Re: Ex2007 EVS on Windows 2008
- From: Nick Burkitt <nick.burkitt@xxxxxxxxxxxxxxxxx>
- Date: Fri, 24 Oct 2008 09:39:01 -0700
Thanks again, Jialiang. I look forward to the results of your research.
--
-Nick
"Jialiang Ge [MSFT]" wrote:
Hello Nick,
This is a quick note to let you know that I'm doing research to see
if it's possible to query the requested encryption of a WMI namespace. Two
ideas come to my mind at the moment:
1. If the WMI namespace to be queried is known ahead of time, and if we have
the access to the remote computer's file system to check the mof files (see
my first reply for mof files), I think we can decide PktPrivacy / Pkt
directly according to the RequiresEncryption setting.
2. An error-and-try strategy may also be helpful. For example, we first use
the default authentication level. If Access Denied is returned, which means
that the target requests encryption, we then use PktPrivacy.
I will be back as soon as possible.
Regards,
Jialiang Ge
Microsoft Online Community Support
=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx
This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================
"Nick Burkitt" <nick.burkitt@xxxxxxxxxxxxxxxxx> wrote in message
news:B448E2DE-A602-498D-8C77-BF5E3E915751@xxxxxxxxxxxxxxxx
Hi Jialiang.
Thanks for the prompt reply. I agree that it will be necessary to change
the authentication level to PKT_PRIVACY. The problem remains how to know
when this will be required. I don't want to incur the overhead of encrypting
every WMI connection, and since the server requests authn level PKT, rather
than PKT_PRIVACY when connecting, I need some way to know that the server has
negotiated a value that it will not accept.
Any thoughts?
Thanks,
-Nick
"Jialiang Ge [MSFT]" wrote:
Good morning Nick, thank you for using Newsgroup support service! My name
is Jialiang Ge [MSFT]. It's my pleasure to work with you on this issue.
You have a very sharp and acute observation that this ACCESS_DENIED problem
is possibly caused by the requested Authentication level: PKT_PRIVACY. A
relevant MSDN article is:
Requiring an Encrypted Connection to a Namespace
http://msdn.microsoft.com/en-us/library/aa393068(VS.85).aspx
In Windows 2008 C:\Windows\System32\Wbem\ClusWmi.mof for the
\\.\Root\MSCluster namespace, I see [RequiresEncryption]:
#pragma namespace("\\\\.\\Root\\MSCluster")
[RequiresEncryption]
Instance of __systemSecurity
{
};
Therefore, it requires an encrypted connection. WMI rejects a client that uses
the Default authentication level because DCOM negotiates the security to
the level required by the SVCHOST process in which the WMI service is
running. I think that there are basically two solutions for your reference:
1. Change the Default Authentication Credential to
RPC_C_AUTHN_LEVEL_PKT_PRIVACY
Using C++:
http://msdn.microsoft.com/en-us/library/aa393617(VS.85).aspx
Using VBScript:
http://msdn.microsoft.com/en-us/library/aa393618(VS.85).aspx
2. Modify the ClusWmi.mof file to not require Encryption. (though I feel
it's not very recommended)
Open ClusWmi.mof and change
[RequiresEncryption]
to
[RequiresEncryption(FALSE)]
Then run "mofcomp.exe ClusWmi.mof" from the folder.
Please try the solutions and let me know whether they are helpful to you or
not. If you have any other questions or concerns, feel free to tell me.
Have a very nice day!
Regards,
Jialiang Ge (jialge@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support
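Added example (not part of the original thread and not Microsoft's code): the try-then-escalate strategy from idea 2 above, written in PowerShell against System.Management, with a per-namespace cache so the refused attempt is paid only once. The function name, the cache variable and the host name are hypothetical, and it assumes the refusal surfaces as Access Denied, as the thread describes.

```powershell
# Added example. Connect-WmiNamespace, $script:AuthLevelCache and the host
# name in the usage comment are hypothetical names, not from the thread.
Add-Type -AssemblyName System.Management

$script:AuthLevelCache = @{}   # "\\host\namespace" -> level that worked

function Connect-WmiNamespace {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [string] $Namespace = 'root\MSCluster'
    )
    $path = "\\$ComputerName\$Namespace"

    # Reuse a level that already worked so the denied attempt happens only once;
    # otherwise try the default level first, then PacketPrivacy (PKT_PRIVACY).
    if ($script:AuthLevelCache.ContainsKey($path)) {
        $levels = @($script:AuthLevelCache[$path])
    } else {
        $levels = @([System.Management.AuthenticationLevel]::Default,
                    [System.Management.AuthenticationLevel]::PacketPrivacy)
    }

    foreach ($level in $levels) {
        $options = New-Object System.Management.ConnectionOptions
        $options.Authentication = $level
        $scope = New-Object System.Management.ManagementScope($path, $options)
        try {
            $scope.Connect()
            $script:AuthLevelCache[$path] = $level
            return $scope
        } catch {
            # Assumption: the refusal surfaces as Access Denied, as in the thread.
            $ex = $_.Exception.GetBaseException()
            $denied = ($ex -is [System.UnauthorizedAccessException]) -or
                      (($ex -is [System.Management.ManagementException]) -and
                       ($ex.ErrorCode -eq [System.Management.ManagementStatus]::AccessDenied))
            if (-not $denied) { throw }   # network, RPC, bad namespace: not our case
            Write-Verbose "$path refused authentication level $level"
        }
    }
    throw "Access denied to $path at every level tried ($($levels -join ', '))."
}

# Usage (hypothetical host name):
# $scope = Connect-WmiNamespace -ComputerName 'NODE1' -Verbose
# $query = New-Object System.Management.ObjectQuery 'SELECT Name FROM MSCluster_Cluster'
# (New-Object System.Management.ManagementObjectSearcher($scope, $query)).Get()
```

Where a namespace is already known to carry [RequiresEncryption], as ClusWmi.mof shows for Root\MSCluster, setting PacketPrivacy from the start avoids the refused first attempt.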