microsoft / service-fabric

Service Fabric is a distributed systems platform for packaging, deploying, and managing stateless and stateful distributed applications and containers at large scale.
https://docs.microsoft.com/en-us/azure/service-fabric/
MIT License

Question - Fabric service (FabricHostSvc) Runs with Network Service ? #778

Open nareshkhatri81 opened 6 years ago

nareshkhatri81 commented 6 years ago

Team,

Is it possible to run FabricHostSvc as the Network Service account?

While configuring the Reverse Proxy certificate today, I followed the link below, where it is mentioned that the Fabric process runs as the Network Service account. The Network Service account needs to have access to the certificate's private key.

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-x509-security

Which account do containers run as by default?

In my environment, I am seeing FabricHostSvc run as the Local System account. Not sure if I am missing something.

The link below talks about the account applications run as, but I would like to know the default accounts for FabricHostSvc and containers.

https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security

Thanks, Naresh Khatri

raunakpandya commented 6 years ago

Trying to understand your requirement here. Why do you want FabricHostSvc to run under network service account?

nareshkhatri81 commented 6 years ago

@raunakpandya

We are trying to make the RP secure over HTTPS. The Service Fabric process needs to have full access to the private key. As per this link, SF runs as the Network Service account. So do I need to give the Network Service account full access to the private key, or Local System? https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-x509-security

Network Service has fewer privileges than Local System. If SF works with the Network Service account, then that is the best practice for us.

Thanks, Naresh Khatri

raunakpandya commented 6 years ago

FabricHostSvc doesn't access the certificates. In the case of cluster security, Fabric.exe, which runs as Network Service, is what accesses the cert. You need to ACL your certificate for the Network Service account.
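
The ACL step described in the answer above, as an added example that is not code from the issue or from the Service Fabric project: it grants NT AUTHORITY\NETWORK SERVICE read access to the certificate's private-key file (Read is sufficient for TLS, so Full Control is not granted) and verifies the result. The thumbprint is a placeholder, and the key-file locations assume the default Windows machine key store paths.

```powershell
# Added example, not from the issue thread: give NT AUTHORITY\NETWORK SERVICE read access
# to the private key of the reverse-proxy (or cluster) certificate, because Fabric.exe, not
# FabricHostSvc, uses the certificate and runs as Network Service.
# Run in an elevated session on every node. $Thumbprint is a placeholder; replace it first.
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
$Account    = 'NT AUTHORITY\NETWORK SERVICE'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this node" }

# Locate the key container file. CNG keys expose the unique name via RSACng.Key, CSP keys via
# CspKeyContainerInfo. CNG machine keys live under Crypto\Keys, CSP keys under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
else { $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName"
) | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

# Add a Read/Allow entry for Network Service and write the ACL back (least privilege: Read only).
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: the key file must now carry an Allow entry for the account. Review that nothing
# broader than Read was granted before restarting Fabric.exe on the node.
$granted = (Get-Acl -Path $keyFile).Access |
           Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
if (-not $granted) { throw "ACL update failed: no Allow entry for $Account on $keyFile" }
$granted | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```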

nareshkhatri81 commented 6 years ago

@raunakpandya Thanks for clarifying that. Do you know what account Service Fabric runs the container with?

Thanks, Naresh Khatri