Problem with WMI on remote system with identity different from that of calling process
James Antognini
wbemtest. I can do this even when I am logged in with a non-admin id, if in wbemtest I specify an admin id/password. I am,
however, having trouble doing getting the data remotely in a program of my own if I run the program under a non-admin id and
specify id/password to the program. Both systems are WinXP Pro SP1. Code is below (error handling removed).
// First parm is program name. Second is system name, eg, AntogniniHome2. Third is userid. Fourth is password.
IWbemLocator * pLocator;
IWbemServices * pServices = NULL;
IClientSecurity * pSecurity = NULL;
BSTR in,
WMIRoot = NULL,
bUserid,
bPassword;
DWORD AuthnSvc,
AuthzSvc,
AuthnLevel,
ImpLevel,
Capabilities;
RPC_AUTH_IDENTITY_HANDLE pAuthHndl = NULL;
WCHAR * pServerPrinName = NULL;
COAUTHIDENTITY AuthIdentity;
HRESULT hr = CoInitializeEx(NULL, // Initialize COM environment for multi-threaded concurrency.
COINIT_MULTITHREADED
);
hr =
CoInitializeSecurity( // Initialize security.
NULL,
-1,
NULL,
NULL,
RPC_C_AUTHN_LEVEL_PKT,
RPC_C_IMP_LEVEL_IMPERSONATE,
NULL,
EOAC_NONE,
0
);
hr = CoCreateInstance( // Create uninitialized object associated with class id CLSID_WbemLocator.
CLSID_WbemLocator,
NULL,
CLSCTX_INPROC_SERVER,
IID_IWbemLocator,
(PVOID*)&pLocator
);
if (2<=nbrArgs) // System specified?
{ // Build root qualified by system, eg, '\\MyComputer\root\WMI'.
hr = VarBstrCat(_bstr_t(L"\\\\"), _bstr_t(pArgv[1]), &in);
}
else
WMIRoot = SysAllocString(L"\\root\\WMI");
if (4==nbrArgs) // Userid and password specified?
{
bUserid = SysAllocString(pArgv[2]);
bPassword = SysAllocString(pArgv[3]);
}
else
{
bUserid = NULL; // Use identity inherited from process.
bPassword = NULL; // "
}
hr = pLocator->ConnectServer( // Connect to the WMI server on this computer and, possibly, through it to another
system.
WMIRoot,
_bstr_t(pArgv[2]),
bPassword,
NULL,
0,
NULL,
NULL,
&pServices
);
hr = pServices->QueryInterface( // Get an interface pointer for the IWbemServices object.
IID_IClientSecurity,
(PVOID*)&pSecurity
);
AuthIdentity.User = pArgv[2];
AuthIdentity.UserLength = wcslen(pArgv[2]);
AuthIdentity.Domain = NULL;
AuthIdentity.DomainLength = 0;
AuthIdentity.Password = pArgv[3];
AuthIdentity.PasswordLength = wcslen(pArgv[3]);
AuthIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
hr = pSecurity->SetBlanket( // Change authentication information for proxy.
pServices,
AuthnSvc,
AuthzSvc,
pServerPrinName,
AuthnLevel,
ImpLevel,
&AuthIdentity,
Capabilities
);
hr = CoQueryProxyBlanket(pServices, &AuthnSvc, &AuthzSvc, &pServerPrinName, &AuthnLevel, &ImpLevel, &pAuthHndl, &Capabilities);
printf("AuthnSvc = 0x%08x, AuthzSvc = 0x%08x, ServerPrinName = %S, AuthnLevel = 0x%08x, ImpLevel = 0x%08x, pAuthHndl = 0x%08x,
Capabilities = 0x%08x\n",
AuthnSvc, AuthzSvc, pServerPrinName, AuthnLevel, ImpLevel, pAuthHndl, Capabilities);
IEnumWbemClassObject * pEnum;
hr = pServices->CreateInstanceEnum(
_bstr_t(pClassName),
WBEM_FLAG_SHALLOW |
WBEM_FLAG_RETURN_IMMEDIATELY |
WBEM_FLAG_FORWARD_ONLY,
NULL, // No context.
&pEnum // Output enumerator.
);
hr = pEnum->Next(
WBEM_INFINITE, // Block until result is returned.
nbrObjsSought, // Number of objects requested.
&pInstance, // Address of IWbemClassObject interface pointer returned.
&nbrObjsReturned // Number of objects returned.
);
Everything is fine if I run this on a system remote from the WDM driver and run it when I am logged in as an administrator. If,
however, I specify another admin's id/password, I get WBEM_E_ACCESS_DENIED on pEnum->Next(); and if I am logged in as a non-admin
and specify an admin userid/password, I get WBEM_E_ACCESS_DENIED on pServices->CreateInstanceEnum.
Ideas?
--
If replying by e-mail, please remove "nospam." from the address.
James Antognini
Windows DDK MVP
James Antognini
Some output from CoQueryProxyBlanket/printf that I didn't show:
AuthnSvc = 0x0000000a, AuthzSvc = 0x00000000, ServerPrinName = NT AUTHORITY\SYST
EM, AuthnLevel = 0x00000004, ImpLevel = 0x00000003, pAuthHndl = 0x0012feec, Capa
bilities = 0x00000001
James Antognini wrote:
> Everything is fine if I run this on a system remote from the WDM driver and run it when I am logged in as an administrator. If,
> however, I specify another admin's id/password, I get WBEM_E_ACCESS_DENIED on pEnum->Next(); and if I am logged in as a non-admin
> and specify an admin userid/password, I get WBEM_E_ACCESS_DENIED on pServices->CreateInstanceEnum.
--
Ivan Brugiolo [MSFT]
did you set the REMOTE_ENABLE bit in the AccessMAsk
of the ACE for your non-admin Principal in the security descriptor of the
root\WMI namespace ?
Other than that, you may want to set the blanket in the
IEnumWbemClassObject interface pointer as well, give the way you've
structured the code.
On average, I would recomend doing a CoQueryProxyBlanket
on the IWbemServices pointer returned from the ConnectServer,
and then I would "echo-back" those settings on the "derived" interface
pointers.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"James Antognini" <anto...@mindspring.nospam.com> wrote in message
news:3FC415F3...@mindspring.nospam.com...
James Antognini
everything worked the way I want. Thanks.
"Ivan Brugiolo [MSFT]" wrote:
> Other than that, you may want to set the blanket in the
> IEnumWbemClassObject interface pointer as well, give the way you've
> structured the code.
--