Windows Media Connect and Domains

A surprising number of people are running domains in their homes. Windows Media Connect (WMC) can work on a domain-joined PC. Nearly every computer at Microsoft is joined to one of the corporate domains. That was true of me as well as I worked on WMC. So I streamed music daily from WMC on a domain-joined PC. However, there are some issues to be aware of with domain-joined PCs.

For those of you with a domain controller at home, make sure the computer running WMC has been added to the Windows Authorization Access Group in Active Directory. You also have to either disable IPsec on your domain or configure the WMC computer as a boundary machine so that it can communicate with non-IPsec devices.

If you have a home computer joined to a corporate domain, you have less control over your situation. What I’ve done in this situation is to log in with the local administrator account (a non-domain account) and do my folder sharing from there.

There are two basic problems here that have to be overcome. The first is simple connectivity. IPsec encrypts part of the packets. There isn’t any shipping Digital Media Receiver (DMR) that I know of that supports IPsec. So, if you want basic connectivity with a DMR, you are going to have to communicate with it without using IPsec.

The second issue that has to be overcome is basic file permissions. WMC is a service that runs under the NETWORK SERVICE account. In order to share the files over the network, it must have access to them. At service startup it walks through its list of shares and checks whether the person who shared the files has access. On a domain-joined PC that person is a domain user, so the service must interact with the domain to determine access. The NETWORK SERVICE account won’t have access to the security information of the user who shared the folder if the machine isn’t added to the Windows Authorization Access Group in Active Directory. Since the service can’t validate that the user who granted the shares has permission on the files, it won’t expose a server. The same situation arises when a domain-joined PC is disconnected from the domain (as when you bring home a corporate laptop): the NETWORK SERVICE account can’t communicate with the domain to validate file permissions, and therefore it won’t expose a server.
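
One way to check and apply the group membership described above on a home domain, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module is available and uses `MEDIA-PC01` as a placeholder for the computer running WMC; adding only that one computer account keeps the grant as narrow as possible.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post.
param(
    # Placeholder name for the PC running WMC; replace with your own.
    [string]$ComputerName = 'MEDIA-PC01',
    # Without -Apply the script only reports what it found.
    [switch]$Apply
)

# Well-known SID of BUILTIN\Windows Authorization Access Group. Looking the
# group up by SID works even if the group name is localized.
$waagSid  = 'S-1-5-32-560'
$group    = Get-ADGroup    -Identity $waagSid
$computer = Get-ADComputer -Identity $ComputerName

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) follows nested groups,
# so membership granted indirectly through another group is detected as well.
$filter = '(&(objectClass=computer)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:={1}))' -f
          $computer.SamAccountName, $group.DistinguishedName
$isMember = [bool](Get-ADObject -LDAPFilter $filter)

if ($isMember) {
    Write-Output "$ComputerName is already in '$($group.Name)'."
}
elseif ($Apply) {
    # Add only this computer account rather than a broad group of machines.
    Add-ADGroupMember -Identity $group -Members $computer
    Write-Output "Added $ComputerName to '$($group.Name)'."
    Write-Output 'Restart the computer so its machine account picks up the new membership.'
}
else {
    Write-Output "$ComputerName is NOT in '$($group.Name)'. Re-run with -Apply to add it."
}
```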