Service Accounts and BITS

You can use BITS to transfer files from a service. The service must use the LocalSystem, LocalService, or NetworkService system account. These accounts are always logged on; therefore, jobs submitted by a service using these accounts always run.

If a service running under a system account impersonates the user before calling BITS, BITS responds as it would for any user account (for example, the user needs to be logged on to the computer for the transfer to occur). The service should also use dynamic cloaking with the BITS interface pointers when impersonating the user. Cloaking is not inherited; therefore, you must call the CoSetProxyBlanket function on each interface pointer that you receive from BITS (for example, the job pointer returned from calling the IBackgroundCopyManager::CreateJob method). It is not enough to set cloaking on the manager interface pointer. You can also call the CoInitializeSecurity function for the process instead of calling the CoSetProxyBlanket function on each interface pointer.

However, if the service does not impersonate the user, the following behaviors apply:

  • Jobs created by the service account are owned by that account. Because system accounts are always logged on, BITS transfers the files as long as the computer is running and there is a network connection.
  • System accounts should not use mapped network drive letters because the drive letters are specific to a session and the mapping may be lost after a computer restart.
  • In the absence of a Helper Token, network authentication uses computer credentials for LocalSystem and NetworkService accounts and anonymous credentials for the LocalService account. BITS returns "access denied" if the access control list (ACL) for the source file limits access to a user account.
  • If a proxy requests user authentication, BITS passes the credentials you specify to the proxy. To specify proxy credentials for a job, call the IBackgroundCopyJob2::SetCredentials method. When calling SetCredentials, specify implicit credentials (see Authentication) and use negotiate as the authentication scheme.

    BITS 1.2 and earlier:  BITS does not support proxy credentials.

  • Microsoft Internet Explorer proxy settings are stored per-user and are not set for system accounts. To set the proxy settings for a job submitted by a system account, call the IBackgroundCopyJob::SetProxySettings method. Alternatively, you can use the /Util /SetIEProxy switches of BitsAdmin.exe to set Internet Explorer proxy settings for the LocalSystem, LocalService, or NetworkService system account. For details, see BitsAdmin Tool.

    Note that BITS does not recognize the proxy settings that are set using the Proxycfg.exe file.
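
The non-impersonating behaviors listed above, applied in a PowerShell script run by a scheduled task or service host under a system account. This is an added example, not code from the original page; the function names, proxy address, URL, and paths are constructed placeholders. It rejects drive-letter paths that depend on a session mapping and sets the job's proxy explicitly rather than relying on per-user Internet Explorer settings.

```powershell
# Added example. Function names, proxy address, URL and paths are constructed placeholders.
Import-Module BitsTransfer

function Test-SessionDrivePath {
    param([Parameter(Mandatory)][string]$Path)
    # Only drive-letter paths are at risk; UNC paths and URLs do not depend on session mappings.
    if ($Path -notmatch '^[A-Za-z]:') { return $false }
    $drive = New-Object System.IO.DriveInfo ($Path.Substring(0, 1))
    # Network: a mapped share. NoRootDirectory: the letter does not exist in this session
    # (typical when a user mapped it and the script runs as a system account).
    $risky = @([System.IO.DriveType]::Network, [System.IO.DriveType]::NoRootDirectory)
    return $drive.DriveType -in $risky
}

function Start-SystemBitsDownload {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [Uri[]]$ProxyList,
        [string[]]$ProxyBypass = @('<local>')
    )
    foreach ($p in @($Source, $Destination)) {
        if (Test-SessionDrivePath -Path $p) {
            throw "Use a UNC or local fixed-drive path, not a mapped drive letter: $p"
        }
    }
    $params = @{
        Source       = $Source
        Destination  = $Destination
        DisplayName  = 'Service download (example)'
        Asynchronous = $true   # return the job; the caller completes it later
    }
    if ($ProxyList) {
        # System accounts have no Internet Explorer proxy settings, so set them on the job.
        $params.ProxyUsage  = 'Override'
        $params.ProxyList   = $ProxyList
        $params.ProxyBypass = $ProxyBypass
    }
    Start-BitsTransfer @params
}

# Constructed values: replace with your own server, destination and proxy.
$job = Start-SystemBitsDownload -Source 'https://updates.example.com/pkg.cab' `
    -Destination 'C:\ProgramData\ExampleSvc\pkg.cab' `
    -ProxyList 'http://proxy.example.com:8080'
'{0} owned by {1}: {2}' -f $job.JobId, $job.OwnerAccount, $job.JobState
```

The job stays in the queue until the caller finishes it with Complete-BitsTransfer once its state is Transferred. The OwnerAccount value in the output shows which account owns the job.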