Localized Service Names and How to get around it
A few days ago I got an email from a client that he was getting the following error when using the installer of an application we had developed for them.
Some or all identity references could not be translated.
I should give you guys some background on what the application installer does. The application being installed depends on SQL Express, so after installing it as a prerequisite the installer proceeds to restore a database from a backup file. To do this the installer needs to give write rights to the SQL Express service account on the folder where the .mdf and .ldf files will be extracted.
Since the SQL Express service runs as NT AUTHORITY\Network Service, that's the account that the rights should be given to. The code that does this looks something like:
```csharp
DirectorySecurity dirSec = Directory.GetAccessControl(dirPath);
// The account is identified by its English display name here.
FileSystemAccessRule fsar = new FileSystemAccessRule(
    @"NT AUTHORITY\Network Service",
    FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None,
    AccessControlType.Allow);
dirSec.AddAccessRule(fsar);
Directory.SetAccessControl(dirPath, dirSec);
```
My first diagnostic was that their machine wasn't connected to their Active Directory and wasn't able to translate the identity to an SID. But as it turns out they didn't even have Active Directory, and when trying to reproduce the error on a test machine I couldn't.
After a couple of hours of googling and cursing I found out what the issue was: the service names were localized!! Why the hell they would do that is beyond me... but anyway, so for example:
NT AUTHORITY\Network Service becomes AUTORITE NT\SERVICE RÉSEAU
Our test machine had an English version of XP on it, while their machines have a French version.
The following table shows the service names used by localized versions of Microsoft Windows.
| Language | Name for Local Service | Name for Network Service | Name for Local System |
|---|---|---|---|
| English, Simplified Chinese, Traditional Chinese, Korean, Japanese | NT AUTHORITY\LOCAL SERVICE | NT AUTHORITY\NETWORK SERVICE | NT AUTHORITY\SYSTEM |
| German | NT-AUTORITÄT\LOKALER DIENST | NT-AUTORITÄT\NETZWERKDIENST | NT-AUTORITÄT\SYSTEM |
| French | AUTORITE NT\SERVICE LOCAL | AUTORITE NT\SERVICE RÉSEAU | AUTORITE NT\SYSTEM |
| Italian | NT AUTHORITY\SERVIZIO LOCALE | NT AUTHORITY\SERVIZIO DI RETE | NT AUTHORITY\SYSTEM |
| Spanish | NT AUTHORITY\SERVICIO LOC | NT AUTHORITY\SERVICIO DE RED | NT AUTHORITY\SYSTEM |
| Russian | NT AUTHORITY\LOCAL SERVICE | NT AUTHORITY\NETWORK SERVICE | NT AUTHORITY\SYSTEM |
So to get around this I found an overload of the FileSystemAccessRule that takes an IdentityReference instead of the string representing the account name, and now the code looks like this:
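```csharp
// Build the identity from the well-known SID instead of a display name.
SecurityIdentifier si = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
DirectorySecurity dirSec = Directory.GetAccessControl(dirPath);
FileSystemAccessRule fsar = new FileSystemAccessRule(
    si.Translate(typeof(NTAccount)),  // resolves to the account name used on this machine
    FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None,
    AccessControlType.Allow);
// Apply the rule, as in the first snippet.
dirSec.AddAccessRule(fsar);
Directory.SetAccessControl(dirPath, dirSec);
```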
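A variant of the fix above, as an added example that is not code from the original post: it passes the SecurityIdentifier straight to the rule (it is itself an IdentityReference) and then reads the ACL back as SIDs to confirm the entry, so no account name is parsed on any Windows language version. It assumes the .NET Framework APIs used above; the `AclHelper` class, its method names, the temp directory and the choice of `Modify` instead of the post's `FullControl` are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclHelper   // hypothetical helper, not from the original post
{
    // Grants rights to a well-known account by SID; no localized name is involved.
    public static void Grant(string dirPath, WellKnownSidType sidType, FileSystemRights rights)
    {
        // Machine-local well-known SIDs such as Network Service need no domain SID (null).
        var sid = new SecurityIdentifier(sidType, null);
        DirectorySecurity dirSec = Directory.GetAccessControl(dirPath);
        dirSec.AddAccessRule(new FileSystemAccessRule(sid, rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow));
        Directory.SetAccessControl(dirPath, dirSec);
    }

    // Reads the explicit ACL entries back as SIDs and checks the allow entry exists.
    public static bool HasAllow(string dirPath, WellKnownSidType sidType, FileSystemRights rights)
    {
        var sid = new SecurityIdentifier(sidType, null);
        AuthorizationRuleCollection rules = Directory.GetAccessControl(dirPath)
            .GetAccessRules(true, false, typeof(SecurityIdentifier));
        foreach (FileSystemAccessRule rule in rules)
            if (rule.IdentityReference.Equals(sid)
                && rule.AccessControlType == AccessControlType.Allow
                && (rule.FileSystemRights & rights) == rights)
                return true;
        return false;
    }

    static void Main()
    {
        // Constructed sample directory, not a path from the original post.
        string dir = Path.Combine(Path.GetTempPath(), "acl-demo-data");
        Directory.CreateDirectory(dir);
        // Assumption: Modify is enough for the workload; the post grants FullControl.
        Grant(dir, WellKnownSidType.NetworkServiceSid, FileSystemRights.Modify);
        Console.WriteLine(HasAllow(dir, WellKnownSidType.NetworkServiceSid, FileSystemRights.Modify));
        // Translate only for display or logging: the name printed differs per Windows language.
        var sid = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
        Console.WriteLine(sid.Value + " = " + sid.Translate(typeof(NTAccount)));
    }
}
```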
So now, as part of our test battery, we have a brand new French Windows XP virtual machine.
Hope this helps
- Hatim