我有一个在域服务帐户下运行的NServiceBus 3.0发布者。发布者没有外部依赖项,本地唯一的依赖项是输入队列和ravendb。
我已授予服务帐户对输入队列的完全控制权。
当我将服务帐户添加到本地管理员组时,服务启动正常。如果我从本地管理员中删除服务帐户,则在启动时系统日志中出现错误:
The BlahBlahBlah service failed to start due to the following error:
Access is denied.
如果我查看安全日志,则会写入以下4个条目:
条目1:
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: MYSERVER$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon GUID: {a224c91b-adce-3a5b-ca32-32265f073d2b}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x1ec
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
条目2:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: MYSERVER$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Logon GUID: {a224c91b-adce-3a5b-ca32-32265f073d2b}
Process Information:
Process ID: 0x1ec
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: MYSERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
条目3:
Special privileges assigned to new logon.
Subject:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Privileges: SeImpersonatePrivilege
条目4:
帐户已注销。
Subject:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Logon Type: 5
在服务启动期间记录所有条目。
我的问题是,如果没有本地管理员中的服务帐户,我需要设置显式权限才能启动此服务?
答案 0 :(得分:1)
这仍然没有解决,因此我们必须向我们的服务帐户授予本地管理员权限。幸运的是,这只是在我们的集成环境中,我们在生产中没有遇到这个问题。