Jaa


Windows Media Connect and Domains

A surprising number of people are running domains in their homes.  Windows Media Connect (WMC) can work on a domain joined PC.  Nearly every computer at Microsoft is joined to one of the corporate domains.  That was true of me as well as I worked on WMC. So, I daily streamed music from a domain joined PC from WMC.  However, there are some issues to be aware of with domain joined PCs.

 

For those of you with a domain controller at home, make sure the computer running WMC has been added to the Windows Authorization Access group in Active Directory.  Also, you have to either disable IPSEC on your domain or configure the WMC computer as a boundary machine so that it can communicate with non-IPSEC devices. 

 

For those of you who have a home computer joined to a corporate domain you have less control over your situation.  What I’ve done in this situation is to log in with the local administrator account (a non-domain account) and do my folder sharing from there. 

 

There are two basic problems here that have to be overcome.  The first is simple connectivity.  IPSEC encrypts part of the packets.  There isn’t any shipping Digital Media Receiver (DMR) that I know of that support IPSEC.  So, if you want basic connectivity with a DMR you are going to have to communicate with it without using IPSEC.

 

The second issue that has to be overcome is basic file permissions.  WMC is a service that runs under the NETWORK SERVICE account.  In order to share the files over the network it must have access to them. At service startup it walks through its list of shares and checks to see if the person who shared the files has access.  In the case of the domain joined PC that person is a domain user.  Therefore it must interact with the domain to determine access.  The NETWORK SERVICE account won’t have access to the security information of the user who shared the folder if the machine isn’t added to the Windows Authorization Access Group in Active Directory.  Since the service can’t validate that the user who granted the shares has permission on the files it won’t expose a server. This same situation arises when a Domain Joined PC is disconnected from the domain (as when you bring home a corporate laptop).  The NETWORK SERVICE account can’t communicate with the domain to validate file permissions and therefore it won’t expose a server.

Comments

  • Anonymous
    February 19, 2006
    How can you get WMC to connect on a Win2K domain? The Windows Authorization Access group does not exist in a Win2K domain.
  • Anonymous
    February 20, 2006
    I don't know what the switch would be on a W2K domain. Basically WMC runs as NTAUTHORITYNETWORK SERVICE on the host machine.  So anything that would inhibit that limitied user account from reading or validating permission on files is going to be a blocker.  You might try sharing out files as a local user.