VB.NET (2.0) impersonate not working

VB.NET (2.0) impersonate not working

am 17.05.2007 22:33:01 von NathanC

I have a web project that is running this code: (generalized for security)

refWMIService = GetObject("winmgmts:\\computer_name")
colcomputers = refWMIService.ExecQuery("Select * From
Win32_OperatingSystem")
For Each refComputer In colcomputers
If refComputer.reboot() = 0 Then
Response.Write("reboot")
Else
Response.Write("nope")
End If

This is WMI functionality and on the remote computer - the ASPNET account
obviously does not have permission to do this - and I can see Failed Audit
events in the computer security log. So, I have added this bit of code to the
web.config file for the project:

password="password" />

When I rebuild the project and even restart IIS - the call is still hitting
the remote computer as ASPNET account - although my understanding is that
because of the impersonate web.config tag - it should send using the higher
access credentials.

Any thoughts? Thanks,

Re: VB.NET (2.0) impersonate not working

am 18.05.2007 12:49:24 von David Wang

On May 17, 1:33 pm, NathanC wrote:
> I have a web project that is running this code: (generalized for security)
>
> refWMIService = GetObject("winmgmts:\\computer_name")
> colcomputers = refWMIService.ExecQuery("Select * From
> Win32_OperatingSystem")
> For Each refComputer In colcomputers
> If refComputer.reboot() = 0 Then
> Response.Write("reboot")
> Else
> Response.Write("nope")
> End If
>
> This is WMI functionality and on the remote computer - the ASPNET account
> obviously does not have permission to do this - and I can see Failed Audit
> events in the computer security log. So, I have added this bit of code to the
> web.config file for the project:
>
> > password="password" />
>
> When I rebuild the project and even restart IIS - the call is still hitting
> the remote computer as ASPNET account - although my understanding is that
> because of the impersonate web.config tag - it should send using the higher
> access credentials.
>
> Any thoughts? Thanks,



I do not believe WMI security model works that way.

Just because you tell ASP.Net to impersonate a user identity to
execute WMI code, it does not mean that WMI flows the thread-
impersonated user identity across to the other machine. I believe with
WMI you have to give the username/password in code to the WMI
connection itself.

See how to do this with with the IIS6 Administration scripts like
iisback.vbs which shows how to make remote WMI calls using a specified
user credential.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//