
I have a C# Application that is a Windows Service. It is creating a simple CMD file with the following contents, which it sends to a .NET PROCESS to execute the CMD file:

"sftpg3.exe" -B "C:\tempSFTPScriptFile.ssh" hopUserProfile

The hopUserProfile is setup to use public key access method.

The ssh file has the following:

lcd E:\DropRoot
get --preserve-attributes --checksum=sha1 --overwrite=yes *
quit

If I run a Windows command prompt and execute the CMD file, everything works perfectly. I am not prompted for anything, so it does not seem to be due to user interactivity issues.

However, my service shows a failure with the following errors, even though the service is running under the same domain account that created the profile, and that domain account has Admin rights.

Error: Could not connect to broker: OpenProcess failed: 5 / Failed to get process 4104 integrity level. / Trustworthiness of the client process cannot be verified. Refusing to serve unknown client. / Broker is already running. / Failed to start on-demand Broker.

The broker never shows a connection.

I am totally lost here, so any assistance would be most welcome.

asked Mar 24 '15 at 17:23


philipsDev
6224

edited Mar 24 '15 at 17:24


So I think I've answered my own question. It appears that in Windows 2012, different credentials are used when a service issues a .NET PROCESS object to run an application. The errors are identical to those when trying to reference a profile created by a different user.


answered Mar 26 '15 at 15:52


philipsDev
6224

The problem usually is the UAC (User Account Control). When you are an admin on a new Windows computer (Vista and newer) and UAC is on, you have 2 identities and they do not trust one another. So the problem probably is that the ssh-broker-g3.exe process has been started when you normally logged in to the machine. It has been started without elevated privileges. But when a service is started in Session 0, it starts all processes WITH elevated privileges. So now the connection broker (ssh-broker-g3) does not have rights to send communication handles to the sftpg3 process.

You can easily fix this either:

  • By first stopping the ssh-broker-g3 process and starting it again with elevated privileges.
  • Or by stopping the process and making sure no one else will start it. In that case sftpg3 will start it itself when it needs it, with the correct UAC level.

This is a schizophrenic headache that Microsoft introduced in Windows Vista and would require major refactoring of the Tectia Client architecture to work seamlessly in all circumstances.


answered Jun 05 '15 at 10:05


Martin Dobsik ♦
599126
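A diagnostic for the mismatch described in the answer above, added here as an example in C# (the asker's language); it is not code from the post or from Tectia. It assumes the broker executable is named ssh-broker-g3.exe as in the answer, and reports whether the current process (e.g. the service before it launches sftpg3) and any running broker agree on session and UAC elevation.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added diagnostic helper (not Tectia code): compares the UAC elevation state and
// session of this process against every running ssh-broker-g3.exe. A mismatch is
// the situation the answer describes (broker non-elevated, service elevated).
static class BrokerElevationCheck
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevation = 20; // TOKEN_INFORMATION_CLASS.TokenElevation

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out uint info, int len, out int returned);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // true/false = token elevated or not; null = token could not be read
    // (OpenProcess failing with error 5 is the same symptom as the question's log).
    static bool? IsElevated(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (process == IntPtr.Zero) return null;
        try
        {
            if (!OpenProcessToken(process, TOKEN_QUERY, out IntPtr token)) return null;
            try
            {
                // TOKEN_ELEVATION is a single DWORD: non-zero means elevated.
                return GetTokenInformation(token, TokenElevation, out uint elevated, sizeof(uint), out _) && elevated != 0;
            }
            finally { CloseHandle(token); }
        }
        finally { CloseHandle(process); }
    }

    static void Main()
    {
        Process me = Process.GetCurrentProcess();
        bool? myElevation = IsElevated(me.Id);
        Console.WriteLine($"this process: session {me.SessionId}, elevated={myElevation}");
        foreach (Process broker in Process.GetProcessesByName("ssh-broker-g3"))
        {
            bool? brokerElevation = IsElevated(broker.Id);
            string verdict = brokerElevation == myElevation ? "matches" : "MISMATCH: restart the broker with matching elevation";
            Console.WriteLine($"broker pid {broker.Id}: session {broker.SessionId}, elevated={brokerElevation} -> {verdict}");
        }
    }
}
```

Run it once from an interactive prompt and once from the service context (for example by having the service log the same output); when the two disagree on elevation, apply either of the fixes listed in the answer.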

Asked: Mar 24 '15 at 17:23

Seen: 5,870 times

Last updated: Jun 05 '15 at 10:05
