WMI in ASP fails on 2003 (err 80041003); works fine on 2000

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Jeff Davis (scripting-Remove.Please_at_foundations.com)
Date: 09/06/04 

Date: Sun, 5 Sep 2004 22:21:47 -0700

Hi all...here's hoping you can help!

I've searched and seen several threads about problems with using WMI within
ASP pages. None of the threads, though, seem to answer my specifc questions.
So here goes...

Take a simple ASP page:

------------Begin Code------------
<%
Set objOS =
GetObject("winmgmts://server1.test.com").InstancesOf("Win32_OperatingSystem")
For Each obj In objOS
    Response.Write (obj.name)
Next
%>
------------End Code------------

Slap this on a Windows 2000 Server SP4 running IIS 5, and all is well. I've
tested it on two servers with no problems.

Move the same page to either of 2 2003 servers running IIS 6.0, and I get
the infamous error:

------------Begin output------------
SWbemServicesEx error '80041003'
Access denied
------------End Output------------
Now, all servers are configured to disallow anonymous authentication, and I
am indeed being logged into the 2003 servers with an administrative account.

Note that the same code runs just fine on the 2003 servers as a standalone
VBScript.

Now, I can make it work by configuring the WMI call to use delegation, like
so:

------------Begin Code------------
<%
Set colProc =
GetObject("winmgmts:{impersonationlevel=delegate,authority=kerberos:server1}!//server1.test.com/root/cimv2").InstancesOf("win32_Process")
For Each obj In objOS

    Response.Write (obj.name)
Next
%>
------------EndCode------------

So here are my questions:

1. Why? Why must I use delegation with Windows 2003/IIS6 and not with
Windows 2000/IIS5? What's different about IIS6 that hosing me so? Why would
delegation be needed at all (script is initiated on IIS server via
interactive logon - thus WMI to remote machine should be a single hop)

2. Is there a way to avoid the need for delegation on 2003? The problem is
that I want to have the ASP page be able to hit pre-2000 boxes, which aren't
going to support Kerberos and delegation.

Thanks,

Jeff

Relevant Pages

  • WMI and delegation
    ... I'm trying to use delegation to read remote computer data with WMI from ... DC2: ... DC1 has "Trust computer for delegation" enabled. ... , ASP page code below. ...
    (microsoft.public.win32.programmer.wmi)
  • ASP and WMI
    ... I need to manage users on two w2000 servers simultaneously via a secured ASP ... id and password in order WMI to actually spawn the process. ...
    (microsoft.public.windows.server.scripting)
  • Re: content static for 24hrs
    ... if data found the html page is created ... Writing each hit to a database is what springs to my mind. ... The are single purpose servers. ... Would upgrading your servers and writing standard ASP be an acceptable ...
    (microsoft.public.inetserver.asp.db)
  • Re: RDNS LOOPING
    ... Are these you two name servers? ... the delegation, and if you don't see an improvement, you simply just remove ... is how most reverse delegations work. ... 174419 - HOWTO Configure a Subnetted Reverse Lookup Zone on Windows NT, ...
    (microsoft.public.windows.server.dns)
  • Re: RDNS LOOPING
    ... >> servers properly refers to my DNS for a reverse lookup and the other ... > I assume this is a straight delegation instead of a Cname delegation, ... > is how most reverse delegations work. ... > 174419 - HOWTO Configure a Subnetted Reverse Lookup Zone on Windows NT, ...
    (microsoft.public.windows.server.dns)