Access Denied for WMI/ADSI over ASP.Net


Roy Osherove

Hi folks.
I have an ASP.Net application that runs a .Net dll that uses WMI and
ADSI(both managed) to connect to a given IIS root and search through it.
When not using the ASP.Net client, but running from a winforms project - I
can connect to both local and remote machines.
However, when using the ASP.Net project - I get an "Access denied"
exception.

This happens when calling the ManagementScope.Connect() method.

I've found several articles to help me on my quest.
One suggested that I use impersonation in the Web.Config file. So I did.
Nothing happened.[2]
It also suggested that the WMI settings control in the Computer Management
MMC needs to be tweaked for remote WMI access. I did. Nothing happened.
One suggested that I use the MetaAcl.vbs to add permissions for the ASPNET
account to read the metabase [3], but this is related to ADSI - which seems
to connect fine.
Another one suggested changing the page to run as ASPcompat [1] and so on...

Nothing worked, and I'm stumped.

Let me clarify. I need my webserver with IIS to be able to access remote
machines (server acting as client) using WMI and ADSI, via ASP.Net.
I'm sure this is a pretty simple permissions issue somewhere, only I can't
seem to find the needle in the haystack.

[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;325791
[2] http://support.microsoft.com/defaul...port/kb/articles/q317/0/12.asp&NoWebContent=1
[3] http://support.microsoft.com/default.aspx?scid=kb;en-us;326902
 

Matjaz Ladava [MVP]

AFAIK WMI security permits only users who are administrators to run WMI
scripts against remote machines. WMI is protected by three layers of
security:
- WMI Namespace Security (set up in Computer Management; browse to WMI)
- DCOM Security (as WMI relies on DCOM for remoting and by default it is
impersonating)
- Standard Windows security

First build code in .NET (C#?) that can run WMI against local and remote
machines and then test it under ASP.NET, as ASP.NET runs under the ASPNET
account (by default), which has very limited permissions. You can try to
impersonate in ASP.NET, but to check that your impersonation is working use

WindowsIdentity.GetCurrent().Name;

method to get the user under which your application is running. If you are
in a domain environment, and the user has administrative rights on the remote
machine, you will be able to run the code.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
 
Joe Kaplan (MVP - ADSI)

Also, even if impersonation is working, you may not be able to delegate the
credential to the remote machine. This issue often comes up with Integrated
Windows auth in IIS. Delegation requires Kerberos and requires that all of
the involved accounts allow delegation. This is one of the primary reasons
why ADSI/S.DS code doesn't work as expected in ASP.NET applications.

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

Joe K.
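
The two checks suggested in the replies above (which identity the request thread really runs as, and whether that credential can reach a second machine) can be combined in one diagnostic helper. This is an added example, not code posted by anyone in the thread; the class name `WmiAccessProbe`, the `root\cimv2` namespace and the host argument are assumptions for illustration.

```csharp
using System;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class WmiAccessProbe
{
    // Attempts a WMI connection to `host` under the calling thread's current
    // identity and returns a one-line diagnosis. Call it once from the
    // WinForms client and once from an ASP.NET page, then compare the output.
    public static string Diagnose(string host)
    {
        // With <identity impersonate="true" /> in Web.config this should be
        // the browsing user; without it, the worker process account (ASPNET).
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string who = string.Format("{0} (auth={1}, token={2})",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);

        // Hint only: an impersonated token obtained through Integrated Windows
        // authentication typically cannot be forwarded to a second machine
        // unless Kerberos delegation produced a Delegation-level token.
        if (id.ImpersonationLevel != TokenImpersonationLevel.None &&
            id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            who += " [impersonated, not delegatable]";

        ConnectionOptions opts = new ConnectionOptions();
        opts.Impersonation = ImpersonationLevel.Impersonate;     // DCOM layer
        opts.Authentication = AuthenticationLevel.PacketPrivacy; // encrypt RPC
        // Namespace is an assumption; substitute the one your code queries.
        ManagementScope scope =
            new ManagementScope(@"\\" + host + @"\root\cimv2", opts);
        try
        {
            scope.Connect();
            return who + ": connected";
        }
        catch (UnauthorizedAccessException)
        {
            // The remote side rejected the caller: check DCOM launch/access
            // rights and local administrator membership for this identity.
            return who + ": access denied by remote DCOM/Windows security";
        }
        catch (ManagementException ex)
        {
            // WMI itself answered, e.g. ManagementStatus.AccessDenied from
            // namespace security.
            return who + ": WMI error " + ex.ErrorCode;
        }
        catch (COMException ex)
        {
            // Transport problems such as "RPC server unavailable".
            return who + ": DCOM/RPC failure 0x" + ex.ErrorCode.ToString("X8");
        }
    }
}
```

If the ASP.NET run reports the expected domain user but still ends in access denied while the WinForms run connects, the difference is the missing second hop rather than the WMI namespace or DCOM settings on the target.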

 
 
