RE: Possible Impersonation Issue?

Looks like I found the issue: it was with a seImpersonateClient GPO. It all
started when we tried to install SQL Reporting Services, which wants the
local IWAM_ServerName account to be able to impersonate. When this GPO is
applied, there are impacts on several services.
> 1. when connecting to DC through compmgmt.msc, connection succeeds, but
> there is an error on opening the Event Viewer "Either a required
> impersonation level was not provided, or the provided impersonation level is
> invalid." This is done when logged in/connecting as a Domain Admin. But
> this happens on only two of the DCs. I can open the Event Viewer on all the
> others.

This can be remedied by adding NETWORK SERVICE and LOCAL SERVICE to the
Impersonate GPO, stopping the Remote Registry service, then reconfiguring the
service so it no longer logs on as NT AUTHORITY\LocalService (I just changed it
to NetworkService), clicking Apply, clicking OK when told that Network Service
has been granted the "log on as a service" right, and starting the service.
Then go back into the service properties and go through the same exercise to
return it to LocalService. This re-registers the service with the new
permissions. Note that just restarting the service did not achieve the same
result.

> 2. WMI scripts that I have used for months started failing on all DCs. I
> have done extensive troubleshooting, from the TechNet WMI FAQ. I am
> connecting through DCOM, but all scripted WQL queries fail. Using
> WBEMtest.exe, I can connect remotely and enumerate classes. I went into WMI
> Security and gave both the Domain Admins and even myself explicit "full
> control" permissions, and restarted the WMI service; scripts still fail.
> It makes no difference if I run scripts from the admin workstation, termed
> into the DC, or logged in to the DC console. Opening WMI Control (from the
> WMI Control properties in the MMC) gives Access Denied errors for
> Win32_Processor and Win32_OperatingSystem. I can configure security locally,
> but not remotely (is this by design?). I have rebuilt WMI by deleting the
> repository directory and re-registering the executables and the DLLs. No
> help.

This was remedied by putting NETWORK SERVICE in the GPO. When you connect
to WMI, you may authenticate to DCOM as yourself, but your queries run against
WMI in the NT AUTHORITY\NetworkService context. I found this in one of the WMI
logs: a query by NetworkService kept failing.

> 3. I can no longer connect remotely to the registries on the same two DCs as
> in #1 above. The Remote Registry service is running on both the admin
> workstation and the servers.

This was remedied by the fix in #1 above.

Hope this helps someone else!
Cheers!
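As an added example (not part of the original post or its author's work), a PowerShell check for the condition described above: it exports the effective user-rights assignments with secedit and confirms that LOCAL SERVICE, NETWORK SERVICE and SERVICE still hold SeImpersonatePrivilege, the right behind the "Impersonate a client after authentication" setting that the post's GPO overrode. The export path is an assumption; the SIDs are the well-known values for those accounts.

```powershell
# Added example, not from the original post. Run elevated on the DC being
# checked. Verifies that the accounts the post had to add back to the
# Impersonate GPO still hold SeImpersonatePrivilege in the effective policy.

# Well-known SIDs for the service accounts the post names.
$required = @{
    'S-1-5-19' = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'
    'S-1-5-6'  = 'NT AUTHORITY\SERVICE'
}

# Assumed export location; secedit writes the policy in INF format (UTF-16).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt" }

# The [Privilege Rights] section holds lines like:
#   SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
$line = Get-Content $cfg -Encoding Unicode |
    Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
if (-not $line) {
    Write-Warning "SeImpersonatePrivilege is not assigned to anyone in the exported policy"
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return
}

# Right-hand side is comma-separated; SIDs carry a leading '*', names do not.
$holders = ($line -split '=', 2)[1].Split(',') |
    ForEach-Object { $_.Trim().TrimStart('*') }

foreach ($sid in $required.Keys) {
    $name = $required[$sid]
    if (($holders -contains $sid) -or ($holders -contains $name)) {
        "OK       $name holds SeImpersonatePrivilege"
    } else {
        # This is the state the post describes: Remote Registry, Event Viewer
        # and WMI calls fail because the service account cannot impersonate.
        Write-Warning "MISSING  $name lacks SeImpersonatePrivilege"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If a GPO is the source of the override, fixing the local policy alone will not stick; the entry has to be corrected in the GPO itself, as the post does.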