WCF hosting gotcha: AddressAccessDeniedException

I hit this problem as soon as I tried writing a self-hosting service using HTTP transport. Due to User Account Control (UAC) security in Vista and Windows 7, if a host application is not running under an elevated account and is trying to host a WCF service with HTTP bindings, it will throw an AddressAccessDeniedException.

This is because listening at a particular HTTP address is reserved for accounts with administrator permissions, and by default applications on Vista and Windows 7 run with standard user permissions for improved security. To solve this problem, the built-in Administrator account (which owns the entire HTTP namespace) must reserve a portion of the namespace for a specified user account. This can be done using the netsh command.

Run cmd.exe as Administrator (otherwise the command will fail) and type the following, replacing <port>, <DOMAIN> and <user> with the required values. The + is a wildcard for any URL, but you must give an explicit port number in the range 1024-65535 to avoid conflicts with reserved values.

netsh http add urlacl url=http://+:<port>/ user=<DOMAIN>\<user>

An application running under the specified user account will now be able to listen for HTTP traffic on that port. Obviously this issue doesn’t apply to services which only expose endpoints with TCP bindings, or to services running on Windows XP.
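The reservation step above as an idempotent script, added here as an example that is not part of the original post. It goes one step beyond the post by reserving only the service's path rather than the whole port, and by refusing to overwrite a reservation held by another account. The URL prefix and account name are assumed placeholders.

```powershell
# Added example. $Url and $User are assumed placeholder values, not from the post.
param(
    [string]$Url  = 'http://+:8080/MyService/',  # reserve the service path, not the whole port
    [string]$User = 'CONTOSO\svc-wcfhost'        # the non-admin account that runs the WCF host
)

# netsh can only change URL reservations from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Is there already a reservation on exactly this prefix?
# Matching on the URL and account name (not on labels) keeps this locale-independent.
$existing = netsh http show urlacl url=$Url | Out-String
if ($existing -match [regex]::Escape($Url)) {
    if ($existing -match [regex]::Escape($User)) {
        Write-Host "Reservation for $Url already grants $User; nothing to do."
        return
    }
    # Another account holds the prefix: show it instead of silently replacing it.
    Write-Warning "A reservation for $Url exists for a different account:"
    Write-Host $existing
    throw "Review it, then remove it with: netsh http delete urlacl url=$Url"
}

# Create the reservation for the one account that needs it.
netsh http add urlacl url=$Url user=$User
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add urlacl failed with exit code $LASTEXITCODE"
}

# Confirm what was actually stored (account, Listen/Delegate flags, SDDL).
$check = netsh http show urlacl url=$Url | Out-String
if ($check -notmatch [regex]::Escape($User)) {
    throw "Reservation for $Url was not created as expected."
}
Write-Host $check
```

When the service is retired, remove the reservation with netsh http delete urlacl url=<the same prefix> so the address does not stay open to that account.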


About Phil Munro

I have been developing commercial desktop and distributed web applications with Microsoft technologies since 1997.
This entry was posted in C#, UAC, WCF, Windows 7.
