Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/20/04
- Next message: Roger Abell: "Re: Where can I get a simple user log....?"
- Previous message: Roger Abell: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- In reply to: Anthony LaMark: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Next in thread: Roger Abell: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 20 Aug 2004 08:07:26 -0700
Anthony,
I forgot to add, per your ?? about the $ on the machine account.
If you select the MachineName account with the object picker
you will be fine. The machine accounts in AD are created with
the (hidden) $ on the Sam account name if they are initially
created with the UI or dsadd letting the Sam name default, but
the UI shows the name without the $.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
news:eJ5E%23HVhEHA.244@TK2MSFTNGP10.phx.gbl...
> Hi Roger,
>
> Thanks! The computer does belong to a domain. Your answer was great but I
> still have several specific questions before I can solve this security
> problem:
>
> The problem:
>
> ComputerA's WMI service (running as LocalSystem) wants to use a System DSN
> ODBC connection to one of ComputerB's MS SQL2000 database instances. Both
> ComputerA and ComputerB are in the same domain. Currently, the "Open"
> (using ADODB) of the ODBC connection fails (BTW but works just fine if you
> run as the interactive user).
>
> What you taught me:
>
> If a server is in a domain, it actually has its own security principal
> called MachineName$ (BTW should the $ be taken literally?). If you want a
> service (running as LocalSystem) running on the server to be able to access
> "network resources" (in this case, to use ODBC to access a database on
> another computer within the domain) then you can modify the "network
> resources" Access Control Lists (ACLs...specifically DACLs) by adding the
> MachineName$ via Active Directory and giving the LocalSystem account local
> privileges to access these "network resources".
>
> What I don't understand:
>
> 1. When a service/process opens an ODBC connection, what are the "network
> resources" (AccessCheck'ed) that get performed given that the ODBC
> connection is on a different computer (see "The problem" above)?
> What "network resources" do these AccessChecks get applied to? My guess
> would be:
> A. Network access
> B. ComputerB
> C. The SQL database
> 2. What privileges (using the Local Security Policy?) do I need to give to
> the LocalSystem account?
> 3. Do I need to do anything to the MachineName$ account in AD other than
> modifying the "network resources" ACLs?
>
> Thanks for your patience and help in this matter,
>
> Anthony LaMark
> eXc Software
>
>
> So, based on what you said, can I go to AD and give the computer
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:efwntUMhEHA.3944@tk2msftngp13.phx.gbl...
> > A computer principal will have no rights beyond itself if not in
> > a domain.
> > The ODBC configuration dialog you mention is asking for
> > an identity to use while defining the connection. It is not
> > the identity that will be used when the connection is used.
> > When the application instances the connection it can provide
> > credential to be used if those are for a SQL account. If one
> > uses Windows integrated security, then the identity that owns
> > the process where the connection is established is what is
> > used. Either way, a Windows identity or a SQL account,
> > that identity needs to have been granted the needed login
> > and database permissions in SQL.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCDBA, MCSE W2k3+W2k+Nt4
> > "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
> > news:OuiLEQGhEHA.2812@tk2msftngp13.phx.gbl...
> > > Hi,
> > >
> > > Thank you for these suggestions:
> > >
> > > Solution 1 would cause a lot of "development" reworking so for now I
> > > would like to pursue your second solution.
> > >
> > > The problem I have now is in modifying the ODBC connection. The ODBC
> > > configuration dialog allows me to select either:
> > > "With Windows NT authentication using the network login ID" or
> > > "With SQL Server authentication using a login ID and password entered
> > > by the user"
> > >
> > > If I use "With Windows NT authentication using the network login ID",
> > > how can I get the ODBC to use the computer's security principal since
> > > the ODBC configuration dialog does not allow me to specify the user?
> > > Given that, won't the ODBC connection use the LocalSystem account since
> > > that is what WMI is running as [i.e. the original problem]?
> > >
> > > If I use "With SQL Server authentication using a login ID and password
> > > entered by the user", how can I (doing the ODBC connection
> > > configuration) and the SQL sys. admin (specifying the computer
> > > principal as a valid user for the database instance) know the password
> > > of the computer's security principal?
> > >
> > > Thanks in advance.
> > >
> > > "Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message
> > > news:u4Ohi76gEHA.384@TK2MSFTNGP10.phx.gbl...
> > >> WinMgmt was never tested in a different than LocalSystem account,
> > >> and, your mileage in running it as a different account can vary.
> > >> [BTW, in Win2000-SP4, the ability to run the WinMgmt.exe process
> > >> as a standalone DCOM server has been removed to avoid these problems].
> > >>
> > >> For your problem, there are conceptually 2 solutions:
> > >> - make the Event-Provider a standalone provider,
> > >> and run that standalone DCOM component in a service (already suggested).
> > >> - enable Mixed-Mode or Windows Authentication in the SQL server,
> > >> be sure you have a Kerberos authentication infrastructure in place,
> > >> and use the machine account (MachineName$)
> > >> as the account who performs the query.
> > >>
> > >> Starting Win2000, the machine accounts are security principals,
> > >> and they can be treated as such.
> > >>
> > >> --
> > >> This posting is provided "AS IS" with no warranties, and confers no
> > >> rights.
> > >> Use of any included script samples are subject to the terms specified at
> > >> http://www.microsoft.com/info/cpyright.htm
> > >>
> > >>
> > >> "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
> > >> news:eT0MZqZgEHA.596@TK2MSFTNGP11.phx.gbl...
> > >> > Hi All,
> > >> >
> > >> > I have a WMI Event Provider (hosted by WinMgmt since it is on Windows
> > >> > 2000) which spawns another process (cmd.exe which invokes cscript.exe
> > >> > [i.e. a JScript]). This spawned process needs to open an ODBC
> > >> > connection to a SQL server on another computer in the network. WMI is
> > >> > currently running as (i.e. "Log on As") LocalSystem (again this is
> > >> > W2K). I tried to change the "Log on As" to a local system account
> > >> > that has the proper privileges to the ODBC connection. I verified
> > >> > that this account had the "Log on as a service" local policy. When I
> > >> > try to start WMI using the new account though it fails to start. The
> > >> > event log did not offer any clues. Does any one have any thoughts on:
> > >> > 1. What might be making WMI fail to start when it is changed from
> > >> > LocalSystem to another user account (do I need to change something in
> > >> > dcomcfg?)
> > >> > 2. If WMI has any dependency services and if so, do they need to be
> > >> > changed to the other user account as well?
> > >> > 3. What security auditing can I enable to troubleshoot this type of
> > >> > problem?
> > >> >
> > >> > Thanks in advance,
> > >> >
> > >> > Anthony LaMark
> > >> > eXc Software
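The thread's recommended fix (Windows authentication from a LocalSystem process, with the SQL login granted to the domain machine account rather than to a SQL account with a shared password) reduces to a short T-SQL script on ComputerB. The script below is an added example, not code from anyone in the thread; the domain name CONTOSO, the computer name COMPUTERA, the database name EventDb and the db_datareader role are assumptions. It uses the SQL Server 2000 era stored procedures (sp_grantlogin, sp_grantdbaccess, sp_addrolemember), which the thread's SQL2000 target supports, and ends with the check a practitioner wants: the identity SQL Server actually received for the connection.

```sql
-- Added example (not from the thread): grant ComputerA's domain machine
-- account access to one database on ComputerB's SQL Server 2000 instance.
-- Assumed names: domain CONTOSO, computer COMPUTERA, database EventDb.
-- The Windows login name carries the trailing $ of the machine account.

-- 1. Windows-authenticated login for the machine account. No password is
--    stored here: the domain controller authenticates the computer (Kerberos,
--    or NTLM if Kerberos is not available), which is why the machine account
--    cannot be used with SQL Server authentication.
EXEC sp_grantlogin 'CONTOSO\COMPUTERA$'

-- 2. Map that login to a user in only the database the provider script needs.
USE EventDb
GO
EXEC sp_grantdbaccess 'CONTOSO\COMPUTERA$'

-- 3. Least privilege: a fixed database role, not db_owner and not sysadmin.
EXEC sp_addrolemember 'db_datareader', 'CONTOSO\COMPUTERA$'
-- Add write access only if the script actually inserts or updates rows:
-- EXEC sp_addrolemember 'db_datawriter', 'CONTOSO\COMPUTERA$'

-- 4. Verification, run from the spawned script through the System DSN that is
--    set to "Windows NT authentication": it returns the login SQL Server saw.
--    Expect 'CONTOSO\COMPUTERA$' when the process runs as LocalSystem on a
--    domain member; any other name means a different token (for instance the
--    interactive user) opened the connection, which explains why a test from
--    the desktop can succeed while the service fails.
SELECT SUSER_SNAME() AS authenticated_as
GO
```

Because the login is tied to the computer object, removing the computer from the domain or deleting the object also revokes the database access, and nothing in the DSN or the script holds a credential that could be read out of the ODBC configuration.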