Puneet Ghanshani

Chief Architect at Microsoft

4 minute read

In Windows 8, when hosting WCF in a managed application running under a normal user privileges and NetTcp binding, you might get an exception

Verify that the current user is granted access in the appropriate allowAccounts section of SMSvcHost.exe.config

This is due to enhanced security in Windows 7+ operating systems. 

There are 3 ways to get away with this exception

Run as Administrator

Please note that this problem occurs only when you are running a WCF service using a user account.  If you run the service using a Local System, Network Service, Local Service or Administrator, there will be no issues at all.

When running the application as an Administrator, NetTcp Port Sharing service assumes that you are authenticated and can run the service and share data on the TCP layer.

However, if you do not have admin rights you can take the next approach

Downgrade your NET.TCP Port Sharing service

Now this problem occurs for .NET 4.0 framework that upgraded the NET.TCP Port Sharing.  So if you have installed .NET 4.0, you will face this issue.

The easiest way is to change some registry configuration to use v3.0

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetTcpPortSharing

New Value:
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

When you try to compare the configuration files SMSvcHost.exe.config in v3.0 and v4.0.30319, you will not find any changes that would stop port sharing so I believe, it is the way SMSvcHost works that has made the changes

Grant port sharing rights to yourself

This process is a lengthy process so if you follow through these steps accurately you can get away with this error

  • Visit http://technet.microsoft.com/en-us/sysinternals/bb897417 and download the  PsTool.  We are interested in PsGetSid that gives you unique security identifier for a user or a group.  So if you are targeting this single user, you should be interested in getting SID of a user; otherwise, you can request for a group having all your target audience.  Run PsGetSid <username> to your SID
  • Open the SMSvcHost.exe.config (of .NET 4.0 version, usually in C:\Windows\Microsoft.NET\Framework\v4.0.30319 folder)
  • You will require to use Admin rights to open this config file.  The best way is to open Command Prompt (Run As Administrator) and then type

    notepad C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe.config

  • The configuration file has a section called system.serviceModel.activation and a sub-section net.tcp.  This section has security identifiers of LocalSystem, LocalService, NetworkService and Administrators.  We need to add your SID in this configuration file
  • Without changing anything else, add following line in the configuration file (just next to the LocalSystem account

<add securityidentifier="your-SID-that-starts-with-S">

Restart the Net.Tcp Port Sharing service and you should be good to go.

You May Also Enjoy