Need basic help authenticating remote wmi call from an asp webpage

Need basic help authenticating remote wmi call from an asp webpage

am 02.11.2007 00:49:34 von mark

Hi all,
I am attempting to create a web-page that will check several servers and
verify that the local admin account has been renamed properly. I've written
a .vbs (command file) to do it - I have the necessary rights on each
server - and it works just fine (portion shown below)

My problem is converting it to an asp web page. When I try, I always get a
security failure. I've checked and the page is running under a domain id
with admin rights to the servers. I am assuming its something I just can't
find the answer to, about the way ASP handles security impersonation. Can
someone point me to where I need to look?



Original .vbs code (which works)

Set WmiObjSet = GetObject("winmgmts:\\" & strComputer)
Set colItems = WmiObjSet.ExecQuery ("Select * from Win32_Account)


Code in test.asp which fails with: Permission Denied: 'GetObject'

Response.Write Request.ServerVariables("LOGON_USER")
set IPConfigSet = GetObject("winmgmts://xxxxxxxxxxxx").ExecQuery("SELECT
* from Win32_Account")


Based on some examples on MSDN, I have also tried (with no luck):

set IPConfigSet =
GetObject("winmgmts:{impersonationLevel=impersonate}!//xxxxx xxxxxxx/root/cimv2").ExecQuery("SELECT
* from Win32_Account")

set IPConfigSet =
GetObject("winmgmts:{impersonationLevel=delegate,authority=n tlmdomain:xxxx}//xxxxxxxxxxxx/root/cimv2").ExecQuery("SELECT
* from Win32_Account")


Any help would be greatly appreciated
Mark

Re: Need basic help authenticating remote wmi call from an asp webpage

am 03.11.2007 16:15:54 von Anthony Jones

"Mark" wrote in message
news:8F335599-ADDE-4525-9986-10C3DBEB6CC4@microsoft.com...
> Hi all,
> I am attempting to create a web-page that will check several servers and
> verify that the local admin account has been renamed properly. I've
written
> a .vbs (command file) to do it - I have the necessary rights on each
> server - and it works just fine (portion shown below)
>
> My problem is converting it to an asp web page. When I try, I always get a
> security failure. I've checked and the page is running under a domain id
> with admin rights to the servers. I am assuming its something I just can't
> find the answer to, about the way ASP handles security impersonation. Can
> someone point me to where I need to look?
>
>
>
> Original .vbs code (which works)
>
> Set WmiObjSet = GetObject("winmgmts:\\" & strComputer)
> Set colItems = WmiObjSet.ExecQuery ("Select * from Win32_Account)
>
>
> Code in test.asp which fails with: Permission Denied:
'GetObject'
>
> Response.Write Request.ServerVariables("LOGON_USER")
> set IPConfigSet =
GetObject("winmgmts://xxxxxxxxxxxx").ExecQuery("SELECT
> * from Win32_Account")
>
>
> Based on some examples on MSDN, I have also tried (with no luck):
>
> set IPConfigSet =
>
GetObject("winmgmts:{impersonationLevel=impersonate}!//xxxxx xxxxxxx/root/cim
v2").ExecQuery("SELECT
> * from Win32_Account")
>
> set IPConfigSet =
>
GetObject("winmgmts:{impersonationLevel=delegate,authority=n tlmdomain:xxxx}/
/xxxxxxxxxxxx/root/cimv2").ExecQuery("SELECT
> * from Win32_Account")
>
>
> Any help would be greatly appreciated

You say "I've checked and the page is running under a domain id with admin
rights to the servers". How have you done that?

What happens if you turn off anonymous access and turn on Windows
intergrated then visit the page using the same logon credentials you used in
script testing?

--
Anthony Jones - MVP ASP/ASP.NET

Re: Need basic help authenticating remote wmi call from an asp webpage

am 05.11.2007 16:32:10 von mark

Anthony, thanks for responding.
The website uses Windows integrated authentication and I placed a

Response.Write Request.ServerVariables("LOGON_USER")

in the code, it shows that my id running the page is the domain account with
admin rights over both the webserver and the server I am trying to attach
to.

I'm fairly confident the code is right, if I remove the remote server name
the code runs just fine. I tried the sample code found at
http://msdn2.microsoft.com/en-us/library/aa389395.aspx but it gives the same
error if I try to run it against a remote computer, which implies I have
some kind of environment setting incorrect or I don't have the remoteserver
syntax exactly correct. A missing group from some local security policy or
registry key is my fear.

I created a web.config and added based on
http://support.microsoft.com/kb/307901 but it hasn't helped.

I guess WMI just won't run remotely from inside of a web page - probably a
security thing - and I will have to go back to batch files.

Mark




"Anthony Jones" wrote in message
news:u6UsuxiHIHA.1164@TK2MSFTNGP02.phx.gbl...
> "Mark" wrote in message
> news:8F335599-ADDE-4525-9986-10C3DBEB6CC4@microsoft.com...
>> Hi all,
>> I am attempting to create a web-page that will check several servers and
>> verify that the local admin account has been renamed properly. I've
> written
>> a .vbs (command file) to do it - I have the necessary rights on each
>> server - and it works just fine (portion shown below)
>>
>> My problem is converting it to an asp web page. When I try, I always get
>> a
>> security failure. I've checked and the page is running under a domain id
>> with admin rights to the servers. I am assuming its something I just
>> can't
>> find the answer to, about the way ASP handles security impersonation. Can
>> someone point me to where I need to look?
>>
>>
>>
>> Original .vbs code (which works)
>>
>> Set WmiObjSet = GetObject("winmgmts:\\" & strComputer)
>> Set colItems = WmiObjSet.ExecQuery ("Select * from Win32_Account)
>>
>>
>> Code in test.asp which fails with: Permission Denied:
> 'GetObject'
>>
>> Response.Write Request.ServerVariables("LOGON_USER")
>> set IPConfigSet =
> GetObject("winmgmts://xxxxxxxxxxxx").ExecQuery("SELECT
>> * from Win32_Account")
>>
>>
>> Based on some examples on MSDN, I have also tried (with no luck):
>>
>> set IPConfigSet =
>>
> GetObject("winmgmts:{impersonationLevel=impersonate}!//xxxxx xxxxxxx/root/cim
> v2").ExecQuery("SELECT
>> * from Win32_Account")
>>
>> set IPConfigSet =
>>
> GetObject("winmgmts:{impersonationLevel=delegate,authority=n tlmdomain:xxxx}/
> /xxxxxxxxxxxx/root/cimv2").ExecQuery("SELECT
>> * from Win32_Account")
>>
>>
>> Any help would be greatly appreciated
>
> You say "I've checked and the page is running under a domain id with
> admin
> rights to the servers". How have you done that?
>
> What happens if you turn off anonymous access and turn on Windows
> intergrated then visit the page using the same logon credentials you used
> in
> script testing?
>
> --
> Anthony Jones - MVP ASP/ASP.NET
>
>