AddressAccessDeniedException: HTTP could not register URL http://+:8080/<…>.

Published 04 May 07 03:04 PM | paulwh 

A while back, when I was first doing WCF development I ran into the following exception:

AddressAccessDeniedException: HTTP could not register URL http://+:8080/<…>.  Your process does not have access rights to this namespace.

The exception message included a link to an MSDN article that explained the concept of HTTP Namespace Reservations. Unfortunately the page suggests using an outdated, and not very user friendly tool called HttpCfg.exe to set up the namespace reservations. Even more unfortunate is the fact that this tool requires the user to enter a Security Descriptor Definition Language (SDDL) string by hand. Now, while I do enjoy the fact that I can now consider myself a member of the relatively small club of people that can read and write SDDL strings, this was not something I was especially excited about taking time away from the project at hand to do. Unfortunately search for help on the internet yielded more hurt than help.

What Not To Do

Upon performing my internet search, I ran straight into Mark Michaelis' post Windows Communication Foundation with Windows Vista and UAC. Now, generally speaking, I like Mark a lot, and he post a lot of good stuff on his blog. However, I am ethically opposed to what he is suggesting in his blog. Adding a manifest to your app to force elevation in Windows Vista is absolutely not what you should do! If you have a web serivce that has to run as Administrator then you are doing something wrong. In fact I hope you aren't even running as an Administrator account when you're developing (although aparently the Visual Studio team doesn't agree with me).

What To Do

Option 1: If you're on Windows Vista, you can use netsh. Nicholas Allen has details on his blog, as does Kenny Wolf.

Option 2: If you're not on Vista, or you want to set permissions as part of the setup process, take a look at the source code Keith Brown has posted on his blog.

Option 3: If you want a GUI based on C# code similar to that on Keith's blog, with a more flexible SDDL object model, then check out my tool, HttpNamespaceManager.

HttpNamespaceManager

This is not an official Microsoft tool, and should be considered sample code (see disclaimer below).

HttpNamespaceManager is available  as either source code or an executable (both are in the attached zip file). It is licensed under the creative commons attribution license and is free to use, modify, and redistribute for commercial or non-commercial purposes. The project is divided into an API for managing HTTP Namespaces, including an object model for ACLs and Security Descriptors, and a UI with automatic elevation in Windows Vista for operations that require administrative privledge.

Requires .Net Framework 3.0 to run. Visual Studio 2005 & .Net Framework 3.0 to build.

Http Namespace Manager

This screen shot shows the start page of the Http Namespace Manager. All of the actions (Add/Edit/Remove) require elevation. Double clicking an item is the same as clicking the Edit button. The Remove button removes the entry permanently and without confirmation, so use caution.

Http Namespace Manager - Add

When the Add button is clicked an input box is displayed in which the HTTP Namespace URL should be entered.

Http Namespace Manager - Edit

When the Edit button is clicked the following dialog is displayed. You must select a user or group in the top half of the form in order to set the permissions for it.

Disclaimer

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Attachment(s): HttpNamespaceManager.zip

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# MichaelGiagnocavo said on May 4, 2007 8:26 PM:

Why does MS have this model for http.sys in the first place? You can bind a socket to an open port as a non-admin, you just can't use the Windows http code to do.

I can understand if your code is trying to use a port used by another application, and "hide" somewhere, i.e. http://server:80/secret/. But if you are doing a "full" bind to a port (i.e., "http://server:80/"), then it should treat it as the same as if you just bound a socket to that port (and not allow any other apps to access that port either). What am I missing here? The only thing I can think of is that some firewalls might not be able to figure out that Malware.exe is listening to port 8080 and not http.sys.

It is such a pain to have to deal with these ACLs. For WCF, we usually just don't use HTTP bindings (since netTcp doesn't have this issue). If we have to expose via HTTP outside of IIS, then yea, we make that app run as local admin. Sucks, but it's more manageable than having to make sure every machine (development, testing, staging, production) has these ACLs.

# paulwh said on May 4, 2007 9:15 PM:

I agree that having to get these ACLs set up is a royal pain. Which is precisely why I posted this. I want to make it easier so that developers can do the "right thing" and not run as administrator. There are a lot of organizations where the run as admin requirement would be a deal killer. Does your project use an MSI for deployment to staging and production servers? How do you configure the service account in your deployments? If there were a standalone VBS script, or a custom action for an MSI to set the ACLs would you use it?

Personally I don't fully understand the rationale behind the HTTP reservation system, except that since http.sys does all multiple processes to bind to a single port with a different path, it makes some sense to allow applications to restrict who can use a particular URL. However I will forward your question on to some people and see if I can get you a more difinitive answer.

Feel free to shoot me an email. sflanker (at) hotmail (dot) com.

# Sergiu said on October 24, 2007 5:04 AM:

I'm on Windows Vista and i tryed to use you're tool but i get the same error. Any other methods to do that?

# Sergiu said on October 24, 2007 5:06 AM:

Nad now i get a SDDL string format exception

# Peter Bernier said on November 5, 2007 1:00 PM:

Thank you for posting this Paul!

Your HttpNamespaceManager tool let me get around a problem that's been blocking me from running a WCF project that I've been working on.

(Most of the project was developed on a machine running the dev environment as admin, but I ran into the access rights issue when I brought it into my more secured environment and was running visual studio as a regular user.)

Just a note to anyone else making us of the tool...  I received unhandled exceptions trying to run the tool as an unprivileged user, but it worked fine when I ran is as an administrator (which makes perfect sense..).

# paulwh said on December 9, 2007 9:30 PM:

Sergiu, I'm sorry you're having trouble getting the tool to work. I recommend you look at the source code to understand more of what's going on. Or you could send me a exception message/stack trace of the exception you're receiving and I can try and debug it. My email is sflanker (at) hotmail (dot) com.

-Paul

# Idetrorce said on December 15, 2007 6:58 AM:

very interesting, but I don't agree with you

Idetrorce

# paulwh said on December 16, 2007 2:51 PM:

Idetrorce, do you mind elaborating on what you don't agree with?

-Paul

# The Trainer said on March 3, 2008 11:07 AM:

One time I was playing with some of the Hands-on-Labs of Visual Studio 2008 Training kit then I&#39;ve

# Sensbachtal said on March 17, 2008 7:31 PM:

Just wanted to say Hello to everyone.

Much to read and learn here, I'm sure I will enjoy !

# Team Individualism said on March 26, 2008 7:56 PM:

Yesterday I presented to one of my financial services customers in the city on an overview of what's

# Rui Covelo said on April 4, 2008 12:08 PM:

Your tool saved my day. I was getting "HttpSetServiceConfiguration completed with 87" when using httpcfg. I don't have a clue what "87" means... I wasn't even sure if this was a problem or not. With your tool, I easily added the missing url. Thanks!

# Bob W said on June 10, 2008 2:25 PM:

Thanks so much for posting this - absolutely and without doubt saved me hours of work.

# Chris D said on July 3, 2008 7:32 PM:

This Tool ROCKS!!!!!  Saved me from pulling out my few remaining hairs.  Thanks!

# Chad Knudson said on August 4, 2008 10:39 AM:

I ran your tool and got an exception in SecurityIdentityFromWellKnownSid with the call to LookupAccountSid returning a blank string.  I'm running on Windows XP SP2.

I tried running the .exe you included in the .ZIP file as well as building and running under VS 2008.

# devidblein said on August 8, 2008 2:57 AM:

����������!

http://www.youtube.com/watch?v=WkjTeN6jGTk

# VistaSucks - Go Windows Server 2008 said on August 27, 2008 10:52 PM:

This tool works great on Windows Server 2008. Thanks for posting it.

# cruizer said on October 7, 2008 12:17 AM:

A project our team (in my employer) has been working on for a good number of months now makes extensive

# cruizer said on October 7, 2008 12:22 AM:

A project our team (in my employer) has been working on for a good number of months now makes extensive

# cruizer said on October 7, 2008 12:27 AM:

A project our team (in my employer) has been working on for a good number of months now makes extensive

# cruizer said on October 7, 2008 1:12 AM:

A project our team (in my employer) has been working on for a good number of months now makes extensive

# Pierre said on October 22, 2008 3:12 AM:

I was in an http Wcf endpoint hosted by a windows service scenario, stucked by the "HTTP could not register URL" error. Your post saved me.

It works great on XP sp2 and Win 2003.

Thank you.

# jester said on November 7, 2008 8:41 AM:

thanks bro'. great work. sorted me out straight away.

# Anonymous said on November 12, 2008 4:55 PM:

This tool doesn't work under vista with the user logged in as a non-administrator

# Fatih Boy said on November 19, 2008 4:29 PM:

Thanks for your tool. When i try to run your application i got "Invalid ACE String Format" exception.

So i just take a look at its source code. I would like to suggest following changes to make it culture invariant.

File : AccessControlEntry.cs

Line : 160

From : Regex aceRegex = new Regex(aceExpr, RegexOptions.IgnoreCase);

To   : Regex aceRegex = new Regex(aceExpr, RegexOptions.IgnoreCase|RegexOptions.CultureInvariant);

File : Program.cs

Line : 25

From : Regex actionRegex = new Regex(@"(-|--|/)(?'action'ad?d?|ed?i?t?|re?m?o?v?e?)", RegexOptions.IgnoreCase);

To   : Regex actionRegex = new Regex(@"(-|--|/)(?'action'ad?d?|ed?i?t?|re?m?o?v?e?)", RegexOptions.IgnoreCase|RegexOptions.CultureInvariant);

File : AccessControlList.cs

Line : 78

From : Regex aclRegex = new Regex(AccessControlList.aclExpr, RegexOptions.IgnoreCase);

To   : Regex aclRegex = new Regex(AccessControlList.aclExpr, RegexOptions.IgnoreCase|RegexOptions.CultureInvariant);

File : SecurityDescription

Line : 116

From : Regex sddlRegex = new Regex(SecurityDescriptor.sddlExpr, RegexOptions.IgnoreCase);

To   : Regex sddlRegex = new Regex(SecurityDescriptor.sddlExpr, RegexOptions.IgnoreCase|RegexOptions.CultureInvariant);

Feel free to contact. fatih (at) enterprisecoding (dot) com.

# Dani said on November 27, 2008 7:08 AM:

one thing I don't understand - my wizard created WCF project didn't need to use this tool, a service that I've created from scratch had this rights problem.

what MS do with the wizard that bypass this thing ?

# Anirban Chakladar|Blog said on December 29, 2008 12:48 PM:

While working with WCF services over HTTP you may come across this error: HTTP could not register URL

# Todd said on January 5, 2009 9:48 AM:

Awesome utility.  Saved a lot o hairs from being pulled from my head.

# Bus tickets said on March 6, 2009 10:24 PM:

Why are they making so complicated for following just one sample code from someone. Almost all samples from MSDN talk about http://loca:8000 and then everyone is hit by the same error and there is no easy way to fix it.

I tried to run your code on Windows XP3 and it is giving me Parameter is incorrect exception. It is letting me add the user, checks the box but once i click OK button it gives an exception.

Thanks,

# Thomasek said on March 31, 2009 9:23 AM:

Hello everybody,

thanks for a useful tool. I still get the "Parameter is incorrect" exception when trying to register an URL with containing star convention (e.g. http:///+.80/Test/). If I try to register a complete URI (http://localhost:80/Test/), the HttpNamespaceManager succeeds.

I'm running Windows XP SP3. Have you found a solution for this?

T

Thanks,

Tomas

# matt said on May 19, 2009 1:42 PM:

HttpSysConfig seems to be a better tool: smaller KBytes, fewer bugs and a better UI

If you use HttpNamespaceManager, don't delete all the entries! It screws the app up and you can't add any/it crashes upon startup

# matt said on May 19, 2009 1:44 PM:

@thomasek:

Your url:

http:///+.80/Test/

Has too many slashes after http and a period instead of a colon delimiting the host/port. Use HttpSysConfig instead; it's more guided

# Joel said on July 9, 2009 4:08 PM:

HttpSysConfig has a big advantage over the tool available on this page, it runs in Windows XP.

Leave a Comment

(required) 
(optional)
(required) 

About paulwh

I'm a Microsoft alumn since September 2007. At Microsoft I worked in the Connected Systems Division building applications using Windows Communication Foundation. I'm now working for a start up called Positronic in downtown Seattle.
Page view tracker