Re: Problems with authentication/impersonation
From: andrew_webby at hotmail (andrew_webby_at_hotmail)
Date: 04/06/04
- Next message: Cor: "Re: Which book?"
- Previous message: Cor: "Re: Is it possible only create form once and active the form second time?"
- In reply to: [MS] Scott McNairy: "Re: Problems with authentication/impersonation"
- Next in thread: Willy Denoyette [MVP]: "Re: Problems with authentication/impersonation"
- Reply: Willy Denoyette [MVP]: "Re: Problems with authentication/impersonation"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 6 Apr 2004 09:10:45 +0100
Morning guys :)
Thanks for all the great assistance with this. I didn't try making the
computer account (that's my 'control' computer yeah, and not the ones that
are being told to install the patch?) enabled for delegation so I'll give
that a go just now.
Scott, yeah all the pieces in the jigsaw are part of the same domain. I have
two domains I'm trying in, one is Native and the other is Mixed. XP -> XP
and 2k3 -> XP are the platforms I'm trying on at the moment.
Anyway, after a night's sleep, I came up with a workaround, but it's one of
those "well, only if I must" deals. Kind of hoped I was past kludges like
this, but hey-ho.
I just drop a batch file on the client's computer, and then spawn my process
with a password passed to it (in clear text over the LAN, but as it's a
lowly non-logonable account that shouldn't matter too much. The patch$ share
is world-readable.).
The batch file looks like this:
@echo off
rem %1 is the lowly_user password, passed on the command line by the process WMI spawns
net use \\server\patch$ /user:DOMAIN\lowly_user %1
rem Prove the share is reachable from this (network-logon) process and log the result
dir \\server\patch$>> c:\log.log 2>&1
net use \\server\patch$ /d
echo done>> c:\log.log 2>&1
And that's the job done. I then start my process as "install <password>".
A bit fakey and I cringe at the thought of passing passwords around, but I
should be able to lock it down a bit.
I'll persist on the Kerberos option for a while, as I can't get my process to
start with the current code, and see what comes up.
Out of interest, here's my problem with that:
' Reference System.Management.dll and add "Imports System.Management" at the top of the file
Dim options As New ConnectionOptions
options.EnablePrivileges = True
options.Authentication = AuthenticationLevel.Call ' (tried them all)
options.Impersonation = ImpersonationLevel.Delegate ' (tried them all, too :))
' MSDN documents this value as "Kerberos:<principal name>", where the principal
' is the target server's (the machine named in pc), not the connecting user
options.Authority = "Kerberos:DOMAIN\andreww"
options.Username = "DOMAIN\andreww" ' (tried with/without this line)
options.Password = txtPassword.Text
Dim scope As New ManagementScope("\\" & pc & "\root\cimv2", options)
scope.Connect() ' **** FAILS HERE with TARGET INVOCATION EXCEPTION
Dim processClass As New ManagementClass("Win32_Process")
processClass.Scope = scope
Dim inParams As ManagementBaseObject = processClass.GetMethodParameters("Create")
Dim startup As New ManagementClass("Win32_ProcessStartup")
startup.Scope = scope
' The password ends up on the remote command line, visible in the process list
inParams("CommandLine") = "c:\check.cmd " & txtPassword.Text
inParams("ProcessStartupInformation") = startup
Dim outParams As ManagementBaseObject = processClass.InvokeMethod("Create", inParams, Nothing)
' ReturnValue 0 = success; 2 = access denied; 8 = unknown failure; 9 = path not found
Debug.WriteLine("CreateProcess returned :" & outParams("ReturnValue").ToString())
The above bit works fine with ImpersonationLevel.Impersonate - it just gets
screwed up when changed to delegate so I'm not sure what's going on there.
Back to the books I think :)
Thanks again for the help guys.
Cheers
AW
"[MS] Scott McNairy" <scotmc@online.microsoft.com> wrote in message
news:4071fe64$1@news.microsoft.com...
> I reviewed most of the thread. Did you enable the computer account that is
> the WMI Server in Active Directory to be enabled for delegation? Also is
> the file share mentioned a part of this Active Directory or one of its
> member servers?
>
> The other steps are also required, enabling kerberos authority and
> specifying the delegation on the Impersonation Level.
>
> --
> [MS] Scott McNairy
> WMI Test Engineer
> This posting is provided "As Is" with no warranties, and confers no rights.
> Use of included script samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
> news:%23D77Fm0GEHA.4012@TK2MSFTNGP09.phx.gbl...
> > Andrew,
> > I've done some tests myself, and as far as I see this can't work, simply
> > because WMI (actually wmiprvse.exe) launches the command shell (cmd) in the
> > security context of the impersonated domain account, but its logon type is
> > 3 (NETWORK), that means its token is obtained by a network logon, so it runs
> > without network privileges!
> > Note that Kerberos was used to authenticate the client, but the ticket
> > obtained by WMI is dropped on the floor when he starts another process.
> >
> > PS. I'm not clear as to why you see machine$ is used to access the share, are
> > you sure it's not the Logon session event written when wmiprvse.exe is
> > spawned by svchost.exe?
> >
> > Willy.
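An added example, in PowerShell, that is not code from this thread or from any of its authors. It puts Scott's and Willy's points side by side as a diagnostic: it checks whether the target's computer account is trusted for delegation (the userAccountControl bit Scott asks about), then creates the same kind of remote process twice over WMI, once at Impersonate and once at Delegate with a Kerberos authority naming the server principal, and has the spawned process record on the target what `whoami /groups` reports (a network logon shows the NT AUTHORITY\NETWORK group) and whether a `dir` of the share succeeds from there. DOMAIN, \\server\patch$, the log path and the C$ admin share are assumptions; the script also assumes the caller has a Kerberos logon, admin rights on the target, and that whoami.exe exists there.

```powershell
# Added example, not from the thread. Assumed names: DOMAIN, \\server\patch$,
# a target PC reachable over DCOM, and a caller with a Kerberos TGT and admin
# rights on the target (needed for Win32_Process.Create and the C$ share).
param(
    [Parameter(Mandatory = $true)] [string] $Target,
    [string] $Share  = '\\server\patch$',
    [string] $Domain = 'DOMAIN'
)

# Win32_Process.Create return codes worth recognising (documented WMI values).
$CreateResult = @{ 0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege'
                   8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter' }

# 1. Is the target's computer account trusted for (unconstrained) delegation?
#    TRUSTED_FOR_DELEGATION is bit 0x80000 of userAccountControl. Plain ADSI, no RSAT module.
function Test-TrustedForDelegation {
    param([string] $ComputerName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        "(&(objectCategory=computer)(cn=$ComputerName))")
    [void] $searcher.PropertiesToLoad.Add('userAccountControl')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Computer account '$ComputerName' not found in the current domain." }
    $uac = [int] $hit.Properties['useraccountcontrol'][0]
    return (($uac -band 0x80000) -ne 0)
}

# 2. Spawn a probe on the target that records its own token groups and whether it
#    can reach the share from there (the second hop). Output stays on the target.
function Invoke-HopProbe {
    param(
        [ValidateSet('Impersonate', 'Delegate')] [string] $Impersonation,
        [string] $Authority
    )
    $probe = "cmd.exe /c (whoami /groups & dir $Share) > C:\hoptest-$Impersonation.log 2>&1"
    $wmiArgs = @{
        ComputerName   = $Target
        Class          = 'Win32_Process'
        Name           = 'Create'
        ArgumentList   = $probe
        Impersonation  = $Impersonation
        Authentication = 'PacketPrivacy'   # encrypt the DCOM channel end to end
        ErrorAction    = 'Stop'
    }
    if ($Authority) { $wmiArgs['Authority'] = $Authority }
    $result = Invoke-WmiMethod @wmiArgs
    [pscustomobject]@{
        Impersonation = $Impersonation
        Authority     = $Authority
        ReturnValue   = $result.ReturnValue
        Meaning       = $CreateResult[[int] $result.ReturnValue]
        ProcessId     = $result.ProcessId
    }
}

$trusted = Test-TrustedForDelegation -ComputerName $Target
"Computer account $Target trusted for delegation: $trusted"
if (-not $trusted) {
    "Delegate will gain nothing until 'Trust this computer for delegation' is set on ${Target}'s account."
}

# Impersonate: Create itself normally succeeds, but the probe runs on a type-3 (NETWORK)
# logon token with no credentials for the next hop, so expect its 'dir' to be denied.
Invoke-HopProbe -Impersonation Impersonate

# Delegate, with the Kerberos authority naming the server principal (the target machine).
Invoke-HopProbe -Impersonation Delegate -Authority "Kerberos:$Domain\$Target"

# Give the probes a moment, then read both logs back over the admin share and compare.
Start-Sleep -Seconds 3
foreach ($level in 'Impersonate', 'Delegate') {
    "--- $level ---"
    Get-Content "\\$Target\c`$\hoptest-$level.log" -ErrorAction SilentlyContinue
}
```

Run it from a domain-joined machine as `.\hoptest.ps1 -Target PC1`. The two log files are the evidence: if both list NT AUTHORITY\NETWORK and only the Delegate run's `dir` succeeds, delegation is doing its job; if the Delegate run fails at Invoke-WmiMethod itself, the failure is on the DCOM connect (the same place the VB.NET code above stops) rather than on the second hop.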