Discussion:
Problem with CoSetProxyBlanket and WMI/WBEM, please help!!
elazar
2004-08-06 04:01:07 UTC
Hi,
I am trying to use CoSetProxyBlanket with WMI's scripting interface
and the call keeps returning with E_INVALIDINTERFACE(80004002). Here's
my scenario, I am a domain reseller, and I am handling DNS for my
customers. I want to give them access to their DNS records, and the
only way to do this is through WMI. I don't want to give the
IWAM_Computer account access to WMI because of security reasons. So
what I want to do is write a component to act as proxy between IIS and
WMI that will connect to WMI using different credentials. I copied the
code from Microsoft's site that shows you how to use CoSetProxyBlanket
in Visual Basic (my preferred language), and it keeps failing. Here's
the code:

----------------------------------------------
249636 - How To Use the CoSetProxyBlanket Function in Visual Basic
http://support.microsoft.com/default.aspx?scid=kb;EN-US;249636
----------------------------------------------
Option Explicit

' Authentication service provider constants
' the default should be used.
Public Const RPC_C_AUTHN_NONE As Long = 0
Public Const RPC_C_AUTHN_WINNT As Long = 10
Public Const RPC_C_AUTHN_DEFAULT As Long = &HFFFFFFFF

' Authorization Services
Public Const RPC_C_AUTHZ_NONE As Long = 0
Public Const RPC_C_AUTHZ_NAME As Long = 1
Public Const RPC_C_AUTHZ_DCE As Long = 2
Public Const RPC_C_AUTHZ_DEFAULT As Long = &HFFFFFFFF

' Authentication level constants
Public Const RPC_C_AUTHN_LEVEL_DEFAULT As Long = 0
Public Const RPC_C_AUTHN_LEVEL_NONE As Long = 1
Public Const RPC_C_AUTHN_LEVEL_CONNECT As Long = 2
Public Const RPC_C_AUTHN_LEVEL_CALL As Long = 3
Public Const RPC_C_AUTHN_LEVEL_PKT As Long = 4
Public Const RPC_C_AUTHN_LEVEL_PKT_INTEGRITY As Long = 5
Public Const RPC_C_AUTHN_LEVEL_PKT_PRIVACY As Long = 6

' Impersonation level constants
Public Const RPC_C_IMP_LEVEL_ANONYMOUS As Long = 1
Public Const RPC_C_IMP_LEVEL_IDENTIFY As Long = 2
Public Const RPC_C_IMP_LEVEL_IMPERSONATE As Long = 3
Public Const RPC_C_IMP_LEVEL_DELEGATE As Long = 4

' Constants for the capabilities
Public Const API_NULL As Long = 0
Public Const S_OK As Long = 0
Public Const EOAC_NONE As Long = &H0
Public Const EOAC_MUTUAL_AUTH As Long = &H1
Public Const EOAC_CLOAKING As Long = &H10
Public Const EOAC_SECURE_REFS As Long = &H2
Public Const EOAC_ACCESS_CONTROL As Long = &H4
Public Const EOAC_APPID As Long = &H8

' Function Declaration
Public Declare Function CoSetProxyBlanket Lib "OLE32.DLL" ( _
ByVal pSD As Object, _
ByVal dwAuthnSvc As Long, _
ByVal dwAuthzSvc As Long, _
ByVal pServerPrincName As Long, _
ByVal dwAuthnlevel As Long, _
ByVal dwImpLevel As Long, _
ByVal pAuthInfo As Long, _
ByVal dwCapabilities As Long _
) As Long

' the object is instantiated this way (not with the 'New' statement)
' so that security can be set before the object is created.

Dim MyObj As MyLib.MyClass ' substitute MyLib.MyClass with WBEMScripting.SWBEMLocator

Dim MyUnk As stdole.IUnknown
Dim hr As Long

' instantiate object requesting IUnknown interface
Set MyUnk = New MyLib.MyClass

' setting security on IUnknown
hr = CoSetProxyBlanket(MyUnk, _
RPC_C_AUTHN_WINNT, _
RPC_C_AUTHZ_DEFAULT, _
ByVal API_NULL, _
RPC_C_AUTHN_LEVEL_NONE, _
RPC_C_IMP_LEVEL_IDENTIFY, _
API_NULL, _
EOAC_NONE)

If (S_OK <> hr) Then
MsgBox "CoSetProxyBlanket on IUnknown failed with error code: " _
& hr & " 0x", vbCritical, "CoSetProxyBlanket Failure"
Exit Sub ' or Exit Function
End If

' Querying for the default interface
Set MyObj = MyUnk

' setting security on the default interface
hr = CoSetProxyBlanket(MyObj, _
RPC_C_AUTHN_WINNT, _
RPC_C_AUTHZ_DEFAULT, _
ByVal API_NULL, _
RPC_C_AUTHN_LEVEL_NONE, _
RPC_C_IMP_LEVEL_IDENTIFY, _
API_NULL, _
EOAC_NONE)

If (S_OK <> hr) Then
MsgBox "CoSetProxyBlanket failed with error code: " & hr & " 0x" _
, vbCritical, "CoSetProxyBlanket Failure"
Exit Sub ' or Exit Function
End If

' you can now call methods in your object
MyObj.MyMethod
-------------------------------------------------------------------------------
I think it's failing because no interface is created until the
ConnectServer (method of SWBEMLocator class) function is called, but I
don't know for sure. If anyone can enlighten me on this, it would be
much appreciated. If you post any code, please try to do it in Visual
Basic as that is my stronger language (I can understand VC++ too, but
not as well). You can e-mail me or post a reply.

Thanks,
Elazar
Alexander Nickolov
2004-08-06 16:34:41 UTC
CoSetProxyBlanket only works on standard proxies, not
on direct pointers (nor custom marshaled objects). Since
AFAIK WMI is in-proc, unless you have an incompatible
apartment type (which would not be possible if its threading
model is both), you can't set a security blanket on it.
--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD
email: ***@mvps.org
MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================
elazar
2004-08-08 01:55:04 UTC
Then how would I set security on the WBEM locator interface?
Alexander Nickolov
2004-08-09 17:38:38 UTC
You impersonate another user on the thread that you call it from.
--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD
email: ***@mvps.org
MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================
elazar
2004-08-11 04:05:54 UTC
How would I do this from Active Server Pages? Would I have to write a
DLL that imports the WBEM locator interface and set COM+ permissions
on that DLL (which I would rather not do) to allow the IWAM_Computer
account to access it, or is there a way to do it with
CoInitializeSecurity?
Alexander Nickolov
2004-08-11 06:05:02 UTC
Obviously not from the script directly, you need code written
in C++. Check out LogonUser, ImpersonateLoggedOnUser,
RevertToSelf. Using COM+ the way you suggest is even simpler,
just ensure your COM+ component is set to run in a separate
process and you can pick the user it runs under (I think). For
COM+ questions, your best bet would be:

microsoft.public.platformsdk.complus_mts
--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD
email: ***@mvps.org
MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================
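
The LogonUser / ImpersonateLoggedOnUser / RevertToSelf sequence named in the reply above, as an added example that is not part of the original thread, written in VB6 (the language the poster asked for) as a class in an ActiveX DLL. The class name DnsBroker and method ListARecords are hypothetical; it assumes the WMI scripting library makes its local call with the thread's impersonation token and that the calling process is allowed to call LogonUser on its Windows version.

```vb
Option Explicit

' Win32 declarations for the three calls named in the reply, plus CloseHandle.
Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, ByRef phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" ( _
    ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32" ( _
    ByVal hObject As Long) As Long

' Network logon: no cached credentials, sufficient for local resources.
Private Const LOGON32_LOGON_NETWORK As Long = 3
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0

' Hypothetical broker method: returns "owner=address" lines for one zone's
' A records. User/Domain/Password identify a dedicated low-privilege account
' and should come from protected configuration, never from the ASP request.
Public Function ListARecords(ByVal Zone As String, ByVal User As String, _
        ByVal Domain As String, ByVal Password As String) As String
    Dim hToken As Long
    Dim impersonating As Boolean
    Dim svc As Object, rec As Object
    Dim result As String
    Dim errNum As Long, errDesc As String

    ' Zone arrives from a web customer and is placed in a WQL string below,
    ' so reject anything that is not a plain DNS name.
    If Len(Zone) = 0 Or Len(Zone) > 253 Or Zone Like "*[!A-Za-z0-9.-]*" Then
        Err.Raise vbObjectError + 1, "DnsBroker", "Invalid zone name"
    End If

    If LogonUser(User, Domain, Password, LOGON32_LOGON_NETWORK, _
                 LOGON32_PROVIDER_DEFAULT, hToken) = 0 Then
        Err.Raise vbObjectError + 2, "DnsBroker", _
                  "LogonUser failed, Win32 error " & Err.LastDllError
    End If

    ' From here on every exit path goes through CleanUp.
    On Error GoTo CleanUp
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        Err.Raise vbObjectError + 3, "DnsBroker", _
                  "ImpersonateLoggedOnUser failed, Win32 error " & Err.LastDllError
    End If
    impersonating = True

    ' Assumption: the scripting API connects as the impersonated account.
    Set svc = GetObject( _
        "winmgmts:{impersonationLevel=impersonate}!\\.\root\MicrosoftDNS")
    For Each rec In svc.ExecQuery( _
            "SELECT OwnerName, IPAddress FROM MicrosoftDNS_AType " & _
            "WHERE ContainerName = '" & Zone & "'")
        result = result & rec.OwnerName & "=" & rec.IPAddress & vbCrLf
    Next

CleanUp:
    ' Remember any error, then undo the identity switch before leaving.
    errNum = Err.Number: errDesc = Err.Description
    Set rec = Nothing: Set svc = Nothing
    If impersonating Then RevertToSelf
    If hToken <> 0 Then CloseHandle hToken
    If errNum <> 0 Then Err.Raise errNum, "DnsBroker", errDesc
    ListARecords = result
End Function
```

The CleanUp path matters more than the happy path: a worker thread that returns to the IIS pool without RevertToSelf keeps serving later requests under the broker account.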
elazar
2004-08-11 06:59:54 UTC
Post by Alexander Nickolov
You impersonate another user on the thread that you call it from.
I did a little research on the LogonUser method and the
ImpersonateLoggedOnUser method. I know it is possible to do what I
need this way, however I know that Microsoft does not recommend this,
and this way takes up a nice amount of system resources. Is there any
other way to access WMI using a different user other than the one that
is making the call (i.e. the one that is logged on, or in IIS the
IWAM_Computer account) to it on the local machine?
Post by Alexander Nickolov
--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD
MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================
Post by elazar
Then how would I set security on the WMBEM locator interface?
Post by Alexander Nickolov
CoSetProxyBlanket only works on standard proxies, not
on direct pointers (nor custom marshaled objects). Since
AFAIK WMI is in-proc, unless you have an incompatible
apartment type (which would not be possible if its threading
model is both), you can't set a security blanket on it.
--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD
MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================
Post by elazar
Hi,
I am trying to use CoSetProxyBlanket with WMI's scripting interface
and the call keeps returning with E_INVALIDINTERFACE (80004002). Here's
my scenario: I am a domain reseller, and I am handling DNS for my
customers. I want to give them access to their DNS records, and the
only way to do this is through WMI. I don't want to give the
IWAM_Computer account access to WMI because of security reasons. So
what I want to do is write a component to act as proxy between IIS and
WMI that will connect to WMI using different credentials. I copied the
code from Microsoft's site that shows you how to use CoSetProxyBlanket
in Visual Basic (my preferred language), and it keeps failing. Here's
----------------------------------------------
249636 - How To Use the CoSetProxyBlanket Function in Visual Basic
http://support.microsoft.com/default.aspx?scid=kb;EN-US;249636
----------------------------------------------
Option Explicit
' Authentication service provider constants
' the default should be used.
Public Const RPC_C_AUTHN_NONE As Long = 0
Public Const RPC_C_AUTHN_WINNT As Long = 10
Public Const RPC_C_AUTHN_DEFAULT As Long = &HFFFFFFFF
' Authorization Services
Public Const RPC_C_AUTHZ_NONE As Long = 0
Public Const RPC_C_AUTHZ_NAME As Long = 1
Public Const RPC_C_AUTHZ_DCE As Long = 2
Public Const RPC_C_AUTHZ_DEFAULT As Long = &HFFFFFFFF
' Authentication level constants
Public Const RPC_C_AUTHN_LEVEL_DEFAULT As Long = 0
Public Const RPC_C_AUTHN_LEVEL_NONE As Long = 1
Public Const RPC_C_AUTHN_LEVEL_CONNECT As Long = 2
Public Const RPC_C_AUTHN_LEVEL_CALL As Long = 3
Public Const RPC_C_AUTHN_LEVEL_PKT As Long = 4
Public Const RPC_C_AUTHN_LEVEL_PKT_INTEGRITY As Long = 5
Public Const RPC_C_AUTHN_LEVEL_PKT_PRIVACY As Long = 6
' Impersonation level constants
Public Const RPC_C_IMP_LEVEL_ANONYMOUS As Long = 1
Public Const RPC_C_IMP_LEVEL_IDENTIFY As Long = 2
Public Const RPC_C_IMP_LEVEL_IMPERSONATE As Long = 3
Public Const RPC_C_IMP_LEVEL_DELEGATE As Long = 4
' Constants for the capabilities
Public Const API_NULL As Long = 0
Public Const S_OK As Long = 0
Public Const EOAC_NONE As Long = &H0
Public Const EOAC_MUTUAL_AUTH As Long = &H1
Public Const EOAC_CLOAKING As Long = &H10
Public Const EOAC_SECURE_REFS As Long = &H2
Public Const EOAC_ACCESS_CONTROL As Long = &H4
Public Const EOAC_APPID As Long = &H8
' Function Declaration
Public Declare Function CoSetProxyBlanket Lib "OLE32.DLL" ( _
ByVal pSD As Object, _
ByVal dwAuthnSvc As Long, _
ByVal dwAuthzSvc As Long, _
ByVal pServerPrincName As Long, _
ByVal dwAuthnlevel As Long, _
ByVal dwImpLevel As Long, _
ByVal pAuthInfo As Long, _
ByVal dwCapabilities As Long _
) As Long
' the object is instantiated this way (not with the 'New' statement)
' so that security can be set before the object is created.
Dim MyObj As MyLib.MyClass ' substitute MyLib.MyClass with
' WBEMScripting.SWBEMLocator
Dim MyUnk As stdole.IUnknown
Dim hr As Long
' instantiate object requesting IUnknown interface
Set MyUnk = New MyLib.MyClass
' setting security on IUnknown
hr = CoSetProxyBlanket(MyUnk, _
RPC_C_AUTHN_WINNT, _
RPC_C_AUTHZ_DEFAULT, _
ByVal API_NULL, _
RPC_C_AUTHN_LEVEL_NONE, _
RPC_C_IMP_LEVEL_IDENTIFY, _
API_NULL, _
EOAC_NONE)
If (S_OK <> hr) Then
MsgBox "CoSetProxyBlanket failed with error code: " _
& hr & " 0x", vbCritical, "CoSetProxyBlanket Failure"
Exit Sub ' or Exit Function
End If
' Querying for the default interface
Set MyObj = MyUnk
' setting security on the default interface
hr = CoSetProxyBlanket(MyObj, _
RPC_C_AUTHN_WINNT, _
RPC_C_AUTHZ_DEFAULT, _
ByVal API_NULL, _
RPC_C_AUTHN_LEVEL_NONE, _
RPC_C_IMP_LEVEL_IDENTIFY, _
API_NULL, _
EOAC_NONE)
If (S_OK <> hr) Then
MsgBox "CoSetProxyBlanket failed with error code: " & hr & " 0x" _
, vbCritical, "CoSetProxyBlanket Failure"
Exit Sub ' or Exit Function
End If
' you can now call methods in your object
MyObj.MyMethod
--------------------------------------------------------------------------
Post by elazar
I think it's failing because no interface is created until the
ConnectServer (method of SWBEMLocator class) function is called, but I
don't know for sure. If anyone can enlighten me on this, it would be
much appreciated. If you post any code, please try to do it in Visual
Basic as that is my stronger language (I can understand VC++ too, but
not as well). You can e-mail me or post a reply.
Thanks,
Elazar
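An added example, not part of the thread and not code from the KB article: the WMI scripting API carries its own security settings on the Security_ property (an SWbemSecurity object) of SWbemLocator, so the authentication and impersonation levels can be set there when CoSetProxyBlanket cannot be applied to the in-proc locator. The helper name ConnectWmi and its parameters are assumptions made for illustration; the error handler covers the case where WMI refuses an explicit user name and password for a connection to the local machine.

```vb
Option Explicit

' Values from WbemImpersonationLevelEnum / WbemAuthenticationLevelEnum.
Private Const wbemImpersonationLevelImpersonate As Long = 3
Private Const wbemAuthenticationLevelPktPrivacy As Long = 6
' WBEM_E_LOCAL_CREDENTIALS: explicit credentials supplied for a local connection.
Private Const WBEM_E_LOCAL_CREDENTIALS As Long = &H80041064

' Hypothetical helper (name and parameters are assumptions, not from the thread).
' Connects to a WMI namespace with security set through SWbemSecurity
' instead of CoSetProxyBlanket. Pass empty strings for user and password
' to connect as the calling identity.
Public Function ConnectWmi(ByVal server As String, ByVal ns As String, _
                           ByVal user As String, ByVal password As String) As Object
    Dim locator As Object
    Dim services As Object

    Set locator = CreateObject("WbemScripting.SWbemLocator")

    ' Security defaults for the connection the locator is about to make:
    ' impersonate (not delegate) and encrypt every packet.
    locator.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
    locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy

    On Error GoTo Failed
    If Len(user) = 0 Then
        Set services = locator.ConnectServer(server, ns)
    Else
        Set services = locator.ConnectServer(server, ns, user, password)
    End If
    On Error GoTo 0

    Set ConnectWmi = services
    Exit Function

Failed:
    If Err.Number = WBEM_E_LOCAL_CREDENTIALS Then
        Err.Raise Err.Number, "ConnectWmi", _
            "WMI does not accept an explicit user name and password " & _
            "for a connection to the local machine."
    End If
    ' Any other failure is passed to the caller unchanged.
    Err.Raise Err.Number, Err.Source, Err.Description
End Function
```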