Re: WMI in ASP fails on 2003 (err 80041003); works fine on 2000

From: Jeff Davis (scripting-Remove.Please_at_foundations.com)
Date: 09/07/04


Date: Tue, 7 Sep 2004 16:06:44 -0700

Gerry.

First - sincere apologies for the little typos and things that have made my
part of this conversation so nonsensical. Too many late nights.

Second - I have two production 2000 servers here that process the WMI in ASP
pages with no errors.

Third - I installed a brand-new, clean 2000 server and tried it - I get the
errors you expect.

Fourth - I honestly don't know why it works on the production servers.

Fifth - Any suggestions for a good answer to the problem? I can do
delegation in the ASP page (but that requires 2000 or later target PCs). I
can also simply convert the WMI code to a SCRIPT, and download and execute
it on the client. I'm wondering if you have any other good suggestions.

Thanks,

Jeff

"Gerry Hickman" <gerry1uk@netscape.net> wrote in message
news:%236H6o3LlEHA.3940@tk2msftngp13.phx.gbl...
> Hi Jeff,
>
> The first code example you give, you say that when you run it you get the
> "expected list of processes", but this is unlikely since your code is
> actually enumerating Win32_OperatingSystem.
>
> Still regardless of this, when I run either of your code examples on my
> Win2k network with IISv5 and integrated authentication I get
>
> Error -2147217405
>
> Which translates to "Access Denied".
>
> This is exactly what I'd expect to get, since IIS is not allowed to obtain
> a WMI object from a remote computer.
>
> Since it works on your systems, I can only assume you've either hacked
> your security OR you've set up delegation? I don't see how it can work
> otherwise because it breaks the "two hop" rule (which we all agree can't
> be broken). Are you sure your IISv5 has not been set to run under a
> domain account?
>
> When you browse to your ASP page, you will begin executing the VBScript as
> an Administrator, but as soon as it gets to the GetObject() call, it will
> try to do a "double hop" and fail.
>
> That's my understanding of it at least.
>
> --
> Gerry Hickman
> SSRU SysAdmin
>
> "Jeff Davis" <scripting-Remove.Please@foundations.com> wrote in message
> news:uMNXOVHlEHA.2680@TK2MSFTNGP15.phx.gbl...
>> Gerry,
>>
>> Let me attempt to clarify.
>>
>> I have two Windows 2000 Servers, SP4, running IIS 5.0. On both, I create
>> a new folder in wwwroot. With the IIS snap-in, I configure the directory
>> to require Integrated Authentication (no anonymous). I drop in an ASP
>> page with the following code:
>>
>> <%
>> Set objOS = GetObject("winmgmts://server1.test.com").InstancesOf("Win32_OperatingSystem")
>> For Each obj In objOS
>>     Response.Write (obj.name) & "<BR>"
>> Next
>> %>
>>
>> I hit the page using a Web browser while logged in with an administrative
>> account. I get the expected list of processes on a remote machine (not
>> the Web server). No problems. Exactly as though I ran the code within a
>> .vbs script.
>>
>> I do exactly the same thing with Windows Server 2003 servers and IIS 6.0,
>> and I get the errors. To avoid the errors, I must rewrite the code so
>> that the WMI script uses delegation to reach the remote machine.
>>
>> <%
>> Set colProc = GetObject("winmgmts:{impersonationlevel=delegate,authority=kerberos:server1}!//server1.test.com/root/cimv2").InstancesOf("win32_Process")
>> For Each obj In colProc
>>     Response.Write (obj.name)
>> Next
>> %>
>>
>> This works, but is a problem if the target machine is pre-Windows 2000.
>>
>> My questions again...
>>
>> 1. Why?
>> 2. How can I avoid it?
>>
>> Thanks,
>>
>> Jeff
>>
>>
>>
>> "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
>> news:uZINy%23FlEHA.3988@TK2MSFTNGP14.phx.gbl...
>> > Gerry Hickman wrote:
>> >
>> >> Your example is not very good,
>> >
>> > Sorry, I was getting confused here as you originally mentioned
>> > "interactive login". If your example DOES work without delegation, and
>> > with default IISv5 account (and since it uses impersonation) then I'd
>> > be somewhat surprised as similar code certainly does not work on my own
>> > Win2k IISv5 network - except on the box which is running IIS of course.
>> >
>> > --
>> > Gerry Hickman (London UK)
>>
>>
>
>
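
An added diagnostic, not part of the original thread: a WSH VBScript that reads the two Active Directory flags Kerberos delegation depends on, to help answer whether delegation has been set up on a server where the second hop to WMI succeeds. The bit values are the standard ADS_USER_FLAG constants; running it with cscript on the IIS server, logged on as the browsing domain user, is an assumption.

```vbscript
Option Explicit

' userAccountControl bits from the ADS_USER_FLAG enumeration.
Const ADS_UF_TRUSTED_FOR_DELEGATION = &H80000   ' account may forward callers' credentials
Const ADS_UF_NOT_DELEGATED          = &H100000  ' "sensitive and cannot be delegated"

' True when the given bit is set in a userAccountControl value.
Function HasFlag(uac, flag)
    HasFlag = ((uac And flag) <> 0)
End Function

' Read userAccountControl for a distinguished name; returns Null on failure.
Function ReadUac(dn)
    Dim obj
    ReadUac = Null
    On Error Resume Next
    Set obj = GetObject("LDAP://" & dn)
    If Err.Number = 0 Then ReadUac = obj.Get("userAccountControl")
    On Error GoTo 0
End Function

' ADSystemInfo needs a domain-joined machine and a domain logon.
' Assumption: IIS runs as a local/system identity, so the computer account is
' the one that delegates. If IIS runs under a domain account, check that account.
Dim sysInfo, serverUac, userUac, serverOk, userOk
Set sysInfo = CreateObject("ADSystemInfo")
serverUac = ReadUac(sysInfo.ComputerName)   ' DN of this computer account
userUac   = ReadUac(sysInfo.UserName)       ' DN of the logged-on user

If IsNull(serverUac) Or IsNull(userUac) Then
    WScript.Echo "Could not read userAccountControl from Active Directory."
    WScript.Quit 1
End If

serverOk = HasFlag(serverUac, ADS_UF_TRUSTED_FOR_DELEGATION)
userOk   = Not HasFlag(userUac, ADS_UF_NOT_DELEGATED)
WScript.Echo "Server trusted for delegation:    " & serverOk
WScript.Echo "User account may be delegated:    " & userOk
WScript.Echo "Thread error -2147217405 in hex:  0x" & Hex(-2147217405)

If serverOk And userOk Then
    WScript.Echo "AD flags permit delegation (Kerberos authentication is still required)."
Else
    WScript.Echo "AD flags do not permit delegation from this server for this user."
End If
```

A server that shows "trusted for delegation" can forward any delegable caller's credentials to other machines, so the result is also worth reviewing as a least-privilege finding.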


