Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/20/04
- Next message: Roger Abell: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Previous message: Roger Abell: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- In reply to: Roger Abell [MVP]: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 20 Aug 2004 07:56:00 -0700
If a SQL account is used then the only thing needed on the
machine running SQL is SQL login and database grants.
If integrated, then in addition, I have seen the account need
login rights on the machine.
If this is your code, one way to work through this is to get
your WMI event code to use explicit SQL account when it
establishes connection to SQL. Once this is working under
those credentials, then changing this to use trusted connection
means you will know that you are debugging only the flow of
this identity running the process to the SQL machine and into
the database - as the use of the SQL internal account established
all else as working.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:efwntUMhEHA.3944@tk2msftngp13.phx.gbl...
> A computer principal will have no rights beyond itself if not in
> a domain.
> The ODBC configuration dialog you mention is asking for
> an identity to use while defining the connection. It is not
> the identity that will be used when the connection is used.
> When the application instances the connection it can provide
> credential to be used if those are for a SQL account. If one
> uses windows integrated security, then the identity that owns
> the process where the connection is established is what is
> used. Either way, a Windows identity or a SQL account,
> that identity needs to have been granted the needed login
> and database permissions in SQL.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
> news:OuiLEQGhEHA.2812@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > Thank you for these suggestions:
> >
> > Solution 1 would cause a lot of "development" reworking so for now I would
> > like to pursue your second solution.
> >
> > The problem I have now is in modifying the ODBC connection. The ODBC
> > configuration dialog allows me to select either:
> > "With Windows NT authentication using the network login ID" or
> > "With SQL Server authentication using a login ID and password entered by
> > the user"
> >
> > If I use "With Windows NT authentication using the network login ID", how
> > can I get the ODBC to use the computer's security principal since the ODBC
> > configuration dialog does not allow me to specify the user? Given that,
> > won't the ODBC connection use the LocalSystem account since that is what
> > WMI is running as [i.e. the original problem]?
> >
> > If I use "With SQL Server authentication using a login ID and password
> > entered by the user", how can I (doing the ODBC connection configuration)
> > and the SQL sys. admin (specifying the computer principal as a valid user
> > for the database instance) know the password of the computer's security
> > principal?
> >
> > Thanks in advance.
> >
> > "Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message
> > news:u4Ohi76gEHA.384@TK2MSFTNGP10.phx.gbl...
> >> WinMgmt was never tested in a different than LocalSystem account,
> >> and, your mileage in running it as a different account can vary.
> >> [BTW, in Win2000-SP4, the ability to run the WinMgmt.exe process
> >> as a standalone DCOM server has been removed to avoid these problems].
> >>
> >> For your problem, there are conceptually 2 solutions:
> >> - make the Event-Provider a standalone provider,
> >> and run that standalone DCOM component in a service (already suggested).
> >> - enable Mixed-Mode or Windows Authentication in the SQL server,
> >> be sure you have a Kerberos authentication infrastructure in place,
> >> and use the machine account (MachineName$)
> >> as the account who performs the query.
> >>
> >> Starting Win2000, the machine accounts are security principals,
> >> and they can be treated as such.
> >>
> >> --
> >> This posting is provided "AS IS" with no warranties, and confers no rights.
> >> Use of any included script samples are subject to the terms specified at
> >> http://www.microsoft.com/info/cpyright.htm
> >>
> >>
> >> "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
> >> news:eT0MZqZgEHA.596@TK2MSFTNGP11.phx.gbl...
> >> > Hi All,
> >> >
> >> > I have a WMI Event Provider (hosted by WinMgmt since it is on Windows 2000)
> >> > which spawns another process (cmd.exe which invokes cscript.exe [i.e. a
> >> > JScript]). This spawned process needs to open an ODBC connection to a SQL
> >> > server on another computer in the network. WMI is currently running as
> >> > (i.e. "Log on As") LocalSystem (again this is W2K). I tried to change the
> >> > "Log on As" to a local system account that has the proper privileges to the
> >> > ODBC connection. I verified that this account had the "Log on as a service"
> >> > local policy. When I try to start WMI using the new account though it fails
> >> > to start. The event log did not offer any clues. Does any one have any
> >> > thoughts on:
> >> > 1. What might be making WMI fail to start when it is changed from
> >> > LocalSystem to another user account (do I need to change something in
> >> > dcomcfg?)
> >> > 2. If WMI has any dependency services and if so, do they need to be changed
> >> > to the other user account as well?
> >> > 3. What security auditing can I enable to troubleshoot this type of
> >> > problem?
> >> >
> >> > Thanks in advance,
> >> >
> >> > Anthony LaMark
> >> > eXc Software
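
The staged check described in the reply above (explicit SQL account first, then trusted connection), as an added example that is not part of the original thread. It is a JScript file for cscript.exe, to be run in the same context as the spawned script; the server, database and login values are passed as arguments and are placeholders, and the `{SQL Server}` ODBC driver name is an assumption about the client machine.

```javascript
// Added example: two-stage ODBC check for Windows Script Host (cscript //nologo probe.js).
// Server, database and login names are placeholders, not values from the thread.

// Build an ODBC connection string for one of the two authentication modes.
function buildConnStr(server, database, sqlUser, sqlPassword) {
    var base = "Driver={SQL Server};Server=" + server + ";Database=" + database + ";";
    if (sqlUser) {                              // stage 1: explicit SQL account
        return base + "Uid=" + sqlUser + ";Pwd=" + sqlPassword + ";";
    }
    return base + "Trusted_Connection=Yes;";    // stage 2: identity that owns the process
}

// Open the connection and ask SQL Server which login it saw.
function probe(connStr) {
    try {
        var conn = new ActiveXObject("ADODB.Connection");
        conn.Open(connStr);
        var rs = conn.Execute("SELECT SUSER_SNAME()");
        var login = String(rs.Fields(0).Value);
        conn.Close();
        return { ok: true, detail: login };
    } catch (e) {
        return { ok: false, detail: e.message || String(e) };
    }
}

// Turn the two results into the conclusion the staged approach allows.
function diagnose(sqlAuth, trusted) {
    if (!sqlAuth.ok) {
        return "SQL account failed: fix driver, network path, SQL login or database grants first";
    }
    if (!trusted.ok) {
        return "Only the trusted connection failed: check the process identity and its SQL login";
    }
    return "Both succeeded: trusted connection arrived as " + trusted.detail;
}

// Runs only under Windows Script Host; args: server database sqlUser sqlPassword
if (typeof WScript !== "undefined") {
    var a = WScript.Arguments;
    var r1 = probe(buildConnStr(a.Item(0), a.Item(1), a.Item(2), a.Item(3)));
    var r2 = probe(buildConnStr(a.Item(0), a.Item(1), null, null));
    WScript.Echo("SQL account: " + (r1.ok ? "ok as " : "failed: ") + r1.detail);
    WScript.Echo("Trusted:     " + (r2.ok ? "ok as " : "failed: ") + r2.detail);
    WScript.Echo(diagnose(r1, r2));
}
```

Use a throwaway, low-privilege SQL login for stage 1, since the password is passed on the command line.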