Highlighted
Absent Member.
Absent Member.
1506 views

[archive] Running AcuLauch service as a user

[Migrated content. Thread originally posted on 09 January 2004]

Is it possible to run AcuLauch (the thin client server) as a specific user instead of the System Account? I've tried doing it, even as Administrator, and I cannot get it to work.

Here's my problem. I need the clients to be able to run a program through AcuLaunch without typing a password and I don't want to set up each client/user in the AcuAccess file.

This is not a problem - I can get this to work (with the AcuLauch service running in the System Account).

However, I need to run a program that needs to access a Microsoft SQL Server database. The SQL Server is on another system and is configured for "Integrated Security" only - which means the client needs to have network credentials. But since the runtime started by AcuLauch is running as "SYSTEM", which has no network credentials, the program cannot access the database when run through AcuLaunch.

Running AcuLaunch as a specific user would solve this - or are there any other suggestions? (The configuration of SQL Server cannot be changed to allow "SQL Server" security also because of security concerns.)
0 Likes
8 Replies
Highlighted
Absent Member.
Absent Member.

RE: [archive] Running AcuLauch service as a user

You can do this, but you cannot do this from the command line, nor the configuration interface.

You have to go to the control panel, services management, find the Aculaunch service there (assuming it is installed), then rightclick and select properties from the pop up menu. You will now get a window in which among other things you can also decide in which security context AcuLaunch should run (e.g. user).
0 Likes
Highlighted
Absent Member.
Absent Member.

RE: [archive] Running AcuLauch service as a user

I know how to change the login user on the service (I've written several services myself), but when I do that on the AcuRCL service, I can no longer start any thin clients. I set the service back to use the System Account, and then I can start the clients.

I'll get the logs and post them.
0 Likes
Highlighted
Absent Member.
Absent Member.

RE: [archive] Running AcuLauch service as a user

If you are inhibited from launching client processes, it seems as if the user context you run AcuLaunch in does not have sufficient privileges. What privileges does your alternate user have on the AcuLaunch server? (e.g. which user group?)
0 Likes
Highlighted
Absent Member.
Absent Member.

RE: [archive] Running AcuLauch service as a user

I used the Administrator login to run the AcuLaunch service.

There are some privileges that even Administrator does not have in Windows (that the System Account does have) so I was asking whether or not it should be able to work as a non-System Account. (Because it does not for me.)

I should have some time today to get more details.
0 Likes
Highlighted
Absent Member.
Absent Member.

RE: [archive] Running AcuLauch service as a user

Actually, one thing I said in my previous post is not correct.

The problem is not that I cannot start any thin clients when the AcuLaunch service is running as Administrator.

The problem is that the AcuLaunch service *itself* will not start when I specify another user (other than System Account) in the service setup.

When I specify the user such as domain\Administrator (and enter the correct password), when I start the service, the progress bar gets about half way across and then I get the error:

Could not start the AcuRCL 6.0.0 on the default port (5632) service on the Local Computer

Error 1053: The service did not respond to the start or control request in a timely fashion.

When I look at the Task Manager, acurcl.exe is not running.

If I switch back to the System Account, the service starts.

Is there a way to get trace information from when the service starts? I modified the StartupArguments registry entry to use "-le C:\temp\acurcl.log -t 2", but nothing gets written to acurcl.log. (I've tried it with and without the StartupArguments, so it is not a problem with writing to the acurcl.log file.)
0 Likes
Highlighted
Absent Member.
Absent Member.

RE: [archive] Running AcuLauch service as a user

Interesting, I have no reason to believe this should be. I suggest you report this to Technical support.
0 Likes
Highlighted
Absent Member.
Absent Member.

RE: [archive] Running AcuLauch service as a user

Starting AcuRCL as a particular user is a feature of a future version. See the ecn list for more details, or contact tech support. But if you start AcuRCL as a particular user, you will need to start multiple copies of AcuRCL for each user you want to be able to access SQL Server. This is probably not really what you want.

Starting AcuRCL as the LOCAL SYSTEM account, and using NT-SECURITY of LOGON, does require the user to enter a password. But it has the end result of the runtime that is started to be started in the context of the user who supplied the password. From this point, you should be able to access SQL Server without supplying a username/password, because of the context that the runtime is executing in. This is the purpose of that AcuRCL config variable.

We have not yet discovered a way of using NT-SECURITY in a way that starts a runtime in the context of the appropriate user, but which also does not require a password to be entered. I'm not sure there is such a way - when I use Windows Terminal Services client to log on to a Windows server, I must supply my password. If there was a way to automatically log on, don't you think Microsoft would be able to provide it? (That's a rhetorical question.)
0 Likes
Highlighted
Absent Member.
Absent Member.

RE: [archive] Running AcuLauch service as a user

That is what I want - my goal was to run AcuRCL as a specific user and all users starting thin clients would get a runtime running as that particular user. Right now, that is SYSTEM, but I want it to be some user other than SYSTEM, since SYSTEM does not have access to the SQL Server.

What I would like to do is create a user just for AcuRCL and give it appropriate permissions and have all runtimes through AcuRCL run as that user.

The thin client is being kicked off from a web page on an intranet web server. The user has already been authenticated, so I don't want them to have to enter their password again.

In Windows, you cannot impersonate another user without supplying that user's password, so what you referenced in your last paragraph is not possible. Windows doesn't have a facility like the Unix "setuid" where a privileged process can become another user (without a password). So if you want to vary the user for each client, it's not possible without asking for the password.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.