EDN Admin
Well-known member
Have designed an in-house web based user management script for our active directory domains. Works wonderfully, except when it comes to issuing remote WMI calls to do little things, like create a folder or share. 
Overview:
- the website itself currently runs on my development machine, either using the VS ASP.NET development server, or IIS7 under Vista. Makes no difference in the end result.
- said development machine is joined to a domain, well call it DOMAINA, which is *not* the domain Im attempting to make changes to (in production this script may need to be hosted on a machine in one domain, but make changes to another)
- the domain controller Im attempting to create the folder on is a virtual machine also running on my development machine. This VM is the sole domain controller for the DEVDOMAIN.TEST domain, and is running Windows Server 2008.
- Pretty straightforward stuff.... the VM and my machine have no problems communicating back and forth for anything else (the main website also does a bunch of things using the System.DirectoryServices namespace, and they all work fine.)
To make it simpler to debug and make changes, I built a small test.aspx file that doesnt do all the extra stuff, just a single attempt to create a folder on the domain controller... heres the bulk of that test script as it stands right now:
System.Text.StringBuilder sb = new System.Text.StringBuilder(); string sAdd = "\\192.168.19.129\ROOT\CIMV2"; ManagementScope oMs = new ManagementScope(sAdd);
oMs.Options.Username = "DEVDOMAIN\devadmin";
oMs.Options.Password = "DevAdminPassword"; oMs.Options.EnablePrivileges = true; oMs.Options.Authentication = AuthenticationLevel.PacketPrivacy; oMs.Options.Impersonation = ImpersonationLevel.Impersonate;
oMs.Connect(); ObjectGetOptions objectGetOptions = new ObjectGetOptions(); ManagementPath managementPath = new ManagementPath("Win32_Process"); ManagementClass processClass = new ManagementClass(oMs, managementPath, objectGetOptions); ManagementBaseObject inParams = processClass.GetMethodParameters("Create"); inParams["CommandLine"] = @"cmd.exe /c md " + sLocation; ManagementBaseObject outParams = processClass.InvokeMethod("Create", inParams, null); outParams.Dispose(); inParams.Dispose();
Currently when I run the test, it blows up at the oMs.Connect(), with a A security package specific error occurred. (Exception from HRESULT: 0x80070721) error.
I have tried every combination I can locate in msdn for changing Options.Authentication and Options.Impersonation, and even tried specifying the Options.Authority, using both "ntlmdomain:" and "kerberos:"... no matter what, I cant make this script work dependably.
Dependably being the problem. If I try it, and it fails, and I say, play with the authority, impersonation, or authentication options, and try it again, it *will* work, but then if I reboot the server and try again, it fails once more with the package specific error. and Ill change the code a couple of times (trying each time), and "bang", it will suddenly work fine.. until I reboot the server again. Its maddening.
I have gone into the server, and specifically given devadmin full rights in both dcomcnfg and wmimgmt.msc, Ive tried turning UAC off on my development machine (I noticed that a couple of WMI debugging tools I found online would cause a UAC prompt to pop up, so I thought maybe it was some strange "UAC interferes with outbound WMI" or something).
Im stumped. Any ideas?
View the full article
Overview:
- the website itself currently runs on my development machine, either using the VS ASP.NET development server, or IIS7 under Vista. Makes no difference in the end result.
- said development machine is joined to a domain, well call it DOMAINA, which is *not* the domain Im attempting to make changes to (in production this script may need to be hosted on a machine in one domain, but make changes to another)
- the domain controller Im attempting to create the folder on is a virtual machine also running on my development machine. This VM is the sole domain controller for the DEVDOMAIN.TEST domain, and is running Windows Server 2008.
- Pretty straightforward stuff.... the VM and my machine have no problems communicating back and forth for anything else (the main website also does a bunch of things using the System.DirectoryServices namespace, and they all work fine.)
To make it simpler to debug and make changes, I built a small test.aspx file that doesnt do all the extra stuff, just a single attempt to create a folder on the domain controller... heres the bulk of that test script as it stands right now:
System.Text.StringBuilder sb = new System.Text.StringBuilder(); string sAdd = "\\192.168.19.129\ROOT\CIMV2"; ManagementScope oMs = new ManagementScope(sAdd);
oMs.Options.Username = "DEVDOMAIN\devadmin";
oMs.Options.Password = "DevAdminPassword"; oMs.Options.EnablePrivileges = true; oMs.Options.Authentication = AuthenticationLevel.PacketPrivacy; oMs.Options.Impersonation = ImpersonationLevel.Impersonate;
oMs.Connect(); ObjectGetOptions objectGetOptions = new ObjectGetOptions(); ManagementPath managementPath = new ManagementPath("Win32_Process"); ManagementClass processClass = new ManagementClass(oMs, managementPath, objectGetOptions); ManagementBaseObject inParams = processClass.GetMethodParameters("Create"); inParams["CommandLine"] = @"cmd.exe /c md " + sLocation; ManagementBaseObject outParams = processClass.InvokeMethod("Create", inParams, null); outParams.Dispose(); inParams.Dispose();
Currently when I run the test, it blows up at the oMs.Connect(), with a A security package specific error occurred. (Exception from HRESULT: 0x80070721) error.
I have tried every combination I can locate in msdn for changing Options.Authentication and Options.Impersonation, and even tried specifying the Options.Authority, using both "ntlmdomain:" and "kerberos:"... no matter what, I cant make this script work dependably.
Dependably being the problem. If I try it, and it fails, and I say, play with the authority, impersonation, or authentication options, and try it again, it *will* work, but then if I reboot the server and try again, it fails once more with the package specific error.
and Ill change the code a couple of times (trying each time), and "bang", it will suddenly work fine.. until I reboot the server again. Its maddening. I have gone into the server, and specifically given devadmin full rights in both dcomcnfg and wmimgmt.msc, Ive tried turning UAC off on my development machine (I noticed that a couple of WMI debugging tools I found online would cause a UAC prompt to pop up, so I thought maybe it was some strange "UAC interferes with outbound WMI" or something).
Im stumped. Any ideas?
View the full article