Re: WMI in ASP fails on 2003 (err 80041003); works fine on 2000

From: Gerry Hickman (gerry1uk_at_netscape.net)
Date: 09/07/04


Date: Tue, 7 Sep 2004 10:36:07 +0100

Hi Jeff,

The first code example you give, you say that when you run it you get the
"expected list of processes", but this is unlikely since your code is
actually enumerating Win32_OperatingSystem.

Still regardless of this, when I run either of your code examples on my
Win2k network with IISv5 and integrated authentication I get

Error -2147217405

Which translates to "Access Denied".

This is exactly what I'd expect to get, since IIS is not allowed to obtain a
WMI object from a remote computer.

Since it works on your systems, I can only assume you've either hacked your
security OR you've set up delegation? I don't see how it can work otherwise
because it breaks the "two hop" rule (which we all agree can't be broken).
Are you sure your IISv5 has not been set to run under a domain account?

When you browse to your ASP page, you will begin executing the VBScript as
an Administrator, but as soon as it gets to the GetObject() call, it will
try to do a "double hop" and fail.

That's my understanding of it at least.

-- 
Gerry Hickman
SSRU SysAdmin
"Jeff Davis" <scripting-Remove.Please@foundations.com> wrote in message
news:uMNXOVHlEHA.2680@TK2MSFTNGP15.phx.gbl...
> Gerry,
>
> Let me attempt to clarify.
>
> I have two Windows 2000 Servers, SP4, running IIS 5.0. On both, I create a
> new folder in wwwroot. With the IIS snap-in, I configure the directory to
> require Integrated Authentication (no anonymous). I drop in an ASP page with
> the following code:
>
> <%
> Set objOS = GetObject("winmgmts://server1.test.com").InstancesOf("Win32_OperatingSystem")
> For Each obj In objOS
>     Response.Write (obj.name) & "<BR>"
> Next
> %>
>
> I hit the page using a Web browser while logged in with an administrative
> account. I get the expected list of processes on a remote machine (not the
> Web server). No problems. Exactly as though I ran the code within a .vbs
> script.
>
> I do exactly the same thing with Windows Server 2003 servers and IIS 6.0,
> and I get the errors. To avoid the errors, I must rewrite the code so that
> the WMI script uses delegation to reach the remote machine.
>
> <%
> Set colProc = GetObject("winmgmts:{impersonationlevel=delegate,authority=kerberos:server1}!//server1.test.com/root/cimv2").InstancesOf("win32_Process")
> For Each obj In colProc
>
>     Response.Write (obj.name)
> Next
> %>
>
> This works, but is a problem if the target machine is pre-Windows 2000.
>
> My questions again...
>
> 1. Why?
> 2. How can I avoid it?
>
> Thanks,
>
> Jeff
>
>
>
> "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
> news:uZINy%23FlEHA.3988@TK2MSFTNGP14.phx.gbl...
> > Gerry Hickman wrote:
> >
> >> Your example is not very good,
> >
> > Sorry, I was getting confused here as you originally mentioned
> > "interactive login". If your example DOES work without delegation, and
> > with default IISv5 account (and since it uses impersonation) then I'd be
> > somewhat surprised as similar code certainly does not work on my own Win2k
> > IISv5 network - except on the box which is running IIS of course.
> >
> > -- 
> > Gerry Hickman (London UK)
>
>
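
Added example, not part of the original posts: the subject line's "err 80041003" and the "Error -2147217405" quoted in the reply are the same 32-bit value, printed once as hex and once as a signed VBScript Long. The Python sketch below normalises either form and pulls such codes out of log lines; the function names, the small code table and the sample log lines are constructed for illustration.

```python
import re

# Small subset of well-known codes (assumption: extend for your environment).
KNOWN = {
    0x80041003: "WBEM_E_ACCESS_DENIED",
    0x80041002: "WBEM_E_NOT_FOUND",
    0x8004100E: "WBEM_E_INVALID_NAMESPACE",
    0x80041010: "WBEM_E_INVALID_CLASS",
    0x80070005: "E_ACCESSDENIED",
    0x800706BA: "RPC_S_SERVER_UNAVAILABLE (as HRESULT)",
}
FACILITY = {4: "FACILITY_ITF", 7: "FACILITY_WIN32"}
# Signed decimal, 0x-prefixed hex, or bare 8-digit hex starting with 8.
CODE_RE = re.compile(
    r"(?<![\w-])(-\d{10}|0[xX][0-9A-Fa-f]{8}|8[0-9A-Fa-f]{7})(?!\w)")

def to_hresult(text):
    """Return the unsigned 32-bit value for a signed-decimal or hex code."""
    s = text.strip()
    if s.startswith("-"):
        return int(s) & 0xFFFFFFFF   # two's-complement view of the Long
    return int(s, 16) & 0xFFFFFFFF

def decode(value):
    """Split an HRESULT into its severity, facility and code fields."""
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),
        "facility": FACILITY.get((value >> 16) & 0x7FF, "other"),
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }

def triage(lines):
    """Return (line number, hex code, name) for every code found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CODE_RE.finditer(line):
            d = decode(to_hresult(m.group(1)))
            hits.append((n, d["hex"], d["name"]))
    return hits

# Constructed sample log lines, not taken from the thread.
SAMPLE = [
    "2004-09-07 10:31:02 GET /wmi/os.asp 500 Error -2147217405",
    "2004-09-07 10:31:09 GET /wmi/proc.asp 500 err 80041003",
    "2004-09-07 10:32:40 GET /wmi/os.asp 500 0x800706BA",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```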