Enabling Port Sharing on a DC requires Admin privileges?

Hi,

We have a WCF service that uses port sharing through the Net.Tcp Port
Sharing Service. This works well on non-DC computers when the WCF service is
run as a non-Domain Admin user. When we run the WCF service on a DC, we find
that the user running the service has to be a member of the Domain Admins
group to run successfully. If the service runs as a non-Domain Admin user
then this only works when Port Sharing is not used.

The error message we get when trying to use port sharing as a non-Domain
Admin is:
FATAL Exception: The TransportManager failed to listen on the supplied Uri
using the NetTcpPortSharing service: failed to read the service's endpoint
(5).

The Net.Tcp Port Sharing Service is running as Local Service (the default).
We're assuming that somehow, on a DC, the Net.Tcp service is unable to assign
the pass the endpoint over to the WCF service unless the WCF service is a
Domain Admin.

We really don't want the WCF service to have to run as a member of Domain
Admins. Is there some permission or policy we need to set to allow port
sharing for services that aren't running with Domain Admin privilege?

Thanks,

Corvil Howells
Telvent

So I've found the solution through other channels. For those who have the
same problem:

- Edit C:\WINDOWS\WinFX\v3.0\Windows Communication
Foundation\SMSvcHost.exe.config and add the following config section:

<configuration>
<system.serviceModel.activation>
<net.tcp>
<allowAccounts>
<add securityIdentifier="S-1-5-your sid here"/>
</allowAccounts>
</net.tcp>
</system.serviceModel.activation>
.....
</configuration>

Basically, replace "S-1-5-your sid here" with the SID of the non-domain
admin group/user that you want to be able to use for running the WCF service
on the DC.

This seemed to work fine for us.

Corvil Howells
Telvent

"TelventRTD" wrote:

> Hi,
>
> We have a WCF service that uses port sharing through the Net.Tcp Port
> Sharing Service. This works well on non-DC computers when the WCF service is
> run as a non-Domain Admin user. When we run the WCF service on a DC, we find
> that the user running the service has to be a member of the Domain Admins
> group to run successfully. If the service runs as a non-Domain Admin user
> then this only works when Port Sharing is not used.
>
> The error message we get when trying to use port sharing as a non-Domain
> Admin is:
> FATAL Exception: The TransportManager failed to listen on the supplied Uri
> using the NetTcpPortSharing service: failed to read the service's endpoint
> (5).
>
> The Net.Tcp Port Sharing Service is running as Local Service (the default).
> We're assuming that somehow, on a DC, the Net.Tcp service is unable to assign
> the pass the endpoint over to the WCF service unless the WCF service is a
> Domain Admin.
>
> We really don't want the WCF service to have to run as a member of Domain
> Admins. Is there some permission or policy we need to set to allow port
> sharing for services that aren't running with Domain Admin privilege?
>
> Thanks,
>
> Corvil Howells
> Telvent