WMI security via ASP.NET app

[Pete]

Hello,

I have an ASP.NET application which is querying the status of a Win32
service using WMI via ManagementObjectSearcher object. The query is
"select state from win32_service where name='MyService'". My website
is impersonating the IIS anonymous user, using a domain user. I have
given my user the appropriate WMI security rights, and my code works
fine when run from a cmd prompt running as my domain user. However,
when I run via my ASP.NET app I get:

[ManagementException: Generic failure ]

System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus
errorCode) +167
System.Management.ManagementObjectEnumerator.MoveNext() +403

It also works fine if I add my domain user to the local Administrators
group.
I guess there is something I'm missing with regard to the ASP.NET
security, can anyone point me in the right direction? Thanks for your
help.

The code is below.

ConnectionOptions co = new ConnectionOptions();
co.Authentication = AuthenticationLevel.Packet;

ManagementScope oScope = new ManagementScope("\\\\" + server +
"\\root\\cimv2", co);
WqlObjectQuery oQuery = new WqlObjectQuery(QueryString);
ManagementObjectSearcher search = new
ManagementObjectSearcher(oScope,oQuery);

foreach(ManagementObject manobj in search.Get())
{
//do stuff
}

 

[Dominick Baier [DevelopMentor]]

is the WMI query local?

maybe you wanna use this troubleshooting page to figure out under which security
context you are really executing:

http://www.leastprivilege.com/ShowContextsAnotherUpdateIAdmitIt.aspx

 

[Pete]

Thanks for your reply.

The WMI query is local. The server in the code snippet is the local
server. I had planned on using it cross-server, but first things first,
I want to get it working locally.

I like your troubleshooting page. Unfortunately, (something I really
should have mentioned in my original post) I am using ASP.NET 1.1. So
I've converted your page to 1.1, which mainly involved chopping
everything except the identity section, but what I see is what I would
expect i.e. the thread identity is myuser.

What I have learned is that the problem persists whether I continue
using anonymous access, or change to use integrated windows security.

Cheers,
Pete

 

[Dominick Baier [DevelopMentor]]

are you saying that running the code under "myuser" from the console works
- but not under "myuser" from asp.net?

 

[Pete]

Yep, exactly that.

At the moment, I have a workaround where I configure a component to run
under Component Services, using "myuser" as the identity on the
package, and calling this from my ASP.NET app. This works fine, but
means additional deployment effort that I shouldn't really have to do.

 

[Dominick Baier [DevelopMentor]]

Ok - you are impersonating "myuser" - right?

in that case - AFAIK - you have to specify the impersonation level when connecting
to WMI

ConnectionOptions options =
new ConnectionOptions();
options.Impersonation =
System.Management.ImpersonationLevel.Impersonate;

give that a try.

 

[Pete]

Thanks for your reply, Dominick.

I've tried explicitly setting the ConnectionOptions.Impersonation
property to Impersonate, but to no avail. Impersonate is the default
level anyway, according to the documentation. If I change to a lower
level such as ImpersonationLevel.Identity, then I get an "Access
Denied" exception thrown. I've also tried playing around with the
other ConnectionOptions properties - changing the timeout,
EnablingPrivileges. Nothing helps, I get the same error - except when
I tried to hardcode the username and password properties then I got
"User credentails cannot be used for local connections".

I also tried running under ASP.NET2.0 to see if it made any difference.
It didn't. I have to admit I'm well and truly stumped!