
WMI remote security Error: 0x80041003


Saah

Jan 16, 2004, 7:08:16 AM
Hi,
I am working on an ASP page using WMI to get some
information about printers installed on a desktop
which works in the same domain.

As I run WSH scripts everything is working fine.
When almost the same code is being run in the asp
page I receive error 0x80041003.
(even browsing with domain admin account)

my connection source code:
Set objWMIService = GetObject("winmgmts:" & _
"{impersonationLevel=impersonate}!\\" & sHostName & _
"\root\cimv2")

I can easily bypass this problem using WBEM object
and typing the credentials as parameters:
set lctr = CreateObject("WbemScripting.swbemLocator")
Set objWMIService = lctr.ConnectServer(sHostName, _
"Root\cimv2",sDomain & "\" & sUser,sPassword)

It is not a good idea to do so in every script.
My IIS is 5.5 and domain authentication is enabled.
(quick one - respectively)

What should I do to be able to use winmgmts:// paths?
What am I doing wrong?

--
Saah

[MS] Scott McNairy

Jan 16, 2004, 8:29:57 PM
This is a delegation issue. You need to enable delegation (via the computer
object in the Active Directory mmc snapin) on the IIS Server for the WMI
Service on that server to forward your credentials off of that box from your
client (remote computer). This is applicable any time there are 3 or more hops
on the client server chain. You also need to use Delegation and Kerberos
authority instead of using the Impersonate impersonation level (as you have
specified) and the default NTLM authority. Also make sure that you disable
"anonymous" connections on the web server; otherwise you will likely be
receiving 80041003 error (wbem access denied) when going to the remote
machine.

--
[MS] Scott McNairy
WMI Test Engineer
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


Saah

Jan 19, 2004, 2:09:25 AM
User "[MS] Scott McNairy" wrote:
> This is a delegation issue. You need to enable delegation (via the computer
> object in the Active Directory mmc snapin) on the IIS Server for the WMI
> Service on that server to forward your credentials off of that box from your
> client (remote computer) this is applicable anytime there are 3 or more hops
> on the client server chain. You also need to use Delegation and kerberos
> authority instead of using the Impersonate impersonation level (as you have
> specified) and the default NTLM authority. Also make sure that you disable
> "anonymous" connections on the web server otherwise you will likely be
> receiving 80041003 error (wbem access denied) when going to the remote
> machine.

Hi,

Thank you for your reply.
I checked a few things:
- disabled anonymous & simple authentication in IIS
- rechecked in AD U&C that Computer
with IIS has "trust for delegation" enabled
- rewrote the WMI connection string:

Set objWMIService = GetObject("winmgmts:" & _
"{impersonationLevel=Delegate,authority=kerberos:" & sDomain & "\" & _
sHostName & "}!\\" & sHostName & "\root\cimv2")
(http://msdn.microsoft.com/library/en-us/wmisdk/wmi/connecting_to_a_3rd_computer-delegation.asp)

Now I receive a different error (we have some progress :-):
HTTP 500.100 0x800706D5
So I read these:
http://support.microsoft.com/?id=282189
http://support.microsoft.com/?id=326089
& it did not help me much.
I am stuck once again.
Please help.

--
Saah

[MS] Scott McNairy

Jan 19, 2004, 1:24:02 PM
According to this KB article the cause of this error is not using Integrated
Security with Kerberos Authority.
http://support.microsoft.com/default.aspx?scid=kb;en-us;282189

--
[MS] Scott McNairy
WMI Test Engineer
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


Saah

Jan 21, 2004, 1:36:09 AM
User "[MS] Scott McNairy" wrote:
> According to this KB article the cause of this error is not using Integrated
> Security with Kerberos Authority.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;282189

Thanks for the reply,
You are 100% right. The error fits the case.
But the problem is I have only one type of authentication enabled,
which is the integrated one, and I still receive:
Error 0x800706D5 "The security context is invalid"
What else could be wrong here?
Maybe it is something about security options on the machine of IIS?

--
Saah

[MS] Scott McNairy

Jan 21, 2004, 1:34:29 PM
Hmmm, this doesn't look good.

Are all three machines in the sequence Win2k or above? Specifically the
web/wmi client, IIS Server, and the WMI Server? If not can you try this
scenario and let me know the results?

I think the next step would be for me to investigate whether policy has a
setting to disallow enabling delegation on the machine. Or we can simplify
the case above by bypassing IIS altogether.

--
[MS] Scott McNairy
WMI Test Engineer
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


Saah

Jan 23, 2004, 5:29:13 AM
User "[MS] Scott McNairy" <sco...@online.microsoft.com> wrote

> Are all three machines in the sequence Win2k or above? Specifically the
> web/wmi client, IIS Server, and the WMI Server? If not can you try this
> scenario and let me know the results?
> I think the next step would be for me to investigate whether policy has a
> setting to disallow enabling delegation on the machine. Or we can simplify
> the case above by bypassing IIS altogether.

Thank you for the reply,
My configuration was as follows:
web browser OS: Windows 2000 Server SP3 & Windows XP Professional SP1
web server OS: Windows 2000 Professional SP4
target OS: Windows XP Professional SP1
"Enable computer & user accounts to be trusted for delegation"
on the web server local policy was empty.
What should it mean to me?
--
Best regards,
Saah

[MS] Scott McNairy

Jan 23, 2004, 1:25:15 PM
In the Active Directory Computers mmc snapin is where you want to enable the
computer account for delegation. I don't believe that you need to trust IIS
specifically for delegation via local policy provided that the computer
account is trusted. Maybe I am wrong though. Does it work if you enable it
in both places? I think at a minimum you should have the computer account
enabled for delegation.

--
[MS] Scott McNairy
WMI Test Engineer
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
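
The delegated connection discussed in this thread, written with SWbemLocator so that no user name or password is stored in the script, and with the two error codes from the thread mapped to the causes given in the replies. This is an added example, not code from any poster; the function names are hypothetical and the domain and host in the usage comment are placeholders.

```vbscript
Option Explicit

Const wbemImpersonationLevelDelegate = 4          ' WbemImpersonationLevelEnum
Const WBEM_E_ACCESS_DENIED = &H80041003           ' first error in the thread
Const RPC_S_INVALID_AUTH_IDENTITY = &H800706D5    ' "The security context is invalid"

' Connect to sHostName with the caller's identity forwarded over Kerberos.
Function ConnectDelegated(sDomain, sHostName)
    Dim oLocator
    Set oLocator = CreateObject("WbemScripting.SWbemLocator")
    ' Set before ConnectServer so the connection itself uses delegation.
    oLocator.Security_.ImpersonationLevel = wbemImpersonationLevelDelegate
    ' User and password stay empty: the authenticated caller's ticket is used.
    Set ConnectDelegated = oLocator.ConnectServer(sHostName, "root\cimv2", _
        , , , "kerberos:" & sDomain & "\" & sHostName)
End Function

' Translate the error codes seen in the thread into the checks suggested there.
Function ExplainError(lNumber)
    Select Case lNumber
        Case WBEM_E_ACCESS_DENIED
            ExplainError = "0x80041003 access denied: check that anonymous " & _
                "access is disabled on the web server and that its computer " & _
                "account is trusted for delegation."
        Case RPC_S_INVALID_AUTH_IDENTITY
            ExplainError = "0x800706D5 security context invalid: the request " & _
                "is not using integrated security with Kerberos authority."
        Case Else
            ExplainError = "Unexpected error 0x" & Hex(lNumber)
    End Select
End Function

' Return the printer names on the target, or a diagnostic string on failure.
Function ListPrinters(sDomain, sHostName)
    Dim oService, oPrinter, sOut
    On Error Resume Next
    Set oService = ConnectDelegated(sDomain, sHostName)
    If Err.Number <> 0 Then
        ListPrinters = ExplainError(Err.Number)
        Exit Function
    End If
    For Each oPrinter In oService.ExecQuery("SELECT Name FROM Win32_Printer")
        sOut = sOut & oPrinter.Name & vbCrLf
    Next
    If Err.Number <> 0 Then sOut = ExplainError(Err.Number)
    ListPrinters = sOut
End Function

' Usage (placeholders): Response.Write ListPrinters("EXAMPLE", "DESKTOP01") in ASP,
' or WScript.Echo ListPrinters("EXAMPLE", "DESKTOP01") under WSH.
```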
