Debugging WCF services using non-admin account on Windows XP SP2


If you are using a non-admin account on your computer to develop WCF services, you may have run into a problem trying to debug HTTP services locally. Using HTTP endpoints requires the user account to have a special permission to “reserve” a namespace (i.e. a URL). If account doesn’t have the permission, WCF service will fail at startup. The same problem will happen if you deploy the service to run under a limited account such as LocalService or NetworkService.

There is a good article on MSDN on how to grant this permission to a user account. Unfortunately, the instructions it provides assume you are already familiar with SIDs, ACL syntax and httpcfg. Neither was true in my case and I spent about an hour over two different attempts trying to figure it out. Here is what finally worked on Windows XP SP2 system:

  • Install Windows XP SP2 support tools from windows setup CD. You can also download here.
  • Use whoami tool from support tools to determine SID of the local “VS Developers” group on your computer 
C:\>whoami /user /groups /sid
[User]     = "MYDOMAIN\myaccount"  S-1-5-21-111111-222222-333333-44444
[Group  1] = ""  S-1-5-21-111111-222222-333333-444
[Group  2] = "Everyone"  S-1-1-0
[Group  3] = "MYCOMPUTER\Debugger Users"  S-1-5-21-555555-666666-777777-1008
[Group  4] = "MYCOMPUTER\VS Developers"  S-1-5-21-555555-666666-777777-1009
[Group  5] = "BUILTIN\Users"  S-1-5-32-545
[Group  6] = "NT AUTHORITY\INTERACTIVE"  S-1-5-4
[Group  7] = "NT AUTHORITY\Authenticated Users"  S-1-5-11
  • Use httpcfg tool from support tools to grant permission to reserve any URL to “VS Developers” group 
C:\>httpcfg set urlacl -u http://+:8080/ -a "D:(A;;GX;;;S-1-5-21-555555-666666-777777-1009)"
HttpSetServiceConfiguration completed with 0.

SIDs in the examples above have been modified, values on your computer will be different. You will need to copy SID of the VS Developers group from the whoami output and paste it into httpcfg command line. You will need to run these commands as local administrator. After that, you should be able to run and debug WCF HTTP services under any non-admin account which is a member of the "VS Developers" group.

Information and Links

Information
July 29th, 2007
One Response
Feeds and Links
Comment Feed
DotNetKicks
Del.icio.us
Digg
Technorati
Categories
Uncategorized

Other Posts
DebugExe command-line switch in Visual Studio
Fiddler by Eric Lawrence

Write a Comment

Take a moment to comment and tell us what you think. Some basic HTML is allowed for formatting.

Reader Comments

Comment Number:
1
Written by:
Oleg Sych
Posted on:
April 14, 2008 at 12:19 pm

Nicholas Allen has a great post that shows how to do this on Vista - Configuring HTTP for Windows Vista