
On a Windows 2012 R2 server we have several Windows services that need to access a RESTful interface on a remote server. The RESTful interface on the remote server does not allow anonymous access, so a possible solution to this is to add remote server credentials to the Credentials Manager for the user account running the Windows service. This is currently done with the following command:

cmdkey.exe /add:10.0.0.1 /user:RemoteUser  /pass:RemotePass 

These Windows services are running under the Local System account, so we need to run cmdkey.exe under the System account to add the credentials to the System account. This is done with the PSExec.exe -s cmdkey.exe command-line tool from Sysinternals.

The solution works on Windows 7, but I cannot make it work on a Windows 2012 R2 server. On 2012 only the username is stored correctly. The password, however, is incorrectly stored or not stored at all. The RESTful interface, when called, reports an Unauthorized (401) HTTP response, so the password is somehow corrupt.

Is there a way to make the System account store the credentials correctly, or should we try and come up with another solution?

  • Have you tried whether your problem depends on the system account? It's recommended not to use the system account but dedicated service logon accounts. Look here: https://docs.microsoft.com/en-us/windows/desktop/ad/service-logon-accounts – marsh-wiggle Nov 30 '18 at 12:46
  • Yes. It depends on the System account. We have tried with the local Administrator account, and that works fine. We have plans for dedicated service users, but due to time constraints we might not be able to do that in time. – Thomas K Nov 30 '18 at 12:53
  • Then, unless you are on a domain controller, you may create a local administrator account and use it for your services. – marsh-wiggle Nov 30 '18 at 13:19
  • Does the security policy on the server have any restrictions on storing credentials? Check with rsop.msc or gpresult.exe – twconnell Dec 08 '18 at 17:08

0 Answers