Re: Can't get Tomcat to use account other than System

[Mark Leone]

Darryl,
I neglected to mention in my last message that I also tried giving the 
"Act as part of the operating system" right to the account I'm trying to 
use, and it didn't work. There are only a handful of rights that are not 
assigned to either the account I'm trying to use or the group it belongs 
to. I've listed them below, in case you have any ideas as to which one 
I'm missing.

I should also describe the sequence of steps I took, and make sure I'm 
not doing something wrong. I stopped the Tomcat service, then entered 
the account credentials on the "Log on" tab of the service properties 
window (and checked the "Use this account" button). Then I clicked 
"Apply" and went to the General tab. I then started the service.

When I went back to the "Log on" tab, the "Use this account" button was 
still checked, and the credentials I entered were still there. But then 
I closed the Tomcat service properties window and re-opened it- and when 
I went to the "Log on" tab, the account credentials I entered were not 
there anymore, and the "Local System account" button was checked instead 
of  "Use this account". When  I subsequently checked the "Use this 
account" button, instead of the account credentials that I entered 
previously being displayed, the LocalSystem account was displayed.

Here are all the process rights NOT assigned to either my account or the 
group to which it belongs.

Create a token object
Create permanent shared objects
Deny access to this computer from the network
Deny logon as a batch job
Deny logon as a service
Deny logon locally
Deny logon through terminal services
Enable computer and user accounts to be trusted for delegation
Generate security audits
Lock pages in memory
Replace a process level token
Synchronize directly service data
Darryl Wilburn wrote:
In addition to "Logon as a service", the account will
also need to "Act as part of the operating system". 
Again, these are the two minimum requirements. 
Depending on what you're trying to access, you may
need to assign additional user rights.

Darryl
--- Mark Leone <[EMAIL PROTECTED]> wrote:
 

Thanks. That's useful information, but unfortunately
it didn't solve my 
problem. The account I'm trying to use was already
mapped to the "Logon 
as a Service" right. I looked at all other rights
that didn't have 
either the account or its group mapped to them, and
I couldn't see any 
that seemed to be needed. I searched through the MS
knowledge base as 
well, and didn't find anything relevant to this
problem.

I found a better way to accomplish what I was trying
to do; but I'd like 
to find out why I can't run Tomcat as an account
other than System, in 
case I have a need for it at some later point.
Thanks for trying.

Darryl Wilburn wrote:
   

In Administrative Tools, go to Local Security
     

Policy
   

and navigate to Local Policies >> User Rights
Assignment.  This lists all the assignable user
rights.  At the very least, this account will need
     

to
   

be assigned to "Logon On as a Service".  Don't mess
around with the Net Logon service.  The only
     

service
   

you need to mess with is Apache Tomcat.  The other
services aren't broken, so don't try to "fix" them.
     

You might also consider looking here: 
     

http://support.microsoft.com/default.aspx?scid=fh;EN-US;kbhowto&sd=TECH&ln=EN-US&FR=0
   

Darryl
--- Mark Leone <[EMAIL PROTECTED]> wrote:
     

Can you tell me how to check for that? The only
options I can find for 
defining account properties are in Control Panel
       

-->
   

Users and 
Administrative Tools --> Computer Management; and
neither of those have 
any settings beyond very basic things like Admin
       

vs.
   

limited priviliges.
I played around a bit with the Net Logon service.
       

I
   

specified the 
desired account credentials in the Log On tab of
       

the
   

Service Properties, 
and then when I tried to start the service I got
       

the
   

following error.
"Could Not start the Net Logon service on local
computer.
Error 1079: The accout specified for this service
       

is
   

different from the 
account specified for other services running in
       

the
   

same process."
Not sure what to make of this, or if I'm barking
       

up
   

the wrong tree. 
Please enlighten me.

Darryl Wilburn wrote:
  

       

Mark,
Does the account you're trying to use have all
         

the
   

correct user rights (act as part of the operating
system, run as a service, etc.)?
Darryl
--- Mark Leone <[EMAIL PROTECTED]> wrote:
    

         

I think this is a pretty basic question, but I
couldn't find an answer 
in the archives. I've been using Tomcat for a
      

           

while,
  

       

with Tomcat logging 
on as the local System account. Now I'd like
      

           

Tomcat
  

       

to have some 
additional access rights, so I'm trying to get
           

it
   

      

           

to
  

       

log on as a 
privileged user. I have Tomcat 5.5.8 installed
           

as
   

      

           

a
  

       

Service on Windows 
XP. I launch the Service properties window, go
           

to
   

the "Log On" tab, 
check the "This Account" radio button, and then
enter the account 
credentials.

The credentials seem to be accepted, but if I
      

           

close
  

       

the Service 
properties window and re-launch it, the "Log On"
      

           

tab
  

       

has reverted to its 
default configuration, i.e. Log on as "Local
      

           

System
  

       

Account" is enabled 
instead of the account I specified. And Tomcat
doesn't have the access 
rights I'd like it to have, even after restart.

 

      

           

---------------------------------------------------------------------
     

  

       

    

         

To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
 

      

           

		
__________________________________ 
Yahoo! Mail Mobile 
Take Yahoo! Mail with you! Check email on your
    

         

mobile phone. 
  

       

http://mobile.yahoo.com/learn/mail 

    

         

---------------------------------------------------------------------
     

  

       

To unsubscribe, e-mail:
    

         

[EMAIL PROTECTED]
  

       

For additional commands, e-mail:
    

         

[EMAIL PROTECTED]
  

       

    

         

  

       

---------------------------------------------------------------------
   


     

To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
  

       

		
__________________________________ 
Do you Yahoo!? 
Plan great trips with Yahoo! Travel: Now over
     

17,000 guides!
   

http://travel.yahoo.com/p-travelguide
     

---------------------------------------------------------------------
   

To unsubscribe, e-mail:
     

[EMAIL PROTECTED]
   

For additional commands, e-mail:
     

[EMAIL PROTECTED]
   


     

   

---------------------------------------------------------------------
 

To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
   


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]