DPAPI Service Start access is denied

Martin

Hi,

Following the procedures for "How To: Use DPAPI (User Store) from ASP.NET
with Enterprise Services" from the Building Secure ASP.NET Applications PDF,
after installing the service, I try to start it, but get the error
"Services - Could not start the DPAPI Service server on Local Computer.
Error 5: Access is denied".

My OS is Windows XP Pro. The local account configured to run this service
has "Log on as a batch job" and "Log on locally" user rights as per the
instructions.

What's the problem?

Quick answer required, please

Thanks
Martin
 
Martin

It works if I make the local dpapi account a member of local administrators,
so there's nothing wrong with the code. I guess this is another security
policy I need to set, but don't know which one.

????

Martin
 
Nicole Calinoiu

I cannot reproduce the problem under Windows XP SP2. A few questions:

1. Have you deviated in any way from the procedure described in that
document?
2. Of what group(s) is the local account a member?
3. Is this happening on your dev machine or another machine on which you've
installed the service?
4. Prior to attempting to start the service, did you log on with the
account credentials in order to create a profile for it?
 
Martin

Hi Nicole,

Please see my answers below. I am using Windows XP SP1. Is there a way I
can get further detail on what access is being denied to what resource?

Thanks for your help
Martin

Nicole Calinoiu said:
I cannot reproduce the problem under Windows XP SP2. A few questions:

1. Have you deviated in any way from the procedure described in that
document?
I don't believe so, but how can I be sure? As I say the code works if the
account is in local admins.
2. Of what group(s) is the local account a member?
Users

3. Is this happening on your dev machine or another machine on which you've
installed the service?
My dev machine
4. Prior to attempting to start the service, did you log on with the
account credentials in order to create a profile for it?
Yes, but I didn't stay logged on very long. How can I show that the profile
is created? C:\Documents and Settings has a local sub dir for this user.
 
Nicole Calinoiu

Martin,

If you've really followed the steps properly, then I'm a bit stumped. Here
are a few things to try:

1. Check if the user you want to use to launch the service actually has
permissions to run the service executable and the DLLs. If not, adjust the
ACLs to allow this.

2. If #1 doesn't help, turn on audit logging of all access failures. To do
this, launch the "Local Security Settings" mmc, then ensure that failure
audit logging is enabled for every policy under Security Settings\Local
Policies\Audit Policy. Once this is done, try launching the service again,
then check the event log to see if any failures were logged due to the
attempt.

3. If #1 doesn't help, the only thing I can think of is to start over from
scratch (new VStudio projects, new user, etc.) to ensure that you are
actually following the procedure exactly.

HTH,
Nicole
 
Martin

Nicole,

My local account didn't have access to the dlls and exe. The basic service
runs now I have given the account read and execute permissions. I haven't
done any other testing or completed the last steps of the how to yet, but I
am over that hurdle.

Thanks very much for your help.

Martin
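
The check that resolved this thread (does the service account have read and execute rights on the service executable and its DLLs?) can be scripted. The following is an added example, not part of the original posts or of the How To document; it assumes a current Windows system with PowerShell 3 or later, and the service name and account name are hypothetical placeholders.

```powershell
# Added example: list service binaries on which the service account lacks Read & Execute.
# Assumptions: $ServiceName and the account in $Identities are placeholders. $Identities
# must name the account AND every group it belongs to, because ACL entries often grant
# access through a group (the account in this thread was a member of Users only).
param(
    [string]$ServiceName  = 'DPAPIService',                        # hypothetical service name
    [string[]]$Identities = @("$env:COMPUTERNAME\dpapiAccount",    # hypothetical local account
                              'BUILTIN\Users', 'Everyone',
                              'NT AUTHORITY\Authenticated Users')
)

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

# PathName may be quoted and may carry arguments; keep only the executable path.
if ($svc.PathName -notmatch '^\s*"?(.+?\.exe)"?') {
    throw "Cannot parse executable path from '$($svc.PathName)'."
}
$exe  = $Matches[1]
$dir  = Split-Path -Path $exe -Parent
$need = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# The service host and the assemblies it loads normally sit in the same directory.
$files = Get-ChildItem -Path $dir -File |
    Where-Object { $_.Extension -in '.exe', '.dll' }

foreach ($f in $files) {
    # Keep only the ACL entries that apply to the account or one of its groups.
    $rules = (Get-Acl -Path $f.FullName).Access |
        Where-Object { $Identities -contains $_.IdentityReference.Value }

    $allowed = 0
    $denied  = 0
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int]$r.FileSystemRights
        } else {
            $denied = $denied -bor [int]$r.FileSystemRights
        }
    }

    # Deny entries override Allow entries; compare explicit file-rights bits only.
    $effective = $allowed -band (-bnot $denied)
    [pscustomobject]@{
        File           = $f.Name
        ReadAndExecute = (($effective -band $need) -eq $need)
    }
}
```

Any file reported with `ReadAndExecute` set to `False` is a candidate for the "Error 5: Access is denied" failure at service start; granting the account read and execute on those files is a narrower fix than adding it to the local Administrators group.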
 
