|
Home > Archive > IIS Server Security > May 2007 > VB.NET (2.0) impersonate not working
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
VB.NET (2.0) impersonate not working
|
|
| NathanC 2007-05-17, 7:18 pm |
| I have a web project that is running this code: (generalized for security)
refWMIService = GetObject("winmgmts:\\computer_name")
colcomputers = refWMIService.ExecQuery("Select * From
Win32_OperatingSystem")
For Each refComputer In colcomputers
If refComputer.reboot() = 0 Then
Response.Write("reboot")
Else
Response.Write("nope")
End If
This is WMI functionality and on the remote computer - the ASPNET account
obviously does not have permission to do this - and I can see Failed Audit
events in the computer security log. So, I have added this bit of code to the
web.config file for the project:
<identity impersonate="true" userName="subdomain.domain.com\username"
password="password" />
When I rebuild the project and even restart IIS - the call is still hitting
the remote computer as ASPNET account - although my understanding is that
because of the impersonate web.config tag - it should send using the higher
access credentials.
Any thoughts? Thanks,
| |
| David Wang 2007-05-18, 7:20 am |
| On May 17, 1:33 pm, NathanC <Nath...@discussions.microsoft.com> wrote:
> I have a web project that is running this code: (generalized for security)
>
> refWMIService = GetObject("winmgmts:\\computer_name")
> colcomputers = refWMIService.ExecQuery("Select * From
> Win32_OperatingSystem")
> For Each refComputer In colcomputers
> If refComputer.reboot() = 0 Then
> Response.Write("reboot")
> Else
> Response.Write("nope")
> End If
>
> This is WMI functionality and on the remote computer - the ASPNET account
> obviously does not have permission to do this - and I can see Failed Audit
> events in the computer security log. So, I have added this bit of code to the
> web.config file for the project:
>
> <identity impersonate="true" userName="subdomain.domain.com\username"
> password="password" />
>
> When I rebuild the project and even restart IIS - the call is still hitting
> the remote computer as ASPNET account - although my understanding is that
> because of the impersonate web.config tag - it should send using the higher
> access credentials.
>
> Any thoughts? Thanks,
I do not believe WMI security model works that way.
Just because you tell ASP.Net to impersonate a user identity to
execute WMI code, it does not mean that WMI flows the thread-
impersonated user identity across to the other machine. I believe with
WMI you have to give the username/password in code to the WMI
connection itself.
See how to do this with with the IIS6 Administration scripts like
iisback.vbs which shows how to make remote WMI calls using a specified
user credential.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
|
|
|
|
|