Need basic help authenticating remote wmi call from an asp webpage

[Mark]

Hi all,
I am attempting to create a web-page that will check several servers and
verify that the local admin account has been renamed properly. I've written
a .vbs (command file) to do it - I have the necessary rights on each
server - and it works just fine (portion shown below)

My problem is converting it to an asp web page. When I try, I always get a
security failure. I've checked and the page is running under a domain id
with admin rights to the servers. I am assuming its something I just can't
find the answer to, about the way ASP handles security impersonation. Can
someone point me to where I need to look?



Original .vbs code (which works)

Set WmiObjSet = GetObject("winmgmts:\\" & strComputer)
Set colItems = WmiObjSet.ExecQuery ("Select * from Win32_Account)


Code in test.asp which fails with: Permission Denied: 'GetObject'

Response.Write Request.ServerVariables("LOGON_USER")
set IPConfigSet = GetObject("winmgmts://xxxxxxxxxxxx").ExecQuery("SELECT
* from Win32_Account")


Based on some examples on MSDN, I have also tried (with no luck):

set IPConfigSet =
GetObject("winmgmts:{impersonationLevel=impersonate}!//xxxxxxxxxxxx/root/cimv2").ExecQuery("SELECT
* from Win32_Account")

set IPConfigSet =
GetObject("winmgmts:{impersonationLevel=delegate,authority=ntlmdomain:xxxx}//xxxxxxxxxxxx/root/cimv2").ExecQuery("SELECT
* from Win32_Account")


Any help would be greatly appreciated
Mark

 

[Anthony Jones]

Hi all,
I am attempting to create a web-page that will check several servers and
verify that the local admin account has been renamed properly. I've written
a .vbs (command file) to do it - I have the necessary rights on each
server - and it works just fine (portion shown below)

My problem is converting it to an asp web page. When I try, I always get a
security failure. I've checked and the page is running under a domain id
with admin rights to the servers. I am assuming its something I just can't
find the answer to, about the way ASP handles security impersonation. Can
someone point me to where I need to look?



Original .vbs code (which works)

Set WmiObjSet = GetObject("winmgmts:\\" & strComputer)
Set colItems = WmiObjSet.ExecQuery ("Select * from Win32_Account)


Code in test.asp which fails with: Permission Denied: 'GetObject'

Response.Write Request.ServerVariables("LOGON_USER")
set IPConfigSet = GetObject("winmgmts://xxxxxxxxxxxx").ExecQuery("SELECT
* from Win32_Account")


Based on some examples on MSDN, I have also tried (with no luck):

set IPConfigSet =
GetObject("winmgmts:{impersonationLevel=impersonate}!//xxxxxxxxxxxx/root/cim
v2").ExecQuery("SELECT
* from Win32_Account")

set IPConfigSet =
GetObject("winmgmts:{impersonationLevel=delegate,authority=ntlmdomain:xxxx}/
/xxxxxxxxxxxx/root/cimv2").ExecQuery("SELECT
* from Win32_Account")


Any help would be greatly appreciated

You say "I've checked and the page is running under a domain id with admin
rights to the servers". How have you done that?

What happens if you turn off anonymous access and turn on Windows
intergrated then visit the page using the same logon credentials you used in
script testing?

 

[Mark]

Anthony, thanks for responding.
The website uses Windows integrated authentication and I placed a

Response.Write Request.ServerVariables("LOGON_USER")

in the code, it shows that my id running the page is the domain account with
admin rights over both the webserver and the server I am trying to attach
to.

I'm fairly confident the code is right, if I remove the remote server name
the code runs just fine. I tried the sample code found at
http://msdn2.microsoft.com/en-us/library/aa389395.aspx but it gives the same
error if I try to run it against a remote computer, which implies I have
some kind of environment setting incorrect or I don't have the remoteserver
syntax exactly correct. A missing group from some local security policy or
registry key is my fear.

I created a web.config and added <identity impersonate="true" /> based on
http://support.microsoft.com/kb/307901 but it hasn't helped.

I guess WMI just won't run remotely from inside of a web page - probably a
security thing - and I will have to go back to batch files.

Mark