question

XiaQuanGEPowerconsultant-3043 asked DaisyZhou-MSFT edited

Cannot start service with service account when the station is not connected to domain controller

We set up a service with a domain user as the log-on credential on a Windows 10 station. It works as expected when the machine is connected to the home network and is able to communicate with the domain controller. However, the service does not come up when the station is outside the home network and cannot connect to the domain controller.

The user can still log on because the credential is cached. But the service which uses the same credential cannot start.

Is there any solution so that we can start the service with this domain user even outside the home network? (Actually, the station was unplugged and had no network connection at all during some deployments.)

Thanks

Larry

windows-10-security

Hello @XiaQuanGEPowerconsultant-3043,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


I want Microsoft to make an enhancement to allow using cached credentials to start a service. Although we can start the application as a standalone app, it is not exactly what we want to have, since this is an end-user-visible change.

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @XiaQuanGEPowerconsultant-3043,

Thank you for your reply.

I think this is by-design behavior.

I will help you feed this requirement back to the product group.

Tip: However, the product group may not fulfill this requirement based on the needs of a single individual.

Thank you for your understanding and support.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DaisyZhou-MSFT answered XiaQuanGEPowerconsultant-3043 commented

Hello @XiaQuanGEPowerconsultant-3043,

Thank you for posting here.

Q: Is there any solution so that we can start the service with this domain user even outside the home network? (Actually, the station was unplugged and had no network connection at all during some deployments.)
A: No, there is no way to start the service if the Windows 10 station is not connected to the domain network/home network.

Here are my suggestions:

1. You can connect the Windows 10 station to the domain network/home network via VPN.

2. Or you can set up the service with a local user as the log-on credential on the Windows 10 station.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
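Before choosing between the two suggestions above, it helps to know which services on the station are actually affected. The following PowerShell script is an added example, not code from the thread or from Microsoft: it lists every service whose log-on account is a domain principal (those are the ones that cannot start while no domain controller is reachable), reports whether the machine's secure channel to the domain is currently usable, and shows the most recent Service Control Manager start failures (event ID 7000) so the exact failure reason is visible. The regular expressions used to classify account names are the example's own assumption and only cover the common `DOMAIN\user`, `user@domain`, built-in and `.\local` forms.

```powershell
# Added example (not from the thread): audit services that depend on domain
# connectivity to start. Run in an elevated PowerShell session on the station.

$computerDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$localPrefix    = [regex]::Escape($env:COMPUTERNAME)

# Services whose logon account is a domain principal (DOMAIN\user or user@domain).
# Built-in accounts (LocalSystem, NT AUTHORITY\*, NT SERVICE\*) and local users
# (.\user or COMPUTERNAME\user) are skipped: they start without a DC.
$domainServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)' -and
        $_.StartName -notmatch "^$localPrefix\\" -and
        ($_.StartName -match '^[^\\]+\\' -or $_.StartName -match '@')
    } |
    Select-Object Name, StartName, StartMode, State

# Is the secure channel to a domain controller usable right now?
# Test-ComputerSecureChannel errors when the machine is not domain-joined or no DC
# answers, so any error is treated as "not reachable".
$dcReachable = $false
try {
    $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $dcReachable = $false
}

"Computer domain : $computerDomain"
"DC reachable    : $dcReachable"
""
if ($domainServices) {
    "Services that log on with a domain account (cannot start while the DC is unreachable):"
    $domainServices | Format-Table -AutoSize
} else {
    "No services are configured to log on with a domain account."
}

# Recent Service Control Manager start failures (event 7000) state the reason,
# for example 'The service did not start due to a logon failure.'
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```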


Thank you for the reply. The machine is disconnected from the network in some cases. And if we use a local user then we cannot use Windows authentication when connecting to the database.

I think the only solution is, if we can't start the service in disconnected mode, then we have to start it as a standalone application.

However, it is kind of weird that Windows allows a domain user to log on using cached credentials, but does not allow a service to start with the same credentials. Such a design doesn't make sense.

Larry

DaisyZhou-MSFT (replying to XiaQuanGEPowerconsultant-3043) ·

Hello @XiaQuanGEPowerconsultant-3043,

Thank you for your reply.

“Windows allows a domain user to log on using cached credentials”: logging in with cached domain credentials does not actually connect to the domain.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


But it doesn't allow a service to run with cached credentials. It is not consistent in design.

If Windows allows a user to log on using cached credentials, it should also allow a service to start with cached credentials as well.

This limitation creates a headache for us, since we have to use a domain user to start the service due to company security compliance rules, but we also need the service to be able to run if it is unplugged from the network in some special cases.

Now this limitation forces us to run the service as a standalone application in case the network is unplugged, because the service won't start up even when the credential is cached.

Thanks

Larry

cheong00 (replying to XiaQuanGEPowerconsultant-3043) ·

"And if we use a local user then we cannot use Windows authentication when connecting to the database."

FYI, your service will still need access to the Kerberos server (typically your domain controller) to use SSPI to log in to the database, so this requirement won't work.

I suspect that is the reason your service is not starting: the service's connection to the database is rejected and therefore an error is thrown.


In disconnected mode, the service doesn't need to access the database at all. Your assumption is wrong. The log doesn't show the service trying to connect to the database when it starts.
