I'm a .NET developer working on a project that contains multiple WCF services. Some automated tests try to host these services, but when I don't run the tests with administrative privileges, those tests fail with the following error:
System.ServiceModel.AddressAccessDeniedException : HTTP could not register
URL http://+:45566/SomeService/. Your process does not have access rights to this namespace
(see http://go.microsoft.com/fwlink/?LinkId=70353 for details).
----> System.Net.HttpListenerException : Access is denied
Following the provided link, it appears I have to give myself (a normal domain user) some sort of access right using the netsh command as follows:
netsh http add urlacl url=http://+:45566/SomeService user=DOMAIN\me
Unfortunately, there seems to be no way (that I can find) to use wildcards for the port or the relative URL parts, in order to grant myself access to everything on the localhost for example.
Hence my question: what the heck is this ACL, and can I find it in a file or something in order to manipulate it more easily?
Even better: since the local administrator account seems to have access rights by default, could I somehow tell whatever system is behind this to just shut up and let me do my work?
Best Answer
Each URL access control list (ACL) reserves a portion of the HTTP URL namespace for a particular group of users. The reservation gives those users the right to create services that listen on that portion of the namespace. See https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/configuring-http-and-https for further information on namespace reservations.
You can find and manipulate all the defined URL ACLs in the registry.
If you have added a URL ACL using the command:
You can query the registry entry for this URL ACL with:
The value of the registry key is a binary security descriptor. You can convert the binary SD to an SDDL string using a helper method of the WMI class Win32_SecurityDescriptorHelper:
And convert the SDDL string back to binary SD:
You can add another URL ACL to the registry:
And it can be seen in the netsh command:
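The following is an added example, not part of the original answer: it decodes URL ACL security descriptors and flags reservations granted to broad groups, which is the check to run before widening reservations beyond a single test URL. The registry path, the list of "broad" SIDs and the helper name `Get-UrlAclFinding` are assumptions of this example; it uses the .NET `RawSecurityDescriptor` class rather than the WMI helper mentioned above.

```powershell
# Added example. Assumption: HTTP.sys keeps each reservation as a REG_BINARY
# value (value name = URL prefix) under this key.
$UrlAclKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo'

# Well-known SIDs that effectively open a prefix to every local user.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$GenericExecute = 0x20000000   # GX: netsh reports "Listen: Yes"
$GenericWrite   = 0x40000000   # GW: netsh reports "Delegate: Yes"

# Hypothetical helper: decode one binary security descriptor into one row per allow ACE.
function Get-UrlAclFinding {
    param([string]$Url, [byte[]]$BinarySD)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($BinarySD, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        [pscustomobject]@{
            Url      = $Url
            Sid      = $sid
            Listen   = [bool]($ace.AccessMask -band $GenericExecute)
            Delegate = [bool]($ace.AccessMask -band $GenericWrite)
            Broad    = $BroadSids.ContainsKey($sid)
            Sddl     = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
        }
    }
}

# Constructed sample: the question's URL with a descriptor granting Listen to Everyone (WD).
$sample = [System.Security.AccessControl.RawSecurityDescriptor]::new('D:(A;;GX;;;WD)')
$bytes  = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($bytes, 0)
Get-UrlAclFinding -Url 'http://+:45566/SomeService/' -BinarySD $bytes

# Live audit: list only the reservations on this machine that are held by a broad group.
if (Test-Path $UrlAclKey) {
    $key = Get-Item $UrlAclKey
    $key.GetValueNames() | ForEach-Object {
        $value = $key.GetValue($_)
        if ($value -is [byte[]]) { Get-UrlAclFinding -Url $_ -BinarySD $value }
    } | Where-Object Broad
}
```

A row with both `Broad` and `Listen` true marks a prefix that any account in that group can bind a listener to, so it is worth reviewing on developer and build machines.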