Running self-hosted OWIN Web API under non-admin account

C#.Netasp.net Web-ApiOwin

C# Problem Overview

Is it possible for a self-hosted OWIN Web API to run under a non-administrator account? I have already tried dozens of url reservations and nothing works. The service fails to start with "Access is denied". It works when the account is added to the administrator role but I don't want that. Code below is running on Win 7 framework 4.5.2.

//install-package microsoft.owin.hosting
//install-package Microsoft.Owin.Host.HttpListener

StartOptions options = new StartOptions();
options.Urls.Add("http://localhost:5000/");
//options.Urls.Add(string.Format("http://{0}:5000", Environment.MachineName));
//options.Urls.Add("http://+:5000/");
//options.Urls.Add("http://*:5000/");

using (WebApp.Start<WebAPISelfHostMinimal.Startup>(options))
{
    while (!Terminate)
    {
        await Task.Delay(10); //keep cpu from getting pegged
    }

    LogUtil.LogInfo("Terminating owin host.");
}

EDIT - this is running under a Windows account.

C:\>netsh http add urlacl http://+:5000/ user=mini2012\svcAPI

URL reservation successfully added

C:\>sc start apiservice
[SC] StartService FAILED 5:

Access is denied.

C:\>netsh http add urlacl http://*:5000/ user=mini2012\svcAPI

URL reservation successfully added

C:\>sc start apiservice
[SC] StartService FAILED 5:

Access is denied.

C:\>netsh http add urlacl http://localhost:5000/ user=mini2012\svcAPI

URL reservation successfully added

C:\>sc start apiservice
[SC] StartService FAILED 5:

Access is denied.

C# Solutions

Solution 1 - C#

It looks like the problem was with the URL reservation. I didn't need one. If there is a URL reservation, it will just prevent the owin host from starting with the access denied error. Also, the default port for owin host is 5000. If there is a "dead" process that is still running on that port, it will block your service from starting. To check you can run netstat -a -b at the command prompt.

Solution 2 - C#

Your service is running (most likely) under the LocalSystem (SYSTEM) account. This account is not in the Everyone security principal.

In short, to solve this, either make the namespace reservation for Anonymous Logon or change your service to run under the Network Service account which happens to be in the Everyone principal.

Third option is, of course, to create a new local/domain user, create the reservation for it and have the service run under this account. But then you'd have to worry about setting proper security permissions for it, so I'd go with one of the first two options.

Solution 3 - C#

Run this command line under admin

> netsh http add urlacl url=http://*:8080/ user=MyUser

Categories
Recommended C# Solutions
Recommended .Net Solutions
Recommended asp.net Web-Api Solutions
Recommended Owin Solutions

Previous Solution:

Can I animate absolute positioned element with CSS transition?

CssCss Transitions

Next Solution:

Python assignment destructuring

PythonDestructuring

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionColin SuperdogView Question on Stackoverflow
Solution 1 - C#Colin SuperdogView Answer on Stackoverflow
Solution 2 - C#Marcel N.View Answer on Stackoverflow
Solution 3 - C#Sergii LebidView Answer on Stackoverflow