The password of the account specified in wrapper.ntservice.account. If the account does not have a password, or if the LocalSystem account is being used, then this value can be blank.

The default value is no password.

wrapper.ntservice.password=secret

NOTE

Changes on this property will not take effect until the Windows Service is reinstalled.

Empty password:

It is possible to use accounts that do not have a password set by simply setting the password to an empty string or ommitting the property all together.

wrapper.ntservice.password=

NOTE

Under Windows XP and Windows 2000 SP3 and above, by default, the system will not allow services to be run for accounts which do not have a password set. To make it possible to run as an account without a password, you need to disable the "Accounts: Limit local account use of blank password to console logon only." setting. How to Disable Account Limit: Go to the "Administrative Tools" folder in your control panel. Open the "Local Security Policy" applet. Expand "Local Policy" and then click on "Security Options". On the right side, you will find the above setting. Right click or double click to access its properties dialog, and then disable it. Note that the "Local Security Policy" applet does not appear to be available on Home Editions of Windows 2000 and XP. It is thus not possible to run a service as a specific account under those versions of Windows.

Concern about storing a text password?:

Some users have expressed concern about having a plain text password stored in the wrapper.conf file. There are a few options available for avoiding this problem. The wrapper.ntservice.password is not required once the Wrapper has been installed as a service.

• The most obvious solution is to simply delete the wrapper.ntservice.password property from the wrapper.conf file after the service has been installed. This has the obvious drawback of requiring a user to manually modify the file.

• Another option is to create a second configuration file called password.conf as follows. The actual wrapper.conf file is then modified to include the new password file like a "include file" (cascading style) rather than declaring the property directly. The key point is that they are optional, meaning that once the Wrapper has been installed as a service, the password file can simply be deleted.

  A new configuration file "password.conf":

  wrapper.ntservice.password=secret

  Include the password file in "wrapper.conf":

  wrapper.ntservice.name=myapp wrapper.ntservice.account=myuser #include ../conf/password.conf

  See the Cascading Configuration File ("include file") page for a full explanation of how include files work.

• A third option is to modify the batch file used to install the Wrapper so that it prompts the user for a password and then installs the Wrapper using the following command.

  wrapper.exe -i ..\conf\wrapper.conf wrapper.ntservice.password=%PASSWORD%

  Wrapper versions prior to 3.2.0 would store all properties specified in the command line within the registry in plain text. This security hole has been fixed by special casing the wrapper.ntservice.password property and omitting it from the values stored in the registry.

• A fourth option is to have the Wrapper prompt the user for a password when installing the Wrapper as a service using the wrapper.ntservice.password.prompt property described below.

Compatibility :	3.2.0
Editions :
Platforms :

If this property is set, the wrapper.ntservice.password.prompt property will cause the Wrapper to ignore any value specified with the wrapper.ntservice.password property and then prompt the user for a password when installing as a service. This has the benefit of being secure in that the password is never recorded anywhere other than within the Windows Service Manager. The default value is "FALSE".

wrapper.ntservice.password.prompt=TRUE

When the Wrapper is launched with the "-i" command, the Wrapper will display the following to the console, prompting the user for an account password. This example assumes that the wrapper.ntservice.account property is set to ".\Wrapper".

Please input the password for account '.\wrapper':

Compatibility :	3.2.0
Editions :
Platforms :

By default, the Wrapper will mask a password being entered at a password prompt. Setting this property to FALSE will cause the password to be visible in the console. The default value is "TRUE".

wrapper.ntservice.password.prompt.mask=FALSE

For some more DOS scripting tips see
WindowsXP->Start->Help->Command shell overview->Using batch files->Using batch parameters

The downside I've experienced with the third option is that when I modify the wrapper.exe -i line in %WRAPPER_HOME%srcinInstallApp-NT.bat.in to something like

"%_WRAPPER_EXE%" -i %_WRAPPER_CONF% wrapper.ntservice.account=%LOG_ON_AS% wrapper.ntservice.password=%PASSWORD%

then wrapper.exe adds the cleartext password to the NT service's->Properties->Path to executable. I don't know if this behavior is a defect or "feature".

Thus, if you don't want any cleartext record of the password, you have to use option 1 or 2. Option 3 isn't secure.

Under Windows 2000, you can prompt a user for a password with something like

SET /P some_variable_name="some prompt for LogOnAs user password: "

I found this tidbit at Rob van der Woude's great web site "Scripting Pages: Batch Files, Rexx, KiXtart, Perl, VBScript"

http://www.robvanderwoude.com/index.html