C# NamedPipe over network throws UnauthorizedAccessException on client connect

Question

I have a client and a NamedPipe server. The client and the server run on distinct Windows services. On the same machine the connection works perfectly. But when attempting to access the server from another machine, an exception of type UnauthorizedAccessException is thrown (access is denied). I researched several posts and included AccessRules on the server, but it did not work. The client machine user does not exist on the server machine. Is there a specific / AccessRule setting for this case? Does anyone know the solution?

Server:

private NamedPipeServerStream _setupServer;

PipeSecurity ps = new PipeSecurity();
//Everyone
ps.AddAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), PipeAccessRights.ReadWrite, AccessControlType.Allow));
//Users
ps.AddAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), PipeAccessRights.ReadWrite, AccessControlType.Allow));
//SYSTEM
ps.AddAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), PipeAccessRights.FullControl, AccessControlType.Allow));

using (_setupServer = new NamedPipeServerStream(typeof(ISetupClient).Name, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message, PipeOptions.None, 4024, 4024, ps))
{
     this._setupServer.WaitForConnection();
     //...
}

Client:

string ipServidor = "192.168.40.155";
using (var setupClient = new NamedPipeClientStream(ipServidor, typeof(ISetupClient).Name, PipeDirection.InOut, PipeOptions.None))
{
    int timeOut = 10;
    setupClient.Connect(timeOut);
    //...
}

Answer 1

I don't know why this question was downvoted - I corrected that.

I tested this in my lab on two Win 7 machines with different users.

The remote named pipes in Windows are over SMB / CIFS. So normal logon restrictions apply.

I was able to get this to run successfully if I changed in the local security policy:

Security Options

Accounts: Guest account status – change to Enabled

User Rights Assignment

Deny access to this computer from the network - remove "Guest"

Warning

This is not a good idea to do this. I only did the changes to verify this and changed them back immediately.

There is also an option in the local security policy for adding named pipes which can be accessed anonymously, but this didn't work in my case. One had to investigate into this.

In my opinion, using named pipes for un-authenticated access is not the best solution. Normally, I prefer authenticated connections, but in my case most of my development is in an corporate intranet with all machines in an Active Directory environment with AD users, so this is easy.

Perhaps you can use the old trick of using the same user name with the same password on both machines, this will work without the above mentioned policy changes.