Problems with authentication/impersonation


Problem description


Hi

Am having a problem with an app I wrote to test patch delivery. I
contact a remote PC, and get it to run a patch which is installed on a
server. It works fine if I use psexec for example and I know it's not
NTFS/share-level security at fault - it's readable to everyone which
is usually enough for scheduler or any other usually-not-network-user
to reach it.

I've checked my credentials in my remote session and it says it's
running as "me", but it appears I've lost my network identity.

check.cmd is just basically "dir \\server\share >> c:\log.log 2>&1",
but when called remotely it results in "Access is denied" in the log.
If I change it to "dir c:\ ...", it works fine though. Remember, I'm
calling that batch file on the remote PC. I'm also a domain admin by
the way, and for good measure I've also added myself to the admins
group on my remote test pc.

Here's the code:

' Needs a project reference to System.Management.dll
Imports System.Diagnostics
Imports System.Management

' pc holds the name of the remote PC
Dim options As New ConnectionOptions()
options.EnablePrivileges = True
options.Authentication = AuthenticationLevel.Call
options.Impersonation = ImpersonationLevel.Impersonate

Dim scope As New ManagementScope("\\" + pc + "\root\cimv2", options)
scope.Connect()

Dim processClass As New ManagementClass("Win32_Process")
processClass.Scope = scope

Dim inParams As ManagementBaseObject = processClass.GetMethodParameters("Create")

Dim startup As New ManagementClass("WIN32_ProcessStartup")
startup.Scope = scope

inParams("CommandLine") = "cmd /c c:\check.cmd"
inParams("ProcessStartupInformation") = startup
Dim outParams As ManagementBaseObject = processClass.InvokeMethod("Create", inParams, Nothing)

' ReturnValue 0 means the remote process was started
Debug.WriteLine("CreateProcess returned :" + _
    outParams("ReturnValue").ToString())
Any that can help with this will earn my undying gratitude and respect
(and a million pounds!)*

Cheers

AW

* offer of prize money will not be honoured :)

Recommended answer

By default domain admins have no rights to access WMI on member servers.
You can check and enable this by running wmimgmt.msc on the remote server (or
running it on a local machine and connecting to a remote server).
Right click on WMI Control and select properties, in the control properties
dialog click the "security" tab and add the domain admin account to the ACL
list, make sure at least "execute", "read and write" and "remote enable" are
selected.

Willy.


Hi Willy

Thanks for the suggestions. However, I tried adding Domain Admins in where
you suggest and it didn't help.

Although I am a domain admin (and therefore by default in the local
'Administrators' group on the member PCs - which already have the
permissions you suggest), I am actually trying this in two different
configurations. One from WinXP -> WinXP and one from Win2k3 -> WinXP.

My problem doesn't appear to be the accessing/creation/whatever of WMI - I
can create the remote process no problem. It's just when I want that remote
process to access the network that my troubles begin.

Any other suggestions as I'm running a little short on hair here... ;)

AW



Hi Andrew,

Sorry, should have read your post more carefully.
The problem you have is the famous multiple hop issue when using NTLM
authentication.
The remote process is impersonating "me" (the token obtained is an
impersonation token - no user/password was obtained by this process), that
means you don't have network credentials, and anonymous (I'm not sure this
is the case on W2K3) will be used to access the shared network resource.
One thing you could try is to force Kerberos authentication, and set
ImpersonationLevel.Delegate (so you will have to set
ConnectionOption.Authority = "Kerberos:<principalname>").
But, even that is not guaranteed to work, as WMI is free to reject Kerberos
and fall back to NTLM authentication.

I suggest you enable auditing on the remote share, that way you can check
which account is used to access the share.

Willy.
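An added example, not code from the thread, that puts the original impersonate-only ConnectionOptions next to the Kerberos-plus-Delegate settings Willy suggests, in the VB.NET of the question. The module, function names, the `pc` value and the exact principal-name form placed after "Kerberos:" are assumptions.

```vbnet
Imports System.Management

' Added example (not the thread's own code): the original
' settings next to the delegation settings from the reply.
Module RemoteRunWithDelegation

    ' Original settings: the remote process only gets an impersonation token,
    ' so the second hop (remote PC -> \\server\share) has no network credentials.
    Function ImpersonateOnlyOptions() As ConnectionOptions
        Dim options As New ConnectionOptions()
        options.EnablePrivileges = True
        options.Authentication = AuthenticationLevel.Call
        options.Impersonation = ImpersonationLevel.Impersonate
        Return options
    End Function

    ' Suggested settings: force Kerberos and request a delegation-level token so
    ' the remote process can present the caller's identity to a third machine.
    ' Assumption: principal is the remote PC's Kerberos principal name, in the
    ' "Kerberos:<principalname>" form quoted in the reply. Delegation also needs
    ' the remote PC's computer account to be trusted for delegation in AD, and
    ' if WMI falls back to NTLM the second hop fails exactly as before.
    Function DelegateOptions(principal As String) As ConnectionOptions
        Dim options As New ConnectionOptions()
        options.EnablePrivileges = True
        options.Authentication = AuthenticationLevel.PacketPrivacy ' also encrypts the DCOM traffic
        options.Impersonation = ImpersonationLevel.Delegate
        options.Authority = "Kerberos:" & principal
        Return options
    End Function

    ' Starts commandLine on pc and returns Win32_Process.Create's ReturnValue
    ' (0 = process started; it says nothing about what the process does next).
    Function CreateRemoteProcess(pc As String, commandLine As String, options As ConnectionOptions) As UInteger
        Dim scope As New ManagementScope("\\" & pc & "\root\cimv2", options)
        scope.Connect()
        Using processClass As New ManagementClass(scope, New ManagementPath("Win32_Process"), Nothing)
            Dim inParams As ManagementBaseObject = processClass.GetMethodParameters("Create")
            inParams("CommandLine") = commandLine
            Dim outParams As ManagementBaseObject = processClass.InvokeMethod("Create", inParams, Nothing)
            Return CUInt(outParams("ReturnValue"))
        End Using
    End Function

    Sub Main()
        Dim pc As String = "TESTPC" ' hypothetical remote PC; using it as the principal is an assumption
        Dim rc As UInteger = CreateRemoteProcess(pc, "cmd /c c:\check.cmd", DelegateOptions(pc))
        System.Console.WriteLine("Win32_Process.Create returned " & rc)
    End Sub
End Module
```

A return value of 0 only says the remote process started; whether the second hop to \\server\share succeeded is still only visible in c:\log.log or in the share audit Willy recommends.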
