Wednesday, 4 November 2020

Why does my Windows Service keep forgetting its password?

 https://www.coretechnologies.com/blog/windows-services/windows-service-forgets-password/


The mystery: “The service did not start due to a login failure”

One of our customers reported a very strange problem last week. After about a day of running flawlessly, their Windows service would suddenly fail to start after a reboot. The error reported by the Event Viewer hinted at a problem with the service user’s account:

[Image: Windows Service Logon Failure]

Trying to start the service directly from the Windows Services Control Panel application produced the same unsatisfying result:

[Image: Windows service failed to start]

The service account’s password had not changed, and the user had no problem logging into the server interactively. Why was the Windows service failing to log in?

Luckily we were able to get the service going again by re-entering the user’s password:

[Image: Re-enter Windows service password]

When doing so, we noticed that the “Log on as a service” right had to be granted again. Very suspicious…

[Image: Log on as service granted]

But a mere 24 hours later, the problem resurfaced! Once again, the service failed to start after a reboot.

The problem: Group Policy overwriting Local Policy

The message about the “Log on as a service” right led us to the root of the problem.

Entering the password in services.msc updated the user’s rights in the machine’s Local Group Policy — a collection of settings that define how the system will behave for the PC’s users. However, since the user and server were part of a domain, those local settings were periodically overwritten by the domain’s group policy, which had not been updated with the new permission. And because the necessary permission “disappeared” on the machine, the service failed the next time it tried to start.

The solution: Modify the Domain Group Policy

To fix the problem, we must update the domain group policy and explicitly give the service user the “Log on as a service” right. To do so:

  1. Start the Group Policy Management application.

    Open Control Panel, navigate to System and Security > Administrative Tools, and double-click Group Policy Management on the left.

    [Image: Start Group Policy Management]

    (Note: Don’t search for “group” in Control Panel. That will lead you to the “Edit group policy” link, which opens the local group policy!)

  2. Find your default domain policy on the left. Right-click it and select Edit to bring up the Group Policy Management Editor window.

    [Image: Edit the default domain policy]

  3. On the left, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and select the Log on as a service entry on the right.

    [Image: Edit group policy user rights]

  4. Double-click Log on as a service to bring up its Properties window.

    Add the user running your Windows service to the list and click OK to record the change.

    [Image: Add the domain account running the Windows service]

Next time your domain policy is copied to your server, it will bring along the Log on as a service right for the user. You shouldn’t encounter the “logon failure” error again!
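
To confirm on the server itself that the right is still present after a policy refresh, the following added example (not part of the original post) exports the machine's current user rights with secedit and reports, for every service running under a user account, whether that account is directly granted SeServiceLogonRight, the internal name of "Log on as a service". The helper name Resolve-Sid and the scratch file path are assumptions made for this example.

```powershell
# Added example: list services running under user accounts and whether each
# account is directly granted "Log on as a service" (SeServiceLogonRight).
# Run from an elevated prompt on the server hosting the service.

function Resolve-Sid([string]$Name) {   # hypothetical helper name
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

# Export the user rights currently in force on this machine.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # scratch file (assumed path)
secedit /export /areas USER_RIGHTS /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are comma separated; SIDs carry a leading '*', names do not.
$granted = @()
if ($line) {
    $granted = @(($line.Line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) } else { Resolve-Sid $entry }
    })
}

# Built-in and virtual service accounts are out of scope for this check.
$skip = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $skip } |
    ForEach-Object {
        $svc  = $_
        # ".\user" means a local account; qualify it with the computer name.
        $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        $sid  = Resolve-Sid $acct
        [pscustomobject]@{
            Service           = $svc.Name
            Account           = $svc.StartName
            # False can also mean the right is granted only through a group.
            HasLogonAsService = [bool]($sid -and ($granted -contains $sid))
        }
    }
```

Running it once right after re-entering the password and again after the next group policy refresh shows whether the domain policy is removing the right.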

A closing note for the folks at Microsoft: A better error message please!

Instead of reporting the generic “logon failure”, why not be more precise and say something like “The user doesn’t have the necessary rights to start the service”? You could provide even more guidance by listing the missing rights.

The bottom line is that a helpful error message highlighting the true problem would have led us straight to the solution and avoided a few anxious days for us and our client.
