wrapper.ntservice.account
Compatibilidad :3.0.0
Ediciones :Edición ProfesionaEdición EstándarEdición de la Comunidad
Plataformas :WindowsMac OSX (No Compatible)Linux (No Compatible)IBM AIX (No Compatible)FreeBSD (No Compatible)HP-UX (No Compatible)Solaris (No Compatible)IBM z/Linux (No Compatible)

ADVERTENCIA

DO NOT modify the value of this property while an application using the configuration file has been installed as a Windows Service. Please uninstall the existing service BEFORE modifying this property. The service with the new value can then be safely reinstalled later.

This property is only effective on Windows platforms. It lets you specify the account to use when running as a Windows Service. The service account essentially provides a security context for your service.

NOTA

Changes on this property will not take effect until the Windows Service is reinstalled.


Accounts:

Windows Services can be configured to run with different types of accounts:

  • LocalService, NetworkService and LocalSystem

    These three special accounts are traditionally used to install Windows Services.

    LocalService has minimum privileges on the local computer and presents anonymous credentials on the network.

    NetworkService has minimum privileges on the local computer, but acts as the computer on the network.

    LocalSystem has extensive privileges on the local computer, and acts as the computer on the network.

    Example: 
    wrapper.ntservice.account=NT AUTHORITY\NetworkService
wrapper.ntservice.account=NT AUTHORITY\LocalService

    The default, blank value, will use the LocalSystem account.

  • User Accounts and Domain User Accounts

    For improved security, it is best that your service runs under a dedicated account. Ideally, the account should only have access to files needed by the Wrapper or Java application, and conversely, no other account (and therefore no other process) should be allowed to access these files.

    User accounts allow this. The account name should be written in the form: {DomainName}\{UserName}. If the account belongs to the built-in domain, then you may specify the name in the form: .\{UserName}.

    Example: 
    wrapper.ntservice.account=.\leif

  • Managed Service Acccounts (MSA)

    If you have many services on a large network, using a dedicated account per service involves a lot of management for those accounts. Managed service accounts provide an alternative to user accounts by eliminating the complexity of password management. Random, strong passwords are automatically generated, and then renewed when they reach their expiration date. This means that wrapper.ntservice.password never need to be

    Managed Service Acccounts require Active Directory to be installed on the machine and the Server Edition of Windows.

    They are declined in four different types: Standalone Managed Service Accounts (sMSA), Group Managed Service Accounts (gMSA), Delegaged Managed Service Accounts (dMSA), and Virtual Accounts.

    sMSA, gMSA, and Virtual Accounts require Windows Server 2008 R2, while dMSA were introduced in Windows Server 2025. dMSA offer security advantages which you can read on MSDN (see above links).

    For sMSA, gMSA and dMSA, the account name should be written in the form: {DomainName}\{UserName}$ (the final '$' is important).

    Example: 
    wrapper.ntservice.account=da.tanuki.com\gmsaTanuki$

NOTA

Usage of most of these accounts will require you to set appropriate permissions on the files that needed to be accessed by the Wrapper or the Java Application. It is best to set your file permissions only for service accounts that require access, and to limit the type of access (e.g. read, write, execute, etc.) to the bare minimum. Fine-tuning file permissions require some effort, but is often a necessary step if you want to run your application securely.

On Windows, most files will have full permissions for the 'SYSTEM' account. This means that any service running with LocalSystem will run without needed to edit file permissions. This is why LocalSystem as the default account for Windows services makes it easy to set up and run your services. But you should keep in mind that, with LocalSystem, your Java process will then run with the highest privileges on Windows. While many services on Windows are considered trusted and run with LocalSystem, it is up to you deciding whether or not your application should have such privileges.


Password:

Most user accounts or domain user accounts will require a password to be set. See the wrapper.ntservice.password property for the various options specifying a password.


Error on Service Install:

When attempting to install the service, you will encounter the following message if the account name is invalid, does not exist, or the password for the account is incorrect. A common mistake is setting the account name to leif rather than .\leif. 

CreateService failed - The account name is invalid or does not exist,
or the password is invalid for the account name specified. (0x421)

Additionally, only accounts which have their "Log on as a Service" right set can be used to run a service. Failure to set this right will result in the following error message when you attempt to install the service: 

 Authentication attempt failed - Logon failure: the user has not been granted the requested logon type at this computer. (0x569)

NOTA

Since version 3.5.8, the Wrapper will automatically add the "Log on as a Service" permission during the installation of the service.

Starting from version 3.5.44, it is possible to control whether the permission should be added or not by using the wrapper.ntservice.account.logon_as_service property.


Setting Access Right on the system:

To set the "Log on as Service" right, Go to the "Administrative Tools" folder in your control panel. Open the "Local Security Policy" applet. Expand "Local Policy" and then click on "User Rights Assignment". On the right side, you will find a "log on as service policy". Right click or double click to access its properties dialog, and then add the user that you wish to allow to run the service.

Note that the "Local Security Policy" applet does not appear to be available on Home Editions of Windows.


Interactive Services:

The wrapper.ntservice.interactive property will be ignored (resolved to FALSE) if the service is configured to run using a specific account.

Referencia: Cuenta