netsh, Windows 2003 and httpcfg

In a previous article, I talked about working with HttpListener. Remember: HttpListener uses http.sys. It’s necessary to tell http.sys that a process & user should be allowed to listen to a certain port before that process starts listening. This is called ‘url reservation’.

In Windows Vista and Windows Server 2008, the way to do url reservation is with netsh.exe. My development workstation is Windows 7, so I used netsh.exe to get things working locally. And of course – I thought that I could use netsh.exe anywhere I needed to use HttpListener. I was so wrong.

Older machines use httpcfg.exe for port reservation

Much to my surprise, netsh doesn’t work the same way on all machines. At my workplace we have Windows 2003 servers for QA, staging and production. I discovered (the hard way) that I can’t use netsh.exe to do my url/port reservation – I have to use something called httpcfg.exe. The syntax is deceptively similar:

httpcfg.exe set urlacl /u http://+:9001/ /a D:(A;;GX;;;NS)

Just like netsh.exe, I can specify the url/port to listen to, but the user assigned to that reservation is specified using SDDL - which is very cryptic. See that D:(A;;GX;;;NS) in the example above? That’s actually saying ‘give permission to the NETWORK SERVICE user’. Yeah. Cryptic.

To make life a little easier and help find the SDDL representation of the NETWORK SERVICE user, I used a handy tool called HttpCfg ACL helper. That tool generates the httpcfg syntax that I needed – including the SDDL.
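
To take some of the mystery out of the SDDL string, here is a small decoder for the DACL part of a url reservation. It is an added example, not code from the original post or from the HttpCfg ACL helper tool. It goes a little beyond the single NS case by also flagging reservations granted to broad trustees such as Everyone; the function names and the second sample reservation are made up for illustration.

```python
import re

# Subset of well-known SDDL SID aliases, and the generic rights http.sys
# honours on a URL reservation (GX = register, GW = delegate, GA = both).
SID_ALIASES = {"NS": "NETWORK SERVICE", "LS": "LOCAL SERVICE", "SY": "LOCAL SYSTEM",
               "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
               "AU": "Authenticated Users", "WD": "Everyone", "AN": "Anonymous"}
URL_RIGHTS = {"GX": "register", "GW": "delegate", "GA": "register+delegate"}
BROAD = {"WD", "AU", "BU", "AN"}  # trustees that cover many or all accounts

def parse_dacl(sddl):
    """Decode the ACEs in the D: (DACL) part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component in %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        # ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 ';'-separated fields: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        # Rights are either a hex mask or a run of two-letter codes.
        codes = [rights] if rights.lower().startswith("0x") else re.findall("..", rights)
        aces.append({"allow": ace_type == "A",
                     "rights": [URL_RIGHTS.get(c, c) for c in codes],
                     "trustee": SID_ALIASES.get(sid, sid),
                     "broad": sid in BROAD})
    return aces

def broad_grants(reservations):
    """Return (url, trustee) pairs where an allow ACE names a broad trustee."""
    return [(url, ace["trustee"])
            for url, sddl in reservations
            for ace in parse_dacl(sddl)
            if ace["allow"] and ace["broad"]]

# Constructed sample: the first entry is the reservation from the post,
# the second is a made-up reservation that lets any account listen.
SAMPLE = [("http://+:9001/", "D:(A;;GX;;;NS)"),
          ("http://+:9002/", "D:(A;;GX;;;WD)(A;;GA;;;BA)")]

if __name__ == "__main__":
    for url, sddl in SAMPLE:
        for ace in parse_dacl(sddl):
            print(url, "allow" if ace["allow"] else "deny",
                  ace["trustee"], ",".join(ace["rights"]))
    print("broad:", broad_grants(SAMPLE))
```

A reservation that shows up under `broad` lets any matching account bind that url prefix, so it is worth reviewing before it reaches a shared QA or production server.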