Re: WMI in ASP fails on 2003 (err 80041003); works fine on 2000

From: Ivan Brugiolo [MSFT] (ivanbrug_at_online.microsoft.com)
Date: 09/06/04


Date: Mon, 6 Sep 2004 11:12:53 -0700

In the IIS6 case, is the impersonated token in the w3wp.exe process
a reference to the token of your logon session, or a new token created
by an SSPI package with the credentials material provided via the browser?
That would rule out if the first authentication hop has been spent locally
or not.
You can use !thread and !token in KD to cross check the state of things.

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Jeff Davis" <scripting-Remove.Please@foundations.com> wrote in message
news:ecVa3QDlEHA.1904@TK2MSFTNGP09.phx.gbl...
> Gerry,
>
> Strike the comment about the interactive logon. :)
>
> That said, I still don't see the need for delegation. It's not required
> with 2000, and I don't see why it is with 2003.
>
> Jeff
>
> "Gerry Hickman" <gerry1uk@netscape.net> wrote in message
> news:%23HepbsClEHA.2948@TK2MSFTNGP11.phx.gbl...
> > Hi Jeff,
> >
> > I don't get it, you say that your script uses "interactive login", but I
> > don't see any interactive login in the example you posted, it looks more
> > like Impersonation to me?
> >
> > -- 
> > Gerry Hickman
> > SSRU SysAdmin
> >
> > "Jeff Davis" <scripting-Remove.Please@foundations.com> wrote in message
> > news:u65$oF9kEHA.3432@TK2MSFTNGP14.phx.gbl...
> >> Hi all...here's hoping you can help!
> >>
> >> I've searched and seen several threads about problems with using WMI
> >> within ASP pages. None of the threads, though, seem to answer my
> >> specific questions. So here goes...
> >>
> >> Take a simple ASP page:
> >>
> >> ------------Begin Code------------
> >> <%
> >> Set objOS = GetObject("winmgmts://server1.test.com").InstancesOf("Win32_OperatingSystem")
> >> For Each obj In objOS
> >>     Response.Write (obj.name)
> >> Next
> >> %>
> >> ------------End Code------------
> >>
> >> Slap this on a Windows 2000 Server SP4 running IIS 5, and all is well.
> >> I've tested it on two servers with no problems.
> >>
> >> Move the same page to either of 2 2003 servers running IIS 6.0, and I
> >> get the infamous error:
> >>
> >> ------------Begin output------------
> >> SWbemServicesEx error '80041003'
> >> Access denied
> >> ------------End Output------------
> >> Now, all servers are configured to disallow anonymous authentication,
> >> and I am indeed being logged into the 2003 servers with an
> >> administrative account.
> >>
> >> Note that the same code runs just fine on the 2003 servers as a
> >> standalone VBScript.
> >>
> >> Now, I can make it work by configuring the WMI call to use delegation,
> >> like so:
> >>
> >> ------------Begin Code------------
> >> <%
> >> Set colProc = GetObject("winmgmts:{impersonationlevel=delegate,authority=kerberos:server1}!//server1.test.com/root/cimv2").InstancesOf("win32_Process")
> >> For Each obj In colProc
> >>
> >>     Response.Write (obj.name)
> >> Next
> >> %>
> >> ------------EndCode------------
> >>
> >> So here are my questions:
> >>
> >> 1. Why? Why must I use delegation with Windows 2003/IIS6 and not with
> >> Windows 2000/IIS5? What's different about IIS6 that's hosing me so? Why
> >> would delegation be needed at all (script is initiated on IIS server via
> >> interactive logon - thus WMI to remote machine should be a single hop)
> >> 2. Is there a way to avoid the need for delegation on 2003? The problem
> >> is that I want to have the ASP page be able to hit pre-2000 boxes, which
> >> aren't going to support Kerberos and delegation.
> >>
> >> Thanks,
> >>
> >> Jeff
> >>
> >>
> >
> >
>
>
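
A diagnostic ASP page for the question raised in the reply at the top of this message, added here as an example and not posted by anyone in the thread: it reports how IIS authenticated the request and whether the remote WMI query succeeds at the impersonate and at the delegate level. The host name and the `kerberos:server1` authority are the values from the original post; `ProbeWmi` is a hypothetical helper name.

```vbscript
<%
Option Explicit

Const TARGET = "server1.test.com"          ' host name from the original post
Const KERB_AUTHORITY = "kerberos:server1"  ' authority string from the original post
Const WBEM_E_ACCESS_DENIED = &H80041003    ' the error reported in the thread
Const LEVEL_IMPERSONATE = 3                ' wbemImpersonationLevelImpersonate
Const LEVEL_DELEGATE = 4                   ' wbemImpersonationLevelDelegate

' Hypothetical helper: run one remote WMI query at the given impersonation
' level and return a result string instead of letting the page fail.
Function ProbeWmi(level, authority)
    Dim locator, services, os, item, count, result
    result = "no instances returned"
    On Error Resume Next
    Err.Clear
    Set locator = Server.CreateObject("WbemScripting.SWbemLocator")
    locator.Security_.ImpersonationLevel = level
    ' Empty user and password: connect with the token the ASP thread holds.
    Set services = locator.ConnectServer(TARGET, "root\cimv2", "", "", "", authority)
    If Err.Number = 0 Then Set os = services.InstancesOf("Win32_OperatingSystem")
    ' Reading Count forces enumeration, so a late access-denied surfaces here.
    If Err.Number = 0 Then count = os.Count
    If Err.Number = 0 Then
        For Each item In os
            result = "OK: " & item.Caption
        Next
    End If
    If Err.Number = WBEM_E_ACCESS_DENIED Then
        result = "ACCESS DENIED (0x80041003)"
    ElseIf Err.Number <> 0 Then
        result = "error 0x" & Hex(Err.Number) & " " & Err.Description
    End If
    On Error GoTo 0
    ProbeWmi = result
End Function

Response.Write "<pre>"
' AUTH_TYPE shows how the browser authenticated (e.g. Basic, NTLM, Negotiate);
' LOGON_USER is the account the request is being impersonated as.
Response.Write "AUTH_TYPE  : " & Server.HTMLEncode(Request.ServerVariables("AUTH_TYPE")) & vbCrLf
Response.Write "LOGON_USER : " & Server.HTMLEncode(Request.ServerVariables("LOGON_USER")) & vbCrLf
Response.Write "impersonate: " & Server.HTMLEncode(ProbeWmi(LEVEL_IMPERSONATE, "")) & vbCrLf
Response.Write "delegate   : " & Server.HTMLEncode(ProbeWmi(LEVEL_DELEGATE, KERB_AUTHORITY)) & vbCrLf
Response.Write "</pre>"
%>
```

Request the page once per authentication method enabled on the site and compare the two WMI lines; an AUTH_TYPE of NTLM or Negotiate means the browser's credentials arrived over the network, which is the case the reply asks about.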

