Getting named pipes working on Windows Server 2008

by Christoph Herold 24. Januar 2011 15:43

I spent the last few weeks working on a server application that uses named pipes. It worked well on the development and test systems, but when deploying to the staging environment, the named pipe server seemed to stop working. It did not quit out on me, though. The code was under the impression of having opened the named pipe server, but no clients were able to connect to the server. When checking with process explorer, the named pipes were not shown in the process' handles.

During my search I came across the following page, that pretty much describes the problem I was having: On it, several solutions are given, but most of them use the Windows API and not .NET. After trying a few things and looking at the named pipes examples of the All-in-one Code Framework on Codeplex, I finally managed to get things working. The important part is the PipeSecurity object passed into the NamedPipeServerStream constructor. I got the access rules from the All-in-one Code Framework, but the magic line is the SetSecurityDescriptorSddlForm code. It is also necessary to have this line BEFORE setting the access rights, as otherwise I got no change in the behavior.

PipeSecurity pipeSecurity = new PipeSecurity();

// Set to low integrity level

// Allow Everyone read and write access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule("Authenticated Users",
    PipeAccessRights.ReadWrite, AccessControlType.Allow));

// Allow the Administrators group full access to the pipe.
pipeSecurity.SetAccessRule(new PipeAccessRule("Administrators",
    PipeAccessRights.FullControl, AccessControlType.Allow));

using (this.namedPipe = new NamedPipeServerStream(pipeName,

I guess anyone would have come up with the "S:(ML;;NW;;;LW)" string to pass into the method. It seems straightfoward enough :-)

Well, anyways, if you encounter a similar problem, I hope this saves you some time. And for all of you who want the explanation of that string, just head on over to the msdn documentation: and The S: tells us, that we're dealing with an SACL, ML stands for SDDL_MANDATORY_LABEL, no flags are given, NW means SDDL_NO_WRITE_UP, we then skip two object guids, and last but not least the LW is the account sid for SDDL_ML_LOW, which means "low level integrity". I think, to really get to the bottom of this, I need to learn a heck of a lot more about the windows security mechanisms. But for now, I'm just glad it works at all :-)

Tags: ,


Month List

Impressum (for the Germans)

Christoph Herold

Dieses Weblog wird bereitgestellt und verwaltet durch

Christoph Herold
Ignaz-Semmelweis-Str. 37
41540 Dormagen

Sie erreichen mich unter