
Access is Denied when connecting to remote computer using WMI from app under IIS

I am getting an "Access is denied" exception when I try to connect to a remote server using WMI through IIS (10.0). This same code works fine through Visual Studio 2015 debug (IIS Express). Obviously this is a permissions issue; however, I cannot find anything definitive or even suggestive on the best way to approach this.

In my example, the client simply makes a POST call to the web service with credentials in the payload. Then the service attempts to make a WMI connection and gets the exception. The remote server is not in a domain, and the credentials have been verified to have access to the given namespaces.

I'm running IIS 10, but have duplicated this with as low as IIS 7.

Any help is appreciated!

    public ManagementScope Connect(Credentials creds, string path)
    {
        _creds = creds;
        _path = path;

        var conOpt = new ConnectionOptions
        {
            Impersonation = ImpersonationLevel.Impersonate,
            Authentication = AuthenticationLevel.PacketPrivacy,
            EnablePrivileges = true,
            Username = _creds.Username,
            Password = _creds.Password,
            //Authority = $"ntlmdomain:{_creds.Domain}"
        };
        // virtualization\v2
        _scope = new ManagementScope($@"\\{_creds.Server}\ROOT\{path}", conOpt);
        _scope.Connect();

        return _scope;
    }

I always recommend avoiding WMI calls inside an application on IIS because of possible security weaknesses.

I recommend creating a local Windows service as a command relay. So you would call your local service and this service would execute the remote WMI call. The Windows service then needs permission to execute the WMI command on the remote machine, and you do not have to change the permissions of your web application environment.

Just for information: on other platforms like Azure you are not allowed to change the security settings of your WebApp. The service / relay approach would also solve that requirement.

A common misunderstanding is that IIS Express is IIS. No.

IIS Express executes the code under your account. That means if your account has necessary permissions then the code runs fine.

However, IIS is purely a hosting service and your code runs under the worker process identity aka application pool identity. Review your IIS settings to understand what I mean.

Only if you change that identity to another suitable one, or grant the account the necessary permissions, can the code work.

Note that a web app should not perform tasks that require lots of extra permissions, because then it can be compromised and lead to serious security issues. That's why the other answer suggests you move the WMI calls to a dedicated Windows service.

I wrote a blog post a few months ago:

https://blog.lextudio.com/2015/04/web-application-differences-in-visual-studio-and-iis/
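
The relay approach both answers recommend can be sketched as follows. This is an added example, not code from the thread: it assumes .NET Framework 4.x, and the pipe name `wmi-relay`, the application pool name `MyAppPool` and the `list-vms` operation key are hypothetical. The service accepts only operation keys from a fixed allow-list over a pipe restricted to the application pool identity, so the web application never holds WMI rights or submits raw queries.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Pipes;
using System.Management;
using System.Security.AccessControl;
using System.Security.Principal;
static class WmiRelay
{
    // Hypothetical allow-list: the web app sends a key, never a namespace or raw WQL.
    static readonly Dictionary<string, Tuple<string, string>> Allowed =
        new Dictionary<string, Tuple<string, string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "list-vms", Tuple.Create(@"ROOT\virtualization\v2",
                                       "SELECT ElementName FROM Msvm_ComputerSystem") }
        };
    static string Handle(string key, string server, ConnectionOptions remoteCreds)
    {
        Tuple<string, string> op;
        if (key == null || !Allowed.TryGetValue(key, out op)) return "ERR unknown operation";
        try
        {
            var scope = new ManagementScope($@"\\{server}\{op.Item1}", remoteCreds);
            scope.Connect();   // runs under the service account, not the app pool identity
            var names = new List<string>();
            using (var searcher = new ManagementObjectSearcher(scope, new ObjectQuery(op.Item2)))
                foreach (ManagementBaseObject mo in searcher.Get())
                    names.Add((string)mo["ElementName"]);
            return "OK " + string.Join(",", names);
        }
        catch (Exception ex) { return "ERR " + ex.GetType().Name; } // no details leak to the web tier
    }
    public static void Serve(string server, ConnectionOptions remoteCreds)
    {
        // Only the web app's application pool identity (assumed name) may open the pipe.
        var acl = new PipeSecurity();
        acl.AddAccessRule(new PipeAccessRule(new NTAccount(@"IIS APPPOOL\MyAppPool"),
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        while (true)
            using (var pipe = new NamedPipeServerStream("wmi-relay", PipeDirection.InOut, 1,
                       PipeTransmissionMode.Byte, PipeOptions.None, 4096, 4096, acl))
                try
                {
                    pipe.WaitForConnection();
                    string key = new StreamReader(pipe).ReadLine();
                    new StreamWriter(pipe) { AutoFlush = true }.WriteLine(Handle(key, server, remoteCreds));
                }
                catch (IOException) { /* client disconnected; serve the next one */ }
    }
}
```

The web application side opens the pipe with `NamedPipeClientStream`, writes one operation key per connection and reads back a single `OK` or `ERR` line.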
