Categories

WMI, WSMAN, CIM and Authentication

Authentication parameters in WMI, WSMAN and the new CIM cmdlets can be confusing.

The PowerShell WMI cmdlets have an Authentication parameter that uses DCOM authentication. Using the Authentication parameter with the WMI cmdlets was explained here
http://msmvps.com/blogs/richardsiddaway/archive/2011/08/04/authentication-impersonation-and-privileges.aspx

 


This is not present on the WSMAN cmdlets (in PowerShell v2 and v3 CTP 2) and the new CIM cmdlets (in PowerShell v3 CTP 2)

 

The Authentication parameter is not required on the WSMAN and CIM cmdlets as it provides DCOM authentication. WSMAN bypasses DCOM and by default the CIM cmdlets use WSMAN to access remote machines.

 

The following tests are all run in a Windows 2008 R2 domain.

We will use the IIS WMI provider because it explicitly requires Packet Privacy for remote access

Target is Microsoft Windows Web Server 2008 R2 SP 1.  PS Remoting is emabled to ensure WSMAN configured.
PowerShell v2 is installed.

Running locally on the target
Get-WmiObject -Namespace 'root\webadministration' -Class Site

works as we would expect

############################################################################################
Running the same command from a different machine:
Windows 2008 R2 SP 1 with PowerShell v2.  This machine is a domain controller

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201
Get-WmiObject : Access denied
At line:1 char:14
+ Get-WmiObject <<<<  -Namespace 'root\webadministration' -Class Site -ComputerName webr201
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201 -Authentication 6


__GENUS                    : 2
__CLASS                    : Site
__SUPERCLASS               : ConfiguredObject
__DYNASTY                  : Object
__RELPATH                  : Site.Name="Default Web Site"
__PROPERTY_COUNT           : 10
__DERIVATION               : {ConfiguredObject, Object}
__SERVER                   : WEBR201
__NAMESPACE                : root\webadministration
__PATH                     : \\WEBR201\root\webadministration:Site.Name="Default Web Site"
ApplicationDefaults        : System.Management.ManagementBaseObject
Bindings                   : {System.Management.ManagementBaseObject}
FtpServer                  : System.Management.ManagementBaseObject
Id                         : 1
Limits                     : System.Management.ManagementBaseObject
LogFile                    : System.Management.ManagementBaseObject
Name                       : Default Web Site
ServerAutoStart            : True
TraceFailedRequestsLogging : System.Management.ManagementBaseObject
VirtualDirectoryDefaults   : System.Management.ManagementBaseObject


Notice we need the -Authentication 6 (enables Packet Privacy DCOM authentication)

using the WSMAN cmdlets

PS> $uri = "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/*"
PS> $filter = "SELECT * FROM Site"
PS> Get-WSManInstance -ResourceURI $uri -Enumerate -Dialect WQL -Filter $filter -ComputerName webr201


xsi                        : http://www.w3.org/2001/XMLSchema-instance
p                          : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/Site
cim                        : http://schemas.dmtf.org/wbem/wscim/1/common
type                       : p:Site_Type
lang                       : en-US
ApplicationDefaults        : ApplicationDefaults
Bindings                   : Bindings
FtpServer                  : FtpServer
Id                         : 1
Limits                     : Limits
LogFile                    : LogFile
Name                       : Default Web Site
ServerAutoStart            : true
TraceFailedRequestsLogging : TraceFailedRequestsLogging
VirtualDirectoryDefaults   : VirtualDirectoryDefaults


Notice that we don't have to use an -Authentication parameter because we are not using DCOM

##########################################################################################
Repeat test on non domain controller
Windows 7 SP 1 PowerShell 2

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201
Get-WmiObject : Access denied
At line:1 char:14
+ Get-WmiObject <<<<  -Namespace 'root\webadministration' -Class Site -ComputerName webr201
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201 -Authentication 6


__GENUS                    : 2
__CLASS                    : Site
__SUPERCLASS               : ConfiguredObject
__DYNASTY                  : Object
__RELPATH                  : Site.Name="Default Web Site"
__PROPERTY_COUNT           : 10
__DERIVATION               : {ConfiguredObject, Object}
__SERVER                   : WEBR201
__NAMESPACE                : root\webadministration
__PATH                     : \\WEBR201\root\webadministration:Site.Name="Default Web Site"
ApplicationDefaults        : System.Management.ManagementBaseObject
Bindings                   : {System.Management.ManagementBaseObject}
FtpServer                  : System.Management.ManagementBaseObject
Id                         : 1
Limits                     : System.Management.ManagementBaseObject
LogFile                    : System.Management.ManagementBaseObject
Name                       : Default Web Site
ServerAutoStart            : True
TraceFailedRequestsLogging : System.Management.ManagementBaseObject
VirtualDirectoryDefaults   : System.Management.ManagementBaseObject


Now WSMAN

PS> $uri = "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/*"
PS> $filter = "SELECT * FROM Site"
PS> Get-WSManInstance -ResourceURI $uri -Enumerate -Dialect WQL -Filter $filter -ComputerName webr201


xsi                        : http://www.w3.org/2001/XMLSchema-instance
p                          : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/Site
cim                        : http://schemas.dmtf.org/wbem/wscim/1/common
type                       : p:Site_Type
lang                       : en-US
ApplicationDefaults        : ApplicationDefaults
Bindings                   : Bindings
FtpServer                  : FtpServer
Id                         : 1
Limits                     : Limits
LogFile                    : LogFile
Name                       : Default Web Site
ServerAutoStart            : true
TraceFailedRequestsLogging : TraceFailedRequestsLogging
VirtualDirectoryDefaults   : VirtualDirectoryDefaults


#############################################################################################
Repeat on Windows 7 SP 1 running PowerShell v3 CTP 2

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201
Get-WmiObject : Access denied
At line:1 char:1
+ Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201 -Authentication 6


__GENUS                    : 2
__CLASS                    : Site
__SUPERCLASS               : ConfiguredObject
__DYNASTY                  : Object
__RELPATH                  : Site.Name="Default Web Site"
__PROPERTY_COUNT           : 10
__DERIVATION               : {ConfiguredObject, Object}
__SERVER                   : WEBR201
__NAMESPACE                : root\webadministration
__PATH                     : \\WEBR201\root\webadministration:Site.Name="Default Web Site"
ApplicationDefaults        : System.Management.ManagementBaseObject
Bindings                   : {System.Management.ManagementBaseObject}
FtpServer                  : System.Management.ManagementBaseObject
Id                         : 1
Limits                     : System.Management.ManagementBaseObject
LogFile                    : System.Management.ManagementBaseObject
Name                       : Default Web Site
ServerAutoStart            : True
TraceFailedRequestsLogging : System.Management.ManagementBaseObject
VirtualDirectoryDefaults   : System.Management.ManagementBaseObject
PSComputerName             : WEBR201

Now repeat the WSMAN test
PS> $uri = "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/*"
PS> $filter = "SELECT * FROM Site"
PS> Get-WSManInstance -ResourceURI $uri -Enumerate -Dialect WQL -Filter $filter -ComputerName webr201


xsi                        : http://www.w3.org/2001/XMLSchema-instance
p                          : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/Site
cim                        : http://schemas.dmtf.org/wbem/wscim/1/common
type                       : p:Site_Type
lang                       : en-US
ApplicationDefaults        : ApplicationDefaults
Bindings                   : Bindings
FtpServer                  : FtpServer
Id                         : 1
Limits                     : Limits
LogFile                    : LogFile
Name                       : Default Web Site
ServerAutoStart            : true
TraceFailedRequestsLogging : TraceFailedRequestsLogging
VirtualDirectoryDefaults   : VirtualDirectoryDefaults

#############################################################################################
Now we look at the CIM cmdlets. They use WSMAN by default as the remote access mechanism
Windows 7 SP 1 with PowerShell v3 CTP 2

PS> Get-CimInstance -ClassName site -Namespace 'root/webadministration' -ComputerName Webr201
Get-CimInstance : The WS-Management service cannot process the request. A DMTF resource URI was used to access a
non-DMTF class. Try again using a non-DMTF resource URI.
At line:1 char:1
+ Get-CimInstance -ClassName site -Namespace 'root/webadministration' -ComputerNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Win7Test.Manticore.org:) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : 2150859065,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand


Now lets install PowerShell v3 CTP 2 on the remote machine and repeat. Remember that .NET 4 is required for PowerShell v3

PS> Get-CimInstance -ClassName site -Namespace 'root/webadministration' -ComputerName Webr201


ApplicationDefaults        : ApplicationElementDefaults
Bindings                   : {BindingElement (Protocol = "http"), BindingElement (Protocol = "net.tcp"),
                             BindingElement (Protocol = "net.pipe"), BindingElement (Protocol = "net.msmq")...}
FtpServer                  : FtpServerSettings
Id                         : 1
Limits                     : SiteLimits
LogFile                    : SiteLogFile
Name                       : Default Web Site
ServerAutoStart            : true
TraceFailedRequestsLogging : TraceFailedRequestsLogging
VirtualDirectoryDefaults   : VirtualDirectoryElementDefaults

This now works because the WSMAN stacks on the local and remote machine are now running at version 3.0

Conclusions
1. To access the root\webadministration classes locally via WMI cmdlets we use the default DCOM authentication
2. To access the root\webadministration classes remotely via WMI cmdlets we use Packet Privacy DCOM authentication (-Authentication 6) with PowerShell v2 or v3
3. To access the root\webadministration classes remotely via WSMAN cmdlets we don't need an Authentication parameter with PowerShell v2 or PowerShell v3
4. To access the root\webadministration classes remotely via CIM cmdlets the local and remote machine need to be running PowerShell v3 and WSMAN 3.0

Leave a Reply