HTTP bindings (since netTcp doesn't have this issue). If we have to expose via HTTP outside of IIS, then yea, we make that app run as local admin. Sucks, but it's more manageable than having to make sure every machine (development, testing, staging, production) has these ACLs.
I agree that having to get these ACLs set up is a royal pain. Which is precisely why I posted this. I want to make it easier so that developers can do the "right thing" and not run as administrator. There are a lot of organizations where the run as admin requirement would be a deal killer. Does your project use an MSI for deployment to staging and production servers? How do you configure the service account in your deployments? If there were a standalone VBS script, or a custom action for an MSI to set the ACLs would you use it?
Personally I don't fully understand the rationale behind the HTTP reservation system, except that since http.sys does allow multiple processes to bind to a single port with a different path, it makes some sense to allow applications to restrict who can use a particular URL. However I will forward your question on to some people and see if I can get you a more definitive answer.
Feel free to shoot me an email. sflanker (at) hotmail (dot) com.
I'm on Windows Vista and I tried to use your tool but I get the same error. Any other methods to do that?
And now I get an SDDL string format exception
Thank you for posting this Paul!
Your HttpNamespaceManager tool let me get around a problem that's been blocking me from running a WCF project that I've been working on.
(Most of the project was developed on a machine running the dev environment as admin, but I ran into the access rights issue when I brought it into my more secured environment and was running visual studio as a regular user.)
Just a note to anyone else making use of the tool... I received unhandled exceptions trying to run the tool as an unprivileged user, but it worked fine when I ran it as an administrator (which makes perfect sense..).
Sergiu, I'm sorry you're having trouble getting the tool to work. I recommend you look at the source code to understand more of what's going on. Or you could send me an exception message/stack trace of the exception you're receiving and I can try and debug it. My email is sflanker (at) hotmail (dot) com.
-Paul
very interesting, but I don't agree with you
Idetrorce
Idetrorce, do you mind elaborating on what you don't agree with?
Just wanted to say Hello to everyone.
Much to read and learn here, I'm sure I will enjoy !
Your tool saved my day. I was getting "HttpSetServiceConfiguration completed with 87" when using httpcfg. I don't have a clue what "87" means... I wasn't even sure if this was a problem or not. With your tool, I easily added the missing url. Thanks!
Thanks so much for posting this - absolutely and without doubt saved me hours of work.
This Tool ROCKS!!!!! Saved me from pulling out my few remaining hairs. Thanks!
I ran your tool and got an exception in SecurityIdentityFromWellKnownSid with the call to LookupAccountSid returning a blank string. I'm running on Windows XP SP2.
I tried running the .exe you included in the .ZIP file as well as building and running under VS 2008.