Windows – net use encountering “System error 67 has occurred.” when trying to map from script running as service

Tags: mapped-drive, networking, webdav, windows, windows-service

I have a service running on Windows Server 2008 R2, which requires access to a WebDAV mapped drive for copying file dependencies. Everything works when I run net use from the command prompt:

net use z: https://domain.com/webdav /user:thisuser passwd

or run my script, an Ant build script, from the command prompt:

<target name="mapdrive.developer" depends="checkmappeddrive" unless="mapped.drive.present">
    <antcall target="disconnect.mapped.drive" />
    <echo message="Mapping drive..." />
    <exec executable="net">
        <arg value="use" />
        <arg value="z:" />
        <arg value="https://test.com/plugins/servlet/confluence/default" />
        <arg value="/PERSISTENT:YES" />
        <arg value="/USER:xxxxx" />
        <arg value="xxxxx" />
    </exec>
</target>

Yes, it is an SSL/HTTPS WebDAV map. I'm aware of the system settings in the registry and have the WebClient, "Desktop Experience", installed. Everything works fine when logged in and running from the command prompt. However, if I take this script and spawn it from my build service, which runs as the Local System account, the command fails with the error: "System error 67 has occurred.". I've tried enabling 'Allow service to interact with desktop' and changing the 'Log on as' setting to a regular user. Neither worked. I've searched and found similar issues, with people having success mapping drives as a user but failing when run from scripts as a service, Local System account. What I can't find is a workaround, if any.

Anybody here find a working solution to this? Any info greatly appreciated.

Best Answer

Figured it out. You have to use UNC paths to copy from remote sources when running as a local service. Apparently, this was answered on Stack Overflow:

From http://msdn.microsoft.com/en-us/library/ms685143.aspx:

A service (or any process running in a different security context) that must access a remote resource should use the Universal Naming Convention (UNC) name to access the resource. The service must have appropriate privileges to access the resource. If a server-side service uses an RPC connection, delegation must be enabled on the remote server.

Drive letters are not global to the system. Each logon session receives its own set of drive letters from A to Z. Therefore, redirected drives cannot be shared between processes running under different user accounts. Moreover, a service (or any process running within its own logon session) cannot access the drive letters that were established within a different logon session.

A service should not directly access local or network resources through mapped drive letters, nor should it call the net use command to map drive letters at run time.

Drive letters won't work. So if you're copying files from WebDAV/HTTPS, with SSL enabled, you have to map the source using UNC:

net use https://test.net/plugins/servlet/confluence/default /user:user passwd

Then when you exec 'net use' you will see the following:

C:\Users\Administrator\test>net use
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
                       \\test.net@SSL\plugins\servlet\confluence\default
                                                Web Client Network
The command completed successfully.

I used robocopy to copy from the UNC:

robocopy \\test.net@SSL\plugins\servlet\confluence\default . /z /e
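
The answer's two commands folded back into the question's Ant build, as an added example that is not part of the original question or answer. The project, target and property names (`webdav.url`, `webdav.unc`, `webdav.user`, `webdav.password`, `copy.dest`) are hypothetical, and the host and path are the placeholders used above.

```xml
<project name="webdav-copy" default="copy.from.webdav">
    <!-- Hypothetical property names. Pass webdav.user and webdav.password
         at build time, e.g. with -D or a properties file. -->
    <property name="webdav.url"
              value="https://test.net/plugins/servlet/confluence/default" />
    <property name="webdav.unc"
              value="\\test.net@SSL\plugins\servlet\confluence\default" />
    <property name="copy.dest" value="${basedir}" />

    <target name="connect.webdav">
        <!-- No drive letter: the connection is made to the URL itself, inside
             the logon session of the account the service runs as. -->
        <exec executable="net" failonerror="true">
            <arg value="use" />
            <arg value="${webdav.url}" />
            <arg value="/USER:${webdav.user}" />
            <arg value="${webdav.password}" />
        </exec>
    </target>

    <target name="copy.from.webdav" depends="connect.webdav">
        <!-- robocopy returns non-zero on success (1 = files copied), so
             capture the code instead of using failonerror. -->
        <exec executable="robocopy" resultproperty="robocopy.rc">
            <arg value="${webdav.unc}" />
            <arg value="${copy.dest}" />
            <arg value="/z" />
            <arg value="/e" />
        </exec>
        <!-- Exit codes 0-7 are success or partial-success; 8 and above mean
             at least one copy failed. -->
        <fail message="robocopy failed with exit code ${robocopy.rc}">
            <condition>
                <not>
                    <matches string="${robocopy.rc}" pattern="^[0-7]$" />
                </not>
            </condition>
        </fail>
    </target>
</project>
```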