
How do I use node-windows with a service account?


I am using node-windows to run my node app as a service. Because I intend to use node-expose-sspi, I created a service account with PowerShell (I checked with Test-ADServiceAccount).

If I run this code

var Service = require('node-windows').Service;

// Create a new service object
var svc = new Service({
  name: 'project-name',
  description: 'node server',
  script: 'C:\\server\\server.js',
  allowServiceLogon: true
  // , env: {
  //   name: "NODE_ENV",
  //   value: "production"
  // }
});

// Listen for the "install" event, which indicates the
// process is available as a service.
svc.on('install',function(){
  svc.start();
});

// Just in case this file is run twice.
svc.on('alreadyinstalled',function(){
  console.log('This service is already installed.');
});

// Listen for the "start" event and let us know when the
// process has actually started working.
svc.on('start',function(){
  console.log(svc.name+' started!\nVisit http://127.0.0.1:5000 to see it in action.');
});

// Install the script as a service.
svc.install();

I get the console log 'project-name started...' but the service is not created (I checked with get-process). If I omit 'allowServiceLogon: true' the service is created.

How do I specify the service account in node-windows?


Solution

  • Syntax

    node-windows v1.1.8 seems to be using winsw version 2 so you need to set the options according to this xmlConfigFile.md (don't forget the $-sign).

    <serviceaccount>
      <domain>YOURDOMAIN</domain>
      <user>gmsa_account$</user>
      <allowservicelogon>true</allowservicelogon>
    </serviceaccount>
    

    Troubleshoot

    If the service is not created then it is because the gMSA does not have sufficient permissions for a) the npm folder of node-windows (if you installed this globally this should be C:\Users\username\AppData\Roaming\npm), b) the "entry point" of the npm folder (C:\Users\username) and also the folder where your node app.js is (for instance C:\projects\myserverproject). You need at least write permissions. Also, the node-windows log file in the daemon folder (C:\projects\myserverproject\daemon) will not be created! This makes troubleshooting harder. Same goes for the user LocalService, too.

    My recommendation

    If you omit the allowServiceLogon and the other logon-attributes altogether, the service will be created as LocalSystem. LocalSystem has sufficient permissions. Now you can change LocalSystem to the gMSA in the Windows GUI (search for 'services.msc'). If the gMSA does not have sufficient permissions, the service will start but stop immediately. Then you can find the error log in the Event Viewer. The error log will tell you which folders you need to add permissions to.

    [Screenshot: Event Viewer]
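The folder permissions named in the troubleshooting part of the answer can be audited before installing the service. The following PowerShell is an added example, not part of the original answer or of node-windows: it reports, for each folder, whether the ACL holds an ACE naming the service account that allows (or denies) write access. The account name, the folder paths and the function name `Test-AccountWriteAce` are placeholders or assumptions taken from the examples in the answer.

```powershell
# Added example: audit the folders the answer lists for an ACE that gives the
# service account write access. Account and paths are placeholders.
$Account = 'YOURDOMAIN\gmsa_account$'          # note the trailing $ for a gMSA
$Folders = @(
    'C:\Users\username\AppData\Roaming\npm',   # global npm folder (node-windows)
    'C:\Users\username',                       # "entry point" of the npm folder
    'C:\projects\myserverproject'              # folder that holds the node app
)

$Write = [System.Security.AccessControl.FileSystemRights]::Write

# Hypothetical helper: returns 'missing', 'denied', 'write' or 'no-ace'.
function Test-AccountWriteAce {
    param([string]$Path, [string]$Identity)

    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }

    # Only ACEs that name the account directly are considered.
    $rules = @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Identity })

    # A Deny ACE touching any write right wins over Allow ACEs.
    $denied = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band $Write) -ne 0)
    }
    if ($denied) { return 'denied' }

    # Require the full Write right set (Modify and FullControl include it).
    $allowed = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Write) -eq $Write)
    }
    if ($allowed) { return 'write' }
    return 'no-ace'
}

foreach ($folder in $Folders) {
    [pscustomobject]@{
        Folder  = $folder
        Account = $Account
        Result  = Test-AccountWriteAce -Path $folder -Identity $Account
    }
}
```

Run it from an elevated prompt so the ACLs can be read. Access granted through a group or through generic-rights ACEs is not resolved and shows up as `no-ace`.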