48

Is it possible for a self-hosted OWIN Web API to run under a non-administrator account? I have already tried dozens of url reservations and nothing works. The service fails to start with "Access is denied". It works when the account is added to the administrator role but I don't want that. Code below is running on Win 7 framework 4.5.2.

```csharp
// install-package microsoft.owin.hosting
// install-package Microsoft.Owin.Host.HttpListener

StartOptions options = new StartOptions();
options.Urls.Add("http://localhost:5000/");
//options.Urls.Add(string.Format("http://{0}:5000", Environment.MachineName));
//options.Urls.Add("http://+:5000/");
//options.Urls.Add("http://*:5000/");

using (WebApp.Start<WebAPISelfHostMinimal.Startup>(options))
{
    while (!Terminate)
    {
        await Task.Delay(10); // keep CPU from getting pegged
    }

    LogUtil.LogInfo("Terminating owin host.");
}
```

EDIT - this is running under a Windows account.

```
C:\>netsh http add urlacl http://+:5000/ user=mini2012\svcAPI

URL reservation successfully added

C:\>sc start apiservice
[SC] StartService FAILED 5:

Access is denied.

C:\>netsh http add urlacl http://*:5000/ user=mini2012\svcAPI

URL reservation successfully added

C:\>sc start apiservice
[SC] StartService FAILED 5:

Access is denied.

C:\>netsh http add urlacl http://localhost:5000/ user=mini2012\svcAPI

URL reservation successfully added

C:\>sc start apiservice
[SC] StartService FAILED 5:

Access is denied.
```

Colin Superdog
  • 1
    My service runs fine under the "Local Service" account. When I switched to "Network Service" I started to get access denied. I tried many different options of `netsh http add urlacl` with a "+" sign - nothing worked. Only when I switched from "+" to "*" like so: `netsh http add urlacl url=http://*:80/tms user="NT AUTHORITY\Network Service"` did it finally work! Does anybody know the difference between the "*" and the "+" in this context? – Greg Z. Jun 12 '15 at 20:08

4 Answers

18

It looks like the problem was with the URL reservation. I didn't need one. If there is a URL reservation, it will just prevent the OWIN host from starting with the access denied error. Also, the default port for the OWIN host is 5000. If there is a "dead" process that is still running on that port, it will block your service from starting. To check, you can run `netstat -a -b` at the command prompt.

viggity
Colin Superdog
  • 2
    The most important part of the answer is in the *EDIT* part of your question, i.e. changing the URL ACL. Why don't you put that part also in your answer. I'd upvote the edited answer, because that's really the interesting information in this Q&A – JotaBe Dec 22 '14 at 18:35
  • 5
    in my case it worked only if I registered the exact same url as I had it in the code that was `url=http://localhost:1981/` – t3chb0t Jun 04 '16 at 16:39
  • 1
    In my case, I had to run `netsh http add urlacl url=http://+:8088/ user=MyUser` AND provide the following parameter to the Start method: `WebApp.Start("http://+:8088/")` – Absolom Aug 29 '16 at 19:12
  • Key piece of information from the solution above in my case, was "If there is a URL reservation, it will just prevent the owin host from starting with the access denied error." I had created URL reservations for previous tests (not using OWIN), so my attempts to "fix" the reservation only created personal confusion; delete the reservation. Thanks viggity and Colin – Greg Terrell Aug 06 '17 at 17:38
  • Localhost seems to be a special case. You must give specific permission to localhost even if you have added "http://+:8088". You must also add "http://localhost:8088" if that is what you have in your options settings. – Paul Apr 22 '20 at 22:53
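
Added example (not part of the original answers or comments): a PowerShell check that compares the prefix the code listens on against the reservations printed by `netsh http show urlacl`, to spot the stale or mismatched reservations this answer and its comments describe, and to flag reservations open to `\Everyone`. The sample output is constructed, the function names are hypothetical, and the matching rule (same scheme, host token and port, reserved path a prefix of the listener path) is a simplification of how HTTP.sys resolves reservations.

```powershell
# Constructed sample in the layout printed by `netsh http show urlacl` (not from the page).
# On a real host use instead: $raw = netsh http show urlacl | Out-String
$raw = @'
    Reserved URL            : http://+:5000/
        User: MINI2012\svcAPI
            Listen: Yes
            Delegate: No

    Reserved URL            : http://*:5000/
        User: \Everyone
            Listen: Yes
            Delegate: No
'@
$urlPattern = '^(https?)://([^/:]+):(\d+)(/.*)$'   # scheme, host token, port, path

function Get-UrlAcl([string]$Text) {
    # Collect each "Reserved URL" together with the "User:" lines that follow it.
    $entries = @()
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $entries += [pscustomobject]@{ Url = $Matches[1]; Users = @() }
        } elseif ($entries.Count -gt 0 -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $entries[-1].Users += $Matches[1]
        }
    }
    $entries
}

function Test-ListenerPrefix([string]$Prefix, [string]$Account, [object[]]$Acl) {
    if ($Prefix -notmatch $urlPattern) { throw "Prefix needs scheme, host, port and path: $Prefix" }
    $scheme = $Matches[1]; $hostToken = $Matches[2]; $port = $Matches[3]; $path = $Matches[4]
    foreach ($e in $Acl) {
        # Only reservations on the listener's port are relevant.
        if ($e.Url -notmatch $urlPattern -or $Matches[3] -ne $port) { continue }
        $covers = $Matches[1] -eq $scheme -and $Matches[2] -eq $hostToken -and
                  $path.StartsWith($Matches[4], [StringComparison]::OrdinalIgnoreCase)
        $granted = @($e.Users | Where-Object { $_ -eq $Account }).Count -gt 0
        if ($covers -and $granted) { $status = 'MATCH' }
        elseif ($covers) { $status = 'DENIED: reserved for another account' }
        else { $status = 'DIFFERENT HOST TOKEN, SAME PORT: review, delete if stale' }
        [pscustomobject]@{ Url = $e.Url; Users = $e.Users -join ', '; Status = $status
                           OpenToEveryone = $e.Users -contains '\Everyone' }
    }
}

$acl = Get-UrlAcl $raw
Test-ListenerPrefix 'http://localhost:5000/' 'mini2012\svcAPI' $acl | Format-Table -AutoSize
Test-ListenerPrefix 'http://+:5000/' 'mini2012\svcAPI' $acl | Format-Table -AutoSize
```

A reservation reported as open to `\Everyone` lets any local account listen on that prefix, so it is worth narrowing to the service account once the listener prefix and reservation agree.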
5

Your service is running (most likely) under the LocalSystem (SYSTEM) account. This account is not in the Everyone security principal.

In short, to solve this, either make the namespace reservation for Anonymous Logon or change your service to run under the Network Service account which happens to be in the Everyone principal.

Third option is, of course, to create a new local/domain user, create the reservation for it and have the service run under this account. But then you'd have to worry about setting proper security permissions for it, so I'd go with one of the first two options.

Marcel N.
  • Thanks. I updated the question to note that a Windows account is required. – Colin Superdog Jul 27 '14 at 14:45
  • what about access denied happening in TFS, I enabled continuous integration and it fails because of this?, it runs fine on localhost making the changes above but I don't know how to make it run on tfs – General Electric Apr 21 '16 at 18:32
  • @JGEstevez: I don't know under which account TFS runs the service. Can you check? Must be the same issue, just a matter of finding out the account. – Marcel N. Apr 21 '16 at 18:37
  • @MarcelN. is the online TFS on Visual Studio Team Services, could it be the account of the developer who checked in the code? This is the error on the TFS log Assembly Initialization method API.Tests.Integration.Initialize.SetUp threw exception. System.Reflection.TargetInvocationException: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.HttpListenerException: Access is denied. Aborting test execution. – General Electric Apr 21 '16 at 18:51
3

Run this command line under admin

```
netsh http add urlacl url=http://*:8080/ user=MyUser
```

-1

For someone who is looking for a solution and didn't read the text.

The solution is to run Visual Studio as administrator.

Mo D Genesis
  • 1
    That's not a solution, it's a workaround. If this was a winforms app then the app would need to be run in admin all the time. Same with a console app, and even services if they are run under a specific account. – Tony Cheetham Mar 24 '21 at 14:42
  • You could have the api running on another computer / program instance which runs it as administrator. But if you want them mixed together then another solution is required. – Mo D Genesis Mar 25 '21 at 08:20
  • The original question was how to run it as non-admin, so "just run as admin" is not an answer. – Nick Apr 13 '21 at 10:22