wrapper.ntservice.password

Compatibility: 3.0.0
Editions: Professional Edition, Standard Edition, Community Edition
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

WARNING

DO NOT modify the value of this property while an application using the configuration file has been installed as a Windows Service. Please uninstall the existing service BEFORE modifying this property. The service with the new value can then be safely reinstalled later.

This property is only used on Windows platforms.

wrapper.ntservice.password

The password of the account specified in wrapper.ntservice.account. If the account does not have a password, or if the LocalSystem account is being used, then this value can be blank.

The default value is no password.

Example (specifying password):
wrapper.ntservice.password=secret

NOTE

Changes to this property will not take effect until the Windows Service is reinstalled.

WARNING

When any property is read from the configuration file, the '#' character is treated as the start of a comment, so the rest of the line is ignored. If your password contains a '#' character, you must escape it by doubling it ('##').

Empty password:

It is possible to use accounts that do not have a password set by simply setting the property to an empty string or omitting the property altogether.

Example (empty string):
wrapper.ntservice.password=

NOTE

Under Windows XP and Windows 2000 SP3 and above, by default, the system will not allow services to be run for accounts which do not have a password set.

To make it possible to run as an account without a password, you need to disable the "Accounts: Limit local account use of blank password to console logon only." setting.

How to Disable Account Limit:

Go to the "Administrative Tools" folder in your control panel. Open the "Local Security Policy" applet. Expand "Local Policy" and then click on "Security Options". On the right side, you will find the above setting. Right click or double click to access its properties dialog, and then disable it.

Note that the "Local Security Policy" applet does not appear to be available on Home Editions of Windows 2000 and XP. It is thus not possible to run a service as a specific account under those versions of Windows.

Concern about storing a text password?

Some users have expressed concern about having a plain text password stored in the wrapper.conf file. There are a few options available for avoiding this problem. The wrapper.ntservice.password is not required once the Wrapper has been installed as a service.

  • The most obvious solution is to simply delete the wrapper.ntservice.password property from the wrapper.conf file after the service has been installed. This has the obvious drawback of requiring a user to manually modify the file.

  • Another option is to create a second configuration file called password.conf as follows. The actual wrapper.conf file is then modified to pull in the new password file as an "include file" (cascading style) rather than declaring the property directly. The key point is that include files are optional, meaning that once the Wrapper has been installed as a service, the password file can simply be deleted.

    A new configuration file "password.conf":
    wrapper.ntservice.password=secret
    
    Include the password file in "wrapper.conf":
    wrapper.ntservice.name=myapp
    wrapper.ntservice.account=myuser
    #include ../conf/password.conf
    

    See the Cascading Configuration File ("include file") page for a full explanation of how include files work.

  • A third option is to modify the batch file used to install the Wrapper so that it prompts the user for a password and then installs the Wrapper using the following command.

    wrapper.exe -i ..\conf\wrapper.conf wrapper.ntservice.password=%PASSWORD%
    

    Wrapper versions prior to 3.2.0 would store all properties specified in the command line within the registry in plain text. This security hole has been fixed by special casing the wrapper.ntservice.password property and omitting it from the values stored in the registry.

  • A fourth option is to have the Wrapper prompt the user for a password when installing the Wrapper as a service using the wrapper.ntservice.password.prompt property described below.
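To check that none of the options above has left a password behind, the following added example (not part of the Wrapper or its documentation) scans a configuration file and its includes for a non-empty wrapper.ntservice.password, applying the '#' / '##' comment rule described earlier. The names `strip_comment`, `escape_value`, `stored_passwords` and `SAMPLE` are hypothetical, the sample files are constructed, and looking up include paths literally is an assumption; only the `#include` form shown on this page is handled.

```python
# Added example (not Wrapper code): locate stored service passwords in a config tree.
import re

PASSWORD_KEY = "wrapper.ntservice.password"
INCLUDE = re.compile(r"#include\s+(\S+)\s*$")  # only the form shown on this page

def strip_comment(line):
    """'#' starts a comment; a doubled '##' is a literal '#' (rule from the page)."""
    out, i = [], 0
    while i < len(line):
        if line[i] == "#":
            if line[i + 1:i + 2] != "#":
                break              # single '#': the rest of the line is ignored
            i += 1                 # '##': skip one, keep one
        out.append(line[i])
        i += 1
    return "".join(out)

def escape_value(value):
    """Inverse of strip_comment, for a value about to be written to a .conf file."""
    return value.replace("#", "##")

def stored_passwords(files, name, seen=None):
    """Return [(file, line_no)] for every non-empty password definition."""
    # `files` maps path -> text (constructed below; a real run would read from disk).
    # Assumption: include paths are looked up literally as keys of `files`.
    seen = set() if seen is None else seen
    if name in seen or name not in files:    # a missing include is optional: skip
        return []
    seen.add(name)
    hits = []
    for line_no, raw in enumerate(files[name].splitlines(), 1):
        inc = INCLUDE.match(raw.strip())
        if inc:                              # '#include' is a directive, not a comment
            hits += stored_passwords(files, inc.group(1), seen)
            continue
        key, sep, value = strip_comment(raw).partition("=")
        if sep and key.strip() == PASSWORD_KEY and value.strip():
            hits.append((name, line_no))     # report the location, never the secret
    return hits

SAMPLE = {  # constructed sample files, mirroring the password.conf layout above
    "wrapper.conf": "wrapper.ntservice.name=myapp\n"
                    "wrapper.ntservice.account=myuser\n"
                    "#include ../conf/password.conf\n",
    "../conf/password.conf":
        "wrapper.ntservice.password=" + escape_value("s3#cret") + "  # temp\n",
}
```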

wrapper.ntservice.password.prompt

Compatibility: 3.2.0
Editions: Professional Edition, Standard Edition, Community Edition
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

If this property is set, the Wrapper ignores any value specified with the wrapper.ntservice.password property and instead prompts the user for a password when installing as a service. This has the benefit of being secure in that the password is never recorded anywhere other than within the Windows Service Manager. The default value is "FALSE".

Example (Enable prompt):
wrapper.ntservice.password.prompt=TRUE

When the Wrapper is launched with the "-i" command, the Wrapper will display the following to the console, prompting the user for an account password. This example assumes that the wrapper.ntservice.account property is set to ".\Wrapper".

Example of Display:
Please input the password for account '.\wrapper':

NOTE

Because this property requires a console, it currently works only with the Wrapper's console application (wrapper.exe), not with the window application (wrapperW.exe).

wrapper.ntservice.password.prompt.mask

Compatibility: 3.2.0
Editions: Professional Edition, Standard Edition, Community Edition
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

By default, the Wrapper will mask a password being entered at a password prompt. Setting this property to FALSE will cause the password to be visible in the console. The default value is "TRUE".

Example (disabling the password mask):
wrapper.ntservice.password.prompt.mask=FALSE

Reference: Account