Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection
From: Ivan Brugiolo [MSFT] (ivanbrug_at_online.microsoft.com)
Date: 08/18/04
- Next message: Steven L Umbach: "Re: Group Policy Error"
- Previous message: Steven L Umbach: "Re: Wierd network name showing up in Microsoft windows network"
- In reply to: Anthony LaMark: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Next in thread: Roger Abell: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Reply: Roger Abell: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 Aug 2004 12:19:15 -0700
I don't have domain-specific knowledge of ADO, but I can answer a few other
questions.

If you have a machine called anthony-devbox,
and that machine has an account in the Directory Services,
then the account name is anthony-devbox$.
You can enable auditing for logon events, and,
if you have SPNEGO as the authentication package,
and if SPNEGO succeeds with Kerberos,
then you should see a logon event for anthony-devbox$.

The concept of network resource is confusing the way it's used down there.
Let's take a step back. Let's discuss the authentication without explicit
credentials.
Distributed authentication in Windows happens via SSPI calls.
You can have different transports (RPC-over-Named-Pipes, RPC-over-TCP,
HTTP, SSL, SQL-Transport-over-Named-Pipes, SQL-Transport-over-TCP),
and each one of them, in order to recreate the identity of the security
subject over an authentication hop (a hop can be seen as a network boundary,
even if it's not strictly necessary), will do an ISC / ASC conversation
(InitializeSecurityContext / AcceptSecurityContext). After the ISC/ASC
conversation over an arbitrary transport has completed, the remote side
will have authenticated the remote peer, and it can impersonate that
identity.

The ODBC connection can be configured to use the currently-executing-code
security principal, and it can forward that identity across an
authentication hop.
This is normally done by a component loaded by the OLE DB/ODBC driver.
This means that your query is executing as a user account called
anthony-devbox$.
If you have some permissions in the database to access tables and/or other
resources,
please configure them to allow anthony-devbox$.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
news:eJ5E#HVhEHA.244@TK2MSFTNGP10.phx.gbl...
> Hi Roger,
>
> Thanks! The computer does belong to a domain. Your answer was great but I still have several specific questions before I can solve this security problem:
>
> The problem:
>
> ComputerA's WMI service (running as LocalSystem) wants to use a System DSN ODBC connection to one of ComputerB's MS SQL2000 database instances. Both ComputerA and ComputerB are in the same domain. Currently, the "Open" (using ADODB) of the ODBC connection fails (BTW but works just fine if you run as the interactive user).
>
> What you taught me:
>
> If a server is in a domain, it actually has its own security principal called MachineName$ (BTW should the $ be taken literally?). If you want a service (running as LocalSystem) running on the server to be able to access "network resources" (in this case, to use ODBC to access a database on another computer within the domain) then you can modify the "network resources" Access Control Lists (ACLs...specifically DACLs) by adding the MachineName$ via Active Directory and giving the LocalSystem account local privileges to access these "network resources".
>
> What I don't understand:
>
> 1. When a service/process opens an ODBC connection, what are the "network resources" (AccessCheck'ed) that get performed given that the ODBC connection is on a different computer (see "The problem" above)? What "network resources" do these AccessChecks get applied to? My guess would be:
> A. Network access
> B. ComputerB
> C. The SQL database
> 2. What privileges (using the Local Security Policy?) do I need to give to the LocalSystem account?
> 3. Do I need to do anything to the MachineName$ account in AD other than modifying the "network resources" ACLs?
>
> Thanks for your patience and help in this matter,
>
> Anthony LaMark
> eXc Software
>
>
>
> So, based on what you said, can I go to AD and give the computer
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:efwntUMhEHA.3944@tk2msftngp13.phx.gbl...
> > A computer principal will have no rights beyond itself if not in a domain.
> > The ODBC configuration dialog you mention is asking for an identity to use while defining the connection. It is not the identity that will be used when the connection is used. When the application instantiates the connection it can provide credentials to be used if those are for a SQL account. If one uses Windows integrated security, then the identity that owns the process where the connection is established is what is used. Either way, a Windows identity or a SQL account, that identity needs to have been granted the needed login and database permissions in SQL.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCDBA, MCSE W2k3+W2k+Nt4
> > "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
> > news:OuiLEQGhEHA.2812@tk2msftngp13.phx.gbl...
> > > Hi,
> > >
> > > Thank you for these suggestions:
> > >
> > > Solution 1 would cause a lot of "development" reworking so for now I would like to pursue your second solution.
> > >
> > > The problem I have now is in modifying the ODBC connection. The ODBC configuration dialog allows me to select either:
> > > "With Windows NT authentication using the network login ID" or
> > > "With SQL Server authentication using a login ID and password entered by the user"
> > >
> > > If I use "With Windows NT authentication using the network login ID", how can I get the ODBC to use the computer's security principal since the ODBC configuration dialog does not allow me to specify the user? Given that, won't the ODBC connection use the LocalSystem account since that is what WMI is running as [i.e. the original problem]?
> > >
> > > If I use "With SQL Server authentication using a login ID and password entered by the user", how can I (doing the ODBC connection configuration) and the SQL sys. admin (specifying the computer principal as a valid user for the database instance) know the password of the computer's security principal?
> > >
> > > Thanks in advance.
> > >
> > > "Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message
> > > news:u4Ohi76gEHA.384@TK2MSFTNGP10.phx.gbl...
> > >> WinMgmt was never tested in a different than LocalSystem account, and your mileage in running it as a different account can vary.
> > >> [BTW, in Win2000-SP4, the ability to run the WinMgmt.exe process as a standalone DCOM server has been removed to avoid these problems].
> > >>
> > >> For your problem, there are conceptually 2 solutions:
> > >> - make the Event-Provider a standalone provider, and run that standalone DCOM component in a service (already suggested).
> > >> - enable Mixed-Mode or Windows Authentication in the SQL server, be sure you have a Kerberos authentication infrastructure in place, and use the machine account (MachineName$) as the account who performs the query.
> > >>
> > >> Starting Win2000, the machine accounts are security principals, and they can be treated as such.
> > >>
> > >> --
> > >> This posting is provided "AS IS" with no warranties, and confers no rights.
> > >> Use of any included script samples are subject to the terms specified at
> > >> http://www.microsoft.com/info/cpyright.htm
> > >>
> > >>
> > >> "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
> > >> news:eT0MZqZgEHA.596@TK2MSFTNGP11.phx.gbl...
> > >> > Hi All,
> > >> >
> > >> > I have a WMI Event Provider (hosted by WinMgmt since it is on Windows 2000) which spawns another process (cmd.exe which invokes cscript.exe [i.e. a JScript]). This spawned process needs to open an ODBC connection to a SQL server on another computer in the network. WMI is currently running as (i.e. "Log on As") LocalSystem (again this is W2K). I tried to change the "Log on As" to a local system account that has the proper privileges to the ODBC connection. I verified that this account had the "Log on as a service" local policy. When I try to start WMI using the new account though it fails to start. The event log did not offer any clues. Does any one have any thoughts on:
> > >> > 1. What might be making WMI fail to start when it is changed from LocalSystem to another user account (do I need to change something in dcomcfg?)
> > >> > 2. If WMI has any dependency services and if so, do they need to be changed to the other user account as well?
> > >> > 3. What security auditing can I enable to troubleshoot this type of problem?
> > >> >
> > >> > Thanks in advance,
> > >> >
> > >> > Anthony LaMark
> > >> > eXc Software
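The grants Ivan's last paragraph asks for, written out as T-SQL, followed by the two checks that tell you whether the service is really reaching the database as the machine account and whether SPNEGO settled on Kerberos. This is an added example, not code from the thread or from any of its participants; the domain name CORP, the database AppDb and the table dbo.Events are assumed placeholders. The catalog views in the verification steps exist on SQL Server 2005 and later, so the SQL Server 2000-era equivalents the thread would have used are shown in comments.

```sql
-- Added example (not from the thread). Placeholders: domain CORP,
-- database AppDb, table dbo.Events. Run as a sysadmin on ComputerB.

-- 1. Server-level login for the computer account of anthony-devbox.
--    The trailing $ is part of the account's sAMAccountName and is typed
--    literally, inside the same bracketed identifier as the domain.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CORP\anthony-devbox$')
    CREATE LOGIN [CORP\anthony-devbox$] FROM WINDOWS
        WITH DEFAULT_DATABASE = [AppDb];
--    SQL Server 2000 equivalent:
--    EXEC sp_grantlogin N'CORP\anthony-devbox$';
GO

-- 2. Database user mapped to that login, with only the rights the
--    provider's query needs. Do not put the machine account in sysadmin or
--    db_owner: every LocalSystem/NetworkService process on anthony-devbox
--    authenticates as this principal and would inherit the grant.
USE [AppDb];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CORP\anthony-devbox$')
    CREATE USER [CORP\anthony-devbox$] FOR LOGIN [CORP\anthony-devbox$];
GRANT SELECT ON dbo.Events TO [CORP\anthony-devbox$];
--    SQL Server 2000 equivalent:
--    EXEC sp_grantdbaccess N'CORP\anthony-devbox$';
--    GRANT SELECT ON dbo.Events TO [CORP\anthony-devbox$];
GO

-- 3. Check from the client side: run this through the same ODBC/ADO
--    connection the service uses (for example from the cscript process the
--    WMI provider spawns). SUSER_SNAME() must come back as
--    CORP\anthony-devbox$; a local account name here means the connection
--    was not opened under the service's own token.
SELECT SUSER_SNAME() AS login_seen_by_server;

-- 4. Check from the DBA side: confirm which authentication package SPNEGO
--    negotiated for that login. KERBEROS is what Ivan's logon-audit check
--    expects; NTLM means the negotiation fell back (typically a missing or
--    duplicated MSSQLSvc SPN), which still authenticates the machine account
--    but should be fixed before relying on it.
SELECT s.session_id, s.login_name, c.auth_scheme,
       c.net_transport, c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.login_name = N'CORP\anthony-devbox$';
```

Pair step 4 with the audit Ivan describes: on ComputerB the successful network logon appears in the Security log as event 540 on Windows 2000/2003 (4624 on later versions) with the account name anthony-devbox$ and the authentication package that was actually used. If the SQL login exists but the audit shows the logon arriving as a different principal, the problem is on the client side (which token the ODBC driver is forwarding), not in the grants.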