Service sids
Hi,
What are Service SIDs? Why do we need or what is the use of Service SIDs? Are they a replacement for domain groups or service accounts?
How does SQL Server make use of these SIDs? What kind of benefits do we get if we choose service SIDs?
Thanks in advance.
Hi Samantha v,
About the first question: What are Service SIDs? Why do we need or what is the use of Service SIDs? Are they replacement for domain groups or service accounts?
Service SIDs are a feature of service isolation, a security feature introduced in Windows Vista and Windows Server 2008. Any service with the "unrestricted" SID-type property will have a service-specific SID added to the access token of the service host process.
The purpose of Service SIDs is to allow permissions for a single service to be managed without necessitating the creation of service accounts, an administrative overhead.
A Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal.
About the second question: How does SQL Server make use these SIDs? What kind of benefits do we get if we choose service SIDs?
SQL Server uses a service SID to provide service isolation. Service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources. For information about how SQL Server uses a service SID to provide service isolation, please refer to the following article:
https://support2.microsoft.com/kb/2620201?wa=wsignin1.0
If you have any questions, please feel free to let me know.
Regards,
Donghui Li
Similar Messages
-
Per-service SID's are not being granted correct permissions
Hi,
I had posted this here :
https://connect.microsoft.com/SQLServer/feedback/details/770984/per-service-sid-s-are-not-being-granted-correct-permissions, but no response as yet.
When installing SQL 2012 (on a VMWare VM), based on the following article :
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110), I have noticed that the SQL per service SIDs are not being granted the correct permissions. From the initial install, the following is what was observed (the red x's being permissions that
should have been granted but were not).
When re-installing and changing from specifying a domain account, to the default values, during set-up, the 4 service SIDs that were not added to 'Log on as a Service' initially were then correctly granted permission, but the other 4 in 'Bypass traverse
checking', 'Adjust Memory Quotas for a process' and 'Impersonate a Client after authentication' were still not added.
When running a repair on this install, 'NT Service\MSSQLFDLauncher' was then granted the correct permissions, but 'NT SERVICE\MsDtsServer110' was still missing 'Bypass traverse checking' and 'Impersonate a Client after authentication'.
This also resulted in the installation of Reporting Services - Native failing in the original installation with 'Attempted to perform an unauthorized operation'.
If anyone has recently installed SQL 2012, can you check (via gpedit.msc) that the correct 'User Right Assignment' was granted to the per Service SIDs as per
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110) ?
Have you resolved this yet? Group policy for the OU with my desktop removes all SQL per-service rights. If group policy is your issue, I'd be interested in how some are retained.
Randy in Marin -
Service SID and setup account for DB engine service
SQL supports service isolation of access control through granting permissions to the service SID. However, we can also give the privileges to the service account. Which one of the service SID and service account has higher priority? If we give conflicting permissions to the service SID and the service account, which one will work?
Hi smileahpu,
In short, for account rights/privileges, there are two general types: Allow and Deny. The "Allow" rights/privileges are combined, and the "Deny" rights/privileges are excluded. The DENY (SE_DENY) rights override the corresponding account rights. In this case, if either the service account or the service SID is denied a right, the service is denied that right.
To be more detailed, we need to go through the following topics:
How does system validate a process's privileges while accessing securable objects
How does per-service SID work while accessing securable objects
How does Access Control work
How a process accesses securable objects:
The system uses an access token to identify the user when a thread (or a process) interacts with a securable object or tries to perform a system task that requires privileges.
An access token is an object that describes the security context of a process or thread.
An access token contains a lot of information. Two items are:
•The security identifier (SID) for the user's account
•A list of the privileges held by either the user or the user's groups
Please review the following article for more information:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374909(v=vs.85).aspx
How does per-service SID work while accessing securable objects
For a service without per-Service SID enabled, we can imagine the security context is just from the user (service account). With per-Service SID enabled, we can make a security context that is not just a user, but a user AND a particular process.
Actually, the per-Service SID's SID and privilege are included in the access token directly.
By checking with WinDbg, we can see the service SID was included.
0:072> !token
Thread is not impersonating. Using process token...
TS Session ID: 0
User: S-1-5-21-3485830563-343820118-176642512-1008
User Groups:
00 S-1-5-21-3485830563-343820118-176642512-513
Attributes - Mandatory Default Enabled
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-21-3485830563-343820118-176642512-1009
Attributes - Mandatory Default Enabled
03 S-1-5-32-545
Attributes - Mandatory Default Enabled
04 S-1-5-6
Attributes - Mandatory Default Enabled
05 S-1-2-1
Attributes - Mandatory Default Enabled
06 S-1-5-11
Attributes - Mandatory Default Enabled
07 S-1-5-15
Attributes - Mandatory Default Enabled
08 S-1-5-113
Attributes - Mandatory Default Enabled
09 S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 <-- service SID
Attributes - Default Enabled Owner
10 S-1-5-5-0-274023807
Attributes - Mandatory Default Enabled Owner LogonId
11 S-1-2-0
Attributes - Mandatory Default Enabled
12 S-1-5-64-10
Attributes - Mandatory Default Enabled
13 S-1-16-12288
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-3485830563-343820118-176642512-513
Privs:
00 0x000000003 SeAssignPrimaryTokenPrivilege Attributes -
01 0x000000005 SeIncreaseQuotaPrivilege Attributes -
02 0x000000013 SeShutdownPrivilege Attributes -
03 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
04 0x000000019 SeUndockPrivilege Attributes -
05 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
06 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
07 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
08 0x000000022 SeTimeZonePrivilege Attributes -
Auth ID: 0:105545a6
Impersonation Level: Anonymous
TokenType: Primary
Is restricted token: no.
SandBoxInert: 0
Elevation Type: 1 (Default)
Mandatory Policy: TOKEN_MANDATORY_POLICY_VALID_MASK
Integrity Level: S-1-16-12288
Process Trust Level: (null)
Token Virtualized: Disabled
UIAccess: 0
IsAppContainer: 0
Device Groups:
How does Access Control work
Please check from the following article for more information:
http://technet.microsoft.com/en-us/library/cc740104(v=ws.10).aspx
In addition, the following articles are helpful for understanding the concepts discussed in this reply:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
http://blogs.technet.com/b/voy/archive/2007/03/22/per-service-sid.aspx
Thanks,
Jinchun Chen -
Hi,
According to the lessons in my book, I inserted a service-side file in
my HTML-code.
It seems to work fine in the Design Mode and in the Live-View.
But when starting a browser, no matter which one, the service side
file is not visible.
What can be the problem?
Thanks in advance.
PR.
Sorry, you're right, I'm talking about server-side. And I think I found the answer as well, in my book ("classroom in a book").
At the end of the chapter it says: "You won't be able to see the SSI in a browser without a testing server as long as it's stored
only on your local hard drive."
And I'm not using a test-server yet.
Thanks for your attention anyway! -
Hi, I'm a DBA installing SQL Server 2012. SQL Server setup is creating service SIDs (e.g., NT SERVICE\MSSQLSERVER, NT SERVICE\MsDtsServer110, etc.) and granting them rights (e.g., SeServiceLogonRight,
SeAssignPrimaryTokenPrivilege, etc.).
Our GPO is removing rights from the service SIDs created by SQL setup. We have been unable to add a service SID to GPO. I think there is an error that the account does not exist.
We can add just the name (e.g., MSSQLSERVER, MsDtsServer110, etc.), but this does not seem to work as rights on the service SID are still removed.
We did add NT SERVICE\ALL SERVICES (no error) and grant it SeServiceLogonRight. I think this covers all service SIDs. This appears to be working; however, I’m reluctant to grant
some of the other rights to all services using service SIDs.
Are only “well known” service SID values valid in GPO? Is there any way to add a service SID such as "NT SERVICE\MsDtsServer110" into GPO? Is there a best practice for
handling service SIDs and group policy?
Thanks.
Randy in Marin
It's a service SID and local by nature.
http://support.microsoft.com/kb/2620201
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110).aspx
Below is from the "Virtual Accounts" item in the above link.
Virtual accounts in Windows Server 2008 R2 and Windows 7 are
managed local accounts that provide the following features to simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment. If the default value is
used for the service accounts during SQL Server setup on Windows Server 2008 R2 or Windows 7, a virtual account using the instance name as the service name is used, in the format
NT SERVICE\<SERVICENAME>. Services that run as virtual accounts access network resources by using the credentials of the computer account in the format
<domain_name>\<computer_name>$. When specifying a virtual account to start SQL Server, leave the password blank. If the virtual account fails
to register the Service Principal Name (SPN), register the SPN manually. For more information on registering a SPN manually, see
Register a Service Principal Name for Kerberos Connections.
Virtual accounts cannot be used for SQL Server Failover Cluster Instance, because the virtual account would not have the same SID on each node of the cluster.
Randy in Marin -
Hello,
I've recently installed SQL Server 2008 and when I look at the groups created, the Windows Domain accounts I specified for each service do not appear. Instead the service SID has been placed into that group, however when I run cmd>>sc showsid [servicename]
the SIDs do not match.
How can I confirm the SID of the SQL services?
Thanks in advance.
Hi Vijay, thank you for your response,
The server build is Windows 2008 R2 with SQL Server 2008 installed.
I can see that in the groups (under computer management) created by SQL Server the service for the database engine is NT SERVICE\MSSQLSERVER with a SID. What I am trying to work out is, compared to SQL Server 2005, where the account for the service was dropped
into the corresponding group, a service SID is now in the group.
However when I use the cmd>>sc showsid [MSSQLSERVER] the SID displayed does not match the SID assigned to the NT SERVICE\MSSQLSERVER account in the group.
I'm pretty sure I am missing something, I would just like to understand how the correct permissions are assigned to the SQL Server services,
Regards,
Andrew -
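Added example, not part of any post above: the thread just above asks how to confirm a service's SID, and the earlier `!token` dump shows an `S-1-5-80-...` group entry. This sketch derives a per-service SID from the service name (SHA-1 of the upper-cased UTF-16LE name, read as five little-endian 32-bit sub-authorities) and uses it to attribute the `S-1-5-80` entries in a token dump; the function names and the candidate service list are assumptions chosen for illustration.

```python
import hashlib
import re
import struct
from typing import Dict, Iterable, List, Optional

# S-1-5-80 is the NT SERVICE prefix seen on the service SID in the token dump.
SERVICE_SID_PREFIX = "S-1-5-80"
ALL_SERVICES_SID = "S-1-5-80-0"  # NT SERVICE\ALL SERVICES

_SERVICE_SID_RE = re.compile(r"\bS-1-5-80(?:-\d+)+\b")


def service_sid(service_name: str) -> str:
    """Derive the per-service SID for a service name (case-insensitive)."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)  # 20 bytes -> 5 DWORDs
    return "-".join([SERVICE_SID_PREFIX] + [str(v) for v in sub_authorities])


def service_sids_in_dump(token_dump: str) -> List[str]:
    """Return the distinct S-1-5-80-* SIDs found in debugger token output."""
    seen: List[str] = []
    for sid in _SERVICE_SID_RE.findall(token_dump):
        if sid not in seen:
            seen.append(sid)
    return seen


def attribute_service_sids(
    token_dump: str, candidate_names: Iterable[str]
) -> Dict[str, Optional[str]]:
    """Map each service SID in the dump to a candidate service, or None."""
    known = {service_sid(n): "NT SERVICE\\" + n for n in candidate_names}
    known[ALL_SERVICES_SID] = "NT SERVICE\\ALL SERVICES"
    return {sid: known.get(sid) for sid in service_sids_in_dump(token_dump)}


# Excerpt of the !token output quoted earlier on this page (three entries kept).
SAMPLE_DUMP = """\
User: S-1-5-21-3485830563-343820118-176642512-1008
 09 S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
    Attributes - Default Enabled Owner
 10 S-1-5-5-0-274023807
    Attributes - Mandatory Default Enabled Owner LogonId
"""

# Service names mentioned in the threads on this page (assumed candidates).
CANDIDATE_SERVICES = ["MSSQLSERVER", "MSSQLFDLauncher", "MsDtsServer110"]

if __name__ == "__main__":
    for sid, owner in attribute_service_sids(SAMPLE_DUMP, CANDIDATE_SERVICES).items():
        print(sid, "->", owner or "unknown service")
```

On the host itself, `sc showsid MSSQLSERVER` reports the SID for the same service name, so the two values can be compared directly.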
LISTENER: Service/SID Aliases
Hi,
I have this db instance that answers correctly to DEVDB from a service DEVDB.
Now, I would like to have it accept connections to TESTDB as well.
I know it is possible to use some sort of aliases but I'm not sure how to set up the .ora files.
Here are the files:
# listener.ora Network Configuration File: /usr/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /usr/app/oracle/product/10.2.0/db_1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = DEVDB.DEV)
      (ORACLE_HOME = /usr/app/oracle/product/10.2.0/db_1)
      (SID_NAME = DEVDB)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = DEVDB.DEV)
      (ORACLE_HOME = /usr/app/oracle/product/10.2.0/db_1)
      (SID_NAME = TESTDB)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    )
  )
~
# sqlnet.ora Network Configuration File: /usr/app/oracle/product/10.2.0/db_1/network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
NAMES.DEFAULT_DOMAIN = DEV
~
# tnsnames.ora Network Configuration File: /usr/app/oracle/product/10.2.0/db_1/network/admin/tnsnames.ora
# Generated by Oracle configuration tools.
#DEV =
#  (DESCRIPTION =
#    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
#    (CONNECT_DATA =
#      (SERVER = DEDICATED)
#      (SERVICE_NAME = dev)
#    )
#  )
DEVDB.DEV =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = DEVDB)
    )
  )
DEVDB.DEV =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = TESTDB)
    )
  )
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )
~
each name must be in single quotes and the list is separated by commas.
Not necessarily :
SQL> sho parameter service
NAME TYPE VALUE
service_names string
SQL> alter system set service_names='devdb, testdb';
System altered.
SQL> sho parameter service
NAME TYPE VALUE
service_names string devdb, testdb
SQL> alter system set service_names='devdb','testdb';
System altered.
SQL> sho parameter service
NAME TYPE VALUE
service_names string devdb, testdb
SQL>
How can I make this alias work so I can connect to the short name;
testdb and it will connect by default to the dev domain but if I specify testdb.prod it will go to the production database??
Not sure to understand... you'd want to simultaneously use two different domains for the same database ? -
Handling error on service side
We have a WCF service implemented in our project and it contains very complicated error handling. Pretty much all methods start with a try\catch block which catches the generic exception. Mean catch all. We would like to rework this service and I was trying to find some information about error handling for WCF services. However, the information which I found is very confusing. Let's say that we have the following OperationContract implementation :
public IEnumerable<string> GetInstanceUids(string seriesInstanceUid)
{
    // Reject a missing series UID before querying the data provider
    if (string.IsNullOrEmpty(seriesInstanceUid))
        throw new ArgumentException("Given serieInstanceUid can't be null or empty string;");
    return myIsaDataProvider.QueryDicomInstances(seriesInstanceUid).ToList();
}
Now what I found on internet is following statement (or similar). In instances where an unhandled non-FaultException is thrown, one of the following may happen based on the instance management settings of your service. For sessionful services: The session
is terminated, the service instance is disposed and the channel will be in the faulted state, thus the proxy cannot be reused.
This doesn't make much sense to me as, based on MSDN, all such exceptions are automatically converted to FaultException. So in which case can a code call lead to a non-FaultException exception type ? Also from my synthetic test (debug environment) I can call that method many times with a null argument and the service is still in an operational state (it will not refuse to make additional calls). On the client side I'm just handling FaultException which will log the message.
So the main question is: is code as in our contract going to fault the service as such so no further calls will be possible on the service instance ? Which means that all our service methods need to be wrapped in try\catch blocks and swallow all exceptions. Which is not optimal for performance reasons.
Thanks for your response, but I don't see how your reply can be marked as answer if it's not answering the original question ! Question was if service will be in faulty state.
It wouldn't be in a faulted state if you had learned how to develop a WCF service properly, which would have involved request/response objects and catching the exception properly and returned the response object. Something is causing the service
to crash, and you don't know what it is.
https://msdn.microsoft.com/en-us/library/ff699490.aspx
If you have ever seen or used the Web Service factory that builds the WCF Web service and uses Request/Response objects, you would appreciate the Request/Response objects in play. And there wouldn't have been some kind of generic exceptions where WCF
swallowed the real exception and tossed you back the catch 22 exceptions. It should have never made it to a fault exception. -
I constantly receive the alert <SID>XBD is down. We are not using XDB nor DISPATCHERS, or multi-threaded servers.
At database creation time, from dbca, the parameter DISPATCHERS had a value. Afterwards we created a pfile and removed this parameter and restarted the database. It is now NULL.
I have gone to All Metrics and taken the 'Down' out of server status and the alert went away. (I use this technique with Grid sometimes when it's not catching up to an alert that should be cleared.)
When I put the 'down' back in to this metric, the alert immediately shows up.
Somewhere Grid is thinking it should be looking for an XDB service and is alerting, but as far as the database is concerned, XDB is not configured.
Does anyone have an idea on where this could be lurking?
If I am correct you can edit Key Values for this Metric.
So go to the Database Home Page, select Metric and Policy Settings
Select the Metric "Service Status", press Edit
and add a row for the specific Service and leave both Warning and Critical Threshold empty.
This will automatically introduce a row saying "Others". If you leave the Warning and Critical threshold at its default value you will end up in the situation where you won't receive an alert for rptwdXDB but you will receive an alert for all others (if they go down)
Regards
Rob
For more information on using OEM GC, you might want to check http://oemgc.wordpress.com -
SAP Service named SAP SID _ Instance Number is missing in services.msc
Hi,
SAP Service named SAP<SID>_<Instance Number> is missing in services.msc
Example :
SID = DM0
Instance Number = 01
SAP Service Name = SAPDM0_01
Please help me to resolve the issue.
Thanks in Advance.
Warm Regards,
Sathya
SAPSTARTSRV.EXE
Values :
Operation Selected is "Install Service + Register COM Interface + Start Service"
SID = DM0
NR = 00 or 01
Startprofile = D:\usr\sap\DM0\SYS\profile\START_DVEBMGS01_sapserver
User = DOMAIN\SAPService<SID>
Password = ....
Now the SAP Service, SAP<SID>_<Instance Number> is created in services.msc.
Thanks www.sdn.sap.com
Edited by: Sathya Kala Veeraraj on May 6, 2010 12:12 AM -
Problems invoking a method from a web service
I am using NetBeans 6.1 and my problem occurs when I invoke a method from a web service that has a custom class as a return type.
When I debug the client that consumes my web service, it gets stuck on this line:
com.webservice.WebServiceInfoBean result = port.getWebServiceInfo(nameSpace, serviceName, portName, wsdlURL);
I don't get any error on the console.
static public void function1() {
    try { // Call Web Service Operation
        com.webservice.WebServiceMonitorService service = new com.webservice.WebServiceMonitorService();
        com.webservice.WebServiceMonitor port = service.getWebServiceMonitorPort();
        // TODO initialize WS operation arguments here
        java.lang.String nameSpace = "NameSpaceHere";
        java.lang.String serviceName = "WebServicePrueba";
        java.lang.String portName = "Soap";
        java.lang.String wsdlURL = "http://localhost/Prueba/WebServicePrueba.asmx?wsdl";
        // TODO process result here
        com.webservice.WebServiceInfoBean result = port.getWebServiceInfo(nameSpace, serviceName, portName, wsdlURL); // <--- here it gets stuck
        System.out.println("getWebServiceInfo");
        Iterator i = result.getMethods().iterator();
        while (i.hasNext()) {
            MethodBean method = (MethodBean) i.next();
            System.out.print("Nombre: " + method.getname());
            System.out.print(" Returns: " + method.getreturnType());
            Iterator j = method.getparameters().iterator();
            while (j.hasNext()) {
                ParameterBean parameter = (ParameterBean) j.next();
                System.out.print(" ParameterName: " + parameter.getname());
                System.out.print(" ParameterType: " + parameter.gettype());
            }
            System.out.print("\n");
            System.out.print(method.getfirma());
            System.out.print("\n");
            System.out.print("\n");
        }
    } catch (Exception ex) {
        ex.printStackTrace();
    }
}
Web Service side
/**
 * Web service operation
 */
@WebMethod(operationName = "getWebServiceInfo")
public WebServiceInfoBean getWebServiceInfo(@WebParam(name = "nameSpace")
String nameSpace, @WebParam(name = "portName")
String portName, @WebParam(name = "serviceName")
String serviceName, @WebParam(name = "wsdlURL")
String wsdlURL) throws Throwable {
    //TODO write your implementation code here:
    webservicemonitor instance = new webservicemonitor();
    return instance.getWebServiceInfo(nameSpace, serviceName, portName, wsdlURL);
}
I have tested my internal code from the web service side and everything works fine. The problem occurs when I invoke it from the client side. Probably I did not make the right serialization for my class WebServiceInfoBean? Or am I missing something? Here it is:
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package com.beans;
import java.util.ArrayList;
/**
 * @author Tequila_Burp
 */
public class WebServiceInfoBean implements java.io.Serializable {
    /** Holds value of property wsdlURL. */
    private String wsdlURL;
    /**
     * Getter for property wsdlURL.
     * @return Value of property wsdlURL.
     */
    public String getwsdlURL() {
        return this.wsdlURL;
    }
    /**
     * Setter for property wsdlURL.
     * @param wsdlURL New value of property wsdlURL.
     */
    public void setwsdlURL(String wsdlURL) {
        this.wsdlURL = wsdlURL;
    }
    /** Holds value of property namespace. */
    private String namespace;
    /**
     * Getter for property namespace.
     * @return Value of property namespace.
     */
    public String getnamespace() {
        return this.namespace;
    }
    /**
     * Setter for property namespace.
     * @param namespace New value of property namespace.
     */
    public void setnamespace(String namespace) {
        this.namespace = namespace;
    }
    /** Holds value of property serviceName. */
    private String serviceName;
    /**
     * Getter for property serviceName.
     * @return Value of property serviceName.
     */
    public String getserviceName() {
        return this.serviceName;
    }
    /**
     * Setter for property serviceName.
     * @param serviceName New value of property serviceName.
     */
    public void setserviceName(String serviceName) {
        this.serviceName = serviceName;
    }
    /** Holds value of property wsdlURL. */
    private String portName;
    /**
     * Getter for property wsdlURL.
     * @return Value of property wsdlURL.
     */
    public String getportName() {
        return this.portName;
    }
    /**
     * Setter for property wsdlURL.
     * @param wsdlURL New value of property wsdlURL.
     */
    public void setportName(String portName) {
        this.portName = portName;
    }
    /** Holds value of property methods. */
    private ArrayList methods = new ArrayList();
    /**
     * Getter for property methods.
     * @return Value of property methods.
     */
    public ArrayList getmethods() {
        return this.methods;
    }
    /**
     * Setter for property methods.
     * @param methods New value of property methods.
     */
    public void setmethods(ArrayList methods) {
        this.methods = methods;
    }
    public MethodBean getMethod(int i) {
        return (MethodBean)methods.get(i);
    }
}
By the way, everything has been worked on the same PC.
Hi Paul,
This sounds familiar, but I cannot at the moment locate a reference to
the issue. I would encourage you to seek the help of our super support
team [1].
Regards,
Bruce
[1]
http://support.bea.com
[email protected]
Paul Merrigan wrote:
>
I'm trying to invoke a secure 8.1 web service from a 6.1 client application and keep getting rejected with the following message:
Security Violation: User: '<anonymous>' has insufficient permission to access EJB:
In the 6.1 client, I've established a WebServiceProxy and set the userName and password to the proper values, but I can't seem to get past the security.
Is there something special I need to do on either the 8.1 securing side or on the 6.1 accessing side to make this work?
Any help would be GREATLY appreciated. -
How to create a service for TAF without LB?
Hi,all:
env: 11.2.0.1 RAC (2 nodes of test6/test7 ,corresponding instance: testrac1/testrac2),db :testrac
I want to create a service to use Service-side TAF ,and also need let some app use rac1 only ,while other app use rac2 only. So I issue the following command:
testrac1: srvctl add service -d testrac -s testsrv -r testrac1 -a testrac2 -P BASIC -y AUTOMATIC -j LONG -e SELECT -m BASIC -z 5 -w 30
srvctl start service -d testrac -s testsrv
create user cxall to test:
create user cxall identified by cxall ;
grant resource,create session,select any dictionary to cxall;
and I add entry in tns:
testrac_11g_staf =
  (DESCRIPTION=
    (ADDRESS = (PROTOCOL = TCP)(HOST = test6-vip)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = test7-vip)(PORT = 1521))
    (CONNECT_DATA=(SERVICE_NAME=testsrv))
  )
on client:
sqlplus cxall/cxall@testrac_11g_staf
select host_name from v$instance;
HOST_NAME
test6
and then I shutdown testrac1 to simulate testrac1 is off service:
srvctl stop instance -d testrac -i testrac1
and then re-execute the above command:
select host_name from v$instance;
It return error.report ORA-03113.
Can not fail over to testrac2!
why ?
$>srvctl status service -d testrac -s testsrv
Service testsrv is running on instance(s) testrac1
$>srvctl config service -d testrac -s testsrv
Service name: testsrv
Service is enabled
Server pool: testrac_testsrv
Cardinality: 1
Disconnect: false
Service role: PRIMARY
Management policy: AUTOMATIC
DTP transaction: false
AQ HA notifications: false
Failover type: SELECT
Failover method: BASIC
TAF failover retries: 5
TAF failover delay: 30
Connection Load Balancing Goal: LONG
Runtime Load Balancing Goal: NONE
TAF policy specification: BASIC
Preferred instances: testrac1
Available instances: testrac2
if I stop instance testrac1,
srvctl stop instance -d testrac -i testrac1
$>srvctl status service -d testrac -s testsrv
Service testsrv is not running.
the testsrv service cannot start on instance testrac2 auto,so the client connection will return ORA-12514 due to the testsrv is not running.
I have a doubt why Available instances doesn't effect!
If I use the following :
srvctl add service -d testrac -s testsrv -r testrac1,testrac2 -P BASIC -y AUTOMATIC -j LONG -e SELECT -m BASIC -z 5 -w 30
the TAF will work well.But that may let some connection use testrac2 instance.
So I have such idea:
1.create service
srvctl add service -d testrac -s testsrv -r testrac1,testrac2 -P BASIC -y AUTOMATIC -j LONG -e SELECT -m BASIC -z 5 -w 30
2.
srvctl start service -d testrac -s testsrv
3.
client tns:
testrac_11g_staf =
(DESCRIPTION=
(load_balance=off)
(ADDRESS = (PROTOCOL = TCP)(HOST = test6-vip)(PORT = 1521)) ---I need app only use test6,but also need TAF
(ADDRESS = (PROTOCOL = TCP)(HOST = test7-vip)(PORT = 1521))
(CONNECT_DATA=(SERVICE_NAME=testsrv))
4.
some test script:
in test6:
I make a huge file copy to make the test6 high load.
cat a.sh
count=0
while [ $count -lt 3 ] ;
do
count=`expr $count + 1`
cp *.zip aa
rm -rf aa/*.zip
done
nohup sh a.sh &
test.sh ---a loop shell to test which instance it connect
count=0
while [ $count -lt $1 ] ;
do
count=`expr $count + 1`
sqlplus -s cxall/cxall@testrac_11g_staf<test.sql
done
test.sql
col host_name format a30
select host_name from v$instance;
5.
perform the test:
test6:
sh test6.sh 10000 --- the output is test6
sh a.sh ---make the test6 high load,the tes6.sh output is still "test6"
srvctl stop instance -d testrac -i testrac1 -o abort ---stop testrac1 of test6
---the test6.sh output become to "test7" ,TAF is affect.
srvctl start instance -d testrac -i testrac1 ---restart instance testrac1 of test6 again
---the test6.sh output revert to "test6"
the test indicate the TAF and non-LB all work well. -
WCF service connection forcibly closed by the remote host for large data
Hello ,
A WCF service is used to generate an Excel report. When the stored procedure returns large data, around 30,000 records, the service fails to return the data. Below is the mentioned error log :
System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP
response to <service url> This could be due to the service
endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by
the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException:
The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException:
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
--- End of inner exception stack trace ---
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout).
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at IDataSetService.GetMastersData(Int32 tableID, String userID, String action, Int32 maxRecordLimit, Auditor& audit, DataSet& resultSet, Object[] FieldValues)
at SPARC.UI.Web.Entities.Reports.Framework.Presenters.MasterPresenter.GetDataSet(Int32 masterID, Object[] procParams, Auditor& audit, Int32 maxRecordLimit).
WEB CONFIG SETTINGS OF SERVICE
<httpRuntime maxRequestLength="2147483647" executionTimeout="360"/>
<binding name="BasicHttpBinding_Common" closeTimeout="10:00:00" openTimeout="10:00:00"
receiveTimeout="10:00:00" sendTimeout="10:00:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="2147483647" maxBufferPoolSize="0" maxReceivedMessageSize="2147483647"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="2147483647"
maxStringContentLength="2147483647" maxArrayLength="2147483647"
maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="None">
</security>
</binding>
WEB CONFIG SETTINGS OF CLIENT
<httpRuntime maxRequestLength="2147483647" requestValidationMode="2.0"/>
<binding name="BasicHttpBinding_Common"
closeTimeout="10:00:00" openTimeout="10:00:00"
receiveTimeout="10:00:00" sendTimeout="10:00:00"
allowCookies="false" bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard" maxBufferSize="2147483647"
maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647"
messageEncoding="Text" textEncoding="utf-8"
transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas
maxDepth="2147483647"
maxStringContentLength="2147483647"
maxArrayLength="2147483647"
maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
Doing binding configuration on a WCF service to override the default settings is not done the same way it would be done on the client-side config file.
A custom binding must be used on the WCF service-side config to override the default binding settings on the WCF service-side.
http://robbincremers.me/2012/01/01/wcf-custom-binding-by-configuration-and-by-binding-standardbindingelement-and-standardbindingcollectionelement/
The readerQuotas and everything else must be given in the Custom Bindings to override any default settings on the WCF service side.
Also, you are posting to the wrong forum.
http://social.msdn.microsoft.com/Forums/vstudio/en-us/home?forum=wcf -
LV2012 Web Services w/ NI Auth login not working w/ static files in Firefox 19
Hi!
I followed this procedure to password protect my web service and the static files.
http://digital.ni.com/public.nsf/allkb/DF41D5DA8EEB4840862577D90058C208
When testing it out with my web service it seems to work fine on any web browser. http://localhost:8080/add/add/1/2 first will present a login. Once the user is logged in the page refreshes and the results of the operation are shown. http://localhost:8080/logout works as well.
I followed the procedure in the FAQ to include an index.html file.
http://www.ni.com/white-paper/7747/en#toc15
When I try to access the page (via http://localhost:8080/add/web/index.html) I'm greeted with the National Instruments login screen. I enter my credentials and in Chrome and Internet Explorer the screen refreshes and I see my html file. In Firefox it hangs for a while on the authentication screen and then reloads back to the authentication screen (as if the username and password did not take).
Attached are my files. If you want to try and recreate this please follow this procedure:
* Unzip the attached project to a folder
* Open the project in LabVIEW 2012
* Check the properties of the web service to ensure that the build paths are correct
* Follow the procedure above for setting up NI Auth on your web service and adding the "testpermission2" permission. Be sure to remove "Everyone" from that "testpermission2" or you will never see a login prompt.
* Build/Deploy the web service
* open http://localhost:8080/logout to ensure that you are not currently authenticated
* open http://localhost:8080/add/add/1/2 and login, observe behavior
* open http://localhost:8080/add/web/index.html you should still be logged in so you will see the "Hello World!" just fine
* open http://localhost:8080/logout to log back out
* open http://localhost:8080/add/web/index.html and see if you are able to login.
I've tried disabling my plugins in Firefox and still have this problem. I'm really scratching my head on how to overcome this other than throwing away NI Auth and using something else. My web service is going to run off of a static front end driven by javascript and html. So the access point will be the html file. I need to have some username and password scheme worked out. I also need to be able to see what user is currently logged in with my Web Service VIs (does anyone know if that is possible with NI Auth)?
The other BIG issue I have with NI Auth is that it requires Silverlight. So much for mobile support, eh? Anyone know of a good plug-and-play alternative so I don't have to reinvent the wheel? I guess I could implement some kind of token system on my web service side.
In the meantime, getting NI Auth to properly work with Firefox would help.
Thanks for your input,
-Nic
Attachments:
Example Web Service.zip 15 KB
Disclaimer: I in no way mean to bash NI and I have used NI Auth myself in the past
If you are going to go to the trouble of abstracting NI Auth, I would recommend instead investing your time in your own authentication scheme (or implementing a standard scheme in LV).
NI Auth is great and works for low security applications where you just don't want people fooling around with your application who shouldn't be.
However, NI Auth is really not that secure. If I remember correctly, the username is transmitted in plain text and I don't think the encryption algorithm is that sophisticated. It is nice that it's already integrated into LV, but there really are very few features at this time.
If you want something to be really secure, you need to take measures beyond what NI Auth provides and before you go to the work of building abstraction on top of a basic and somewhat shaky protocol, I'd seriously consider implementing a more stable base.
<insert 2 cents complete>
Chris
Certified LabVIEW Architect
Certified TestStand Architect -
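The token idea raised in the thread above, as an added example that is not part of either post and is not NI or LabVIEW code: a Python sketch of an HMAC-signed session token that the web service issues after checking a password and later verifies to learn which user is logged in. The function names, the 15-minute lifetime and the token layout are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret for the example; a real service loads it from protected storage.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME_S = 900  # assumed 15-minute session lifetime


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None, key=SERVER_KEY):
    """Return 'payload.signature' for a user whose password was already verified."""
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + TOKEN_LIFETIME_S}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def current_user(token, now=None, key=SERVER_KEY):
    """Return the logged-in username, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Verify the signature before parsing; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")
```

The token only proves who logged in; it has to travel over HTTPS, since anyone who captures it on the wire can replay it until it expires.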
Change the flow of the BPEL service based on WSDL operation
Hi,
I have a wsdl which has three types of operations:
1) SOAP
2) HTTP GET
3) HTTP POST
I have a BPEL process in which the flow needs to be decided on the basis of the operation of the incoming message, i.e., if it is a SOAP then I should execute a particular flow; similarly, if it is HTTP GET or POST I need to perform different activity flows respectively.
1) At the BPEL side can I implement this using PICK activity with different branches for different operations in Receive activity ?? If not, Please let me know any other alternative ...
2) Since I have three different types of Protocols of operations (SOAP, HTTP GET, HTTP POST), how do I give input to BPEL through the same partnerlink ?? Should I use three partner links to invoke a bpel process (at Exposed Services side) to receive input from (two HTTP Adapters for GET, POST and one for SOAP operation) ?
Thanks
Edited by: bpeltechie on Jul 2, 2012 4:01 PM
Hi,
Can you make one thing clear please - Your bpel process by definition has 3 operations to start with, or you want to call a WS with 3 operations?
See more information on using SOAP header here: http://docs.oracle.com/cd/E23943_01/dev.1111/e10224/bp_manipdoc.htm#CIHFCBAD
If you need to call a WS with 3 operations, you have to use an invoke activity(x3). Meaning, you can:
1. Separate your process into 3, according to the needed operation. Each process will execute one operation.
2. Use some logic and call the same partner link 3 times(3 invokes), each time with a different operation.
A pick activity will help you when you want to receive one message or more, and/or you want to have time limitation on the receive.
For understanding the pick activity - in your example, let's say the WS you are calling is a bpel process. Then, it will start with a pick activity, and according to the operation, it will execute the right flow.
Arik