I have an XP SP3 machine running a service (written by me) that runs as NT AUTHORITY\NETWORK SERVICE in order to access a network share. With filemon.exe I can see this service attempting to OPEN the network share but getting ACCESS DENIED.
The network share is a folder on a Windows Server 2003 SP1 machine, and this folder has share permission = Everyone (read) and NTFS permission = Domain Computers (read + execute + list folder contents). It has no other permissions explicitly granted, but inherits default permissions from C:\. I have verified that the XP machine is a member of Domain Computers.
On the machine sharing the folder I can see Successful Network Logon events from the XP machine.
On the XP machine I see only ACCESS DENIED when my service tries to OPEN specific files in that folder.
It feels like I'm missing some vital step but I appear to have run out of SysAdmin clues.
Is there a reason it has to run as Network Service? For security purposes I would create a domain user account, run the service as the domain user, and assign the necessary permissions to the user.
That does sound like it should work. I would try 1) Impersonate a normal domain user account for the network access instead of network service. This will check that your impersonation is working and is valid for network resources. 2) Change the share and NTFS permissions to explicitly grant access (probably start by granting full control) to the specific computer account that you are testing this on.
Give this a go and update your question with how you get on. Might give us a bit more of an idea about the problem.
If it starts to look like a problem with your call to LogonUser then you might get a better response on StackOverflow.
I have had odd problems in the past when trying to get computers to authenticate properly as network service. I normally work around the problem now by using a domain account that has been granted the exact permissions required for the task.
DOMAIN\machinename$
The network service account appears as this when connecting/authenticating to other servers.
I know this works because I have a web server app pool using network service that connects to a SQL Server with the dollar account.
Edit: have you ever tried to search google for "machinename$"... aarrgghh.
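Added example, not code from any of the posters above: a PowerShell check, run on the file server, that reports whether the identities a Network Service caller presents (the computer account DOMAIN\machinename$, the groups it belongs to such as Domain Computers, and Everyone) are allowed read on both the share ACL and the NTFS ACL, since effective access over the network is the more restrictive of the two. It assumes Get-SmbShare / Get-SmbShareAccess are available (Windows Server 2012 or later); the share name and identities are placeholders.

```powershell
# Added example (not from the thread). Assumes Windows Server 2012+ with the
# SmbShare module. Checks Allow entries only; Deny entries are not evaluated.
param(
    [string]$ShareName = 'Data',   # placeholder share name
    # placeholder identities: the computer account and the groups it is in
    [string[]]$Identities = @('DOMAIN\machinename$', 'DOMAIN\Domain Computers', 'Everyone')
)

function Test-ShareRead {
    param([string]$ShareName, [string[]]$Identities)

    $share = Get-SmbShare -Name $ShareName

    # Share-level ACL: any Allow entry for one of the identities is enough.
    $shareAllow = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $Identities -contains $_.AccountName
    }

    # NTFS ACL on the folder behind the share: need an Allow entry that
    # includes ReadData (bit value 1 in FileSystemRights).
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $ntfsAllow = (Get-Acl -Path $share.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Identities -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }

    [pscustomobject]@{
        Share       = $ShareName
        Path        = $share.Path
        ShareAllows = [bool]$shareAllow
        NtfsAllows  = [bool]$ntfsAllow
        # Both layers must allow the caller, or the OPEN is denied.
        Effective   = ([bool]$shareAllow) -and ([bool]$ntfsAllow)
    }
}

Test-ShareRead -ShareName $ShareName -Identities $Identities
```

If Effective is False while NtfsAllows is True, the share ACL is the culprit; the reverse points at the folder's NTFS permissions (or an inherited entry further up the path).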