Reminders when changing user on ImageVault Core Windows Service

We needed to change the service account user running the ImageVault Core service in my current client’s production environment the other day. Here are a few reminders on what this actually involves; they’ll likely also be useful when setting up new environments.

Changing user on ImageVault Host Service (MyInstance)

ImageVault Core’s service needs access to your image files

Why do half of my ImageVault images work, while some do not even load? All I get is a 500 from my EPiServer website. Or, ImageVault Core is not generating any log files! Well, ImageVault stores smaller images in its SQL database, while larger ones are kept on disk. So if you’ve set up some sort of shared file storage area for your ImageVault images (or Core log files for that matter) rather than keeping them on the local server, chances are you’ll need to look over the access rights.

In other words, the user running the ImageVault Core service will need to have read and write access to your fileshare for this to work.

ImageVault Core’s service needs a URL reservation entry for its account

Why do I get a refused connection on the port my ImageVault Core installation uses?

[SocketException (0x274d): No connection could be made because the target machine actively refused it 127.0.0.1:9901]
   System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) +273
   System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception) +584

Chances are that you will need to add a URL reservation entry for the account running the service. You can check this by opening up a Windows PowerShell window and running the following netsh command.

netsh http show urlacl

This will hopefully result in something like the following for your ImageVault port, along with the old user; in my environment I’m using 9901.

Reserved URL : https://+:9901/
    User: MyDomain\MyOldUsername
        Listen: Yes
        Delegate: No
        SDDL: D:( ... .... ) 

So, you’ll need to remove the old entry, and add a new one for the proper user.

netsh http delete urlacl url=https://+:9901/
netsh http add urlacl url=https://+:9901/ user=MyDomain\MyNewUsername

Run the show command again to verify. Now your ImageVault Core service ought to be able to set up its connections as it should.
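
The two checks above (file access and URL reservation) can be scripted so they are repeated after every account change. This is an added example, not part of the original post or of ImageVault; the service name and storage path are placeholders, and it assumes English netsh output and a service account in DOMAIN\user form.

```powershell
# Added example, not from the original post. Placeholder values are marked.
param(
    [string]$ServiceName = 'MyImageVaultService',     # placeholder service name
    [string]$Url         = 'https://+:9901/',         # reservation shown in the post
    [string]$StoragePath = '\\fileserver\imagevault'  # placeholder file storage path
)

# Account the service is configured to run as (DOMAIN\user is assumed, the
# same form netsh prints; .\user or user@domain would need normalising).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$account = $svc.StartName

# Parse 'netsh http show urlacl' into a map of reserved URL -> users.
# Assumes English netsh output ("Reserved URL", "User:").
$reservations = @{}
$current = $null
foreach ($line in (netsh http show urlacl)) {
    if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
        $current = $Matches[1]
        $reservations[$current] = @()
    } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
        $reservations[$current] += $Matches[1]
    }
}
$urlOk = $reservations.ContainsKey($Url) -and ($reservations[$Url] -contains $account)

# NTFS entries that name the account directly and allow read + write.
# Access granted through a group, and share-level permissions, are not resolved.
$needed = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$aces = @((Get-Acl -Path $StoragePath).Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $needed) -eq $needed
})

[pscustomobject]@{
    Service          = $ServiceName
    RunsAs           = $account
    UrlReservedFor   = $reservations[$Url] -join ', '
    UrlReservationOk = $urlOk
    DirectReadWrite  = $aces.Count -gt 0
}
```

A `UrlReservedFor` value that still lists the old account means the stale reservation was never deleted, which leaves that account able to listen on the port.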

ImageVault Core’s service needs access to the RSA Key Container for encrypted connectionStrings

If you’re encrypting connectionStrings for ImageVault Core in order to protect your database information, and I don’t see why you wouldn’t, you will also need to grant your new user access rights to the Windows RSA Key Container.

# AD user account
aspnet_regiis.exe -pa "NetFrameworkConfigurationKey" "MyDomain\MyNewUsername"