5

I have an IIS 7.5 web site running "classic" ASP code (not ASP.NET) where the site is running under the normal service context, and only "Windows Authentication" is enabled. Users and navigate the site without any problem, regardless of having implicit admin rights on the IIS host or not (most do not). However, when I try to execute a common Win32_PingStatus request within the ASP code, it fails unless the user has admin rights on the IIS host. Here's my code...

On Error Resume Next
asset = "Computer123"

pingtest = False
query = "Select StatusCode, Address FROM Win32_PingStatus " & _
  "WHERE Address=" & Chr(34) & asset & Chr(34)
Set colPingStatus = GetObject("winmgmts:" &_ 
  "{impersonationLevel=impersonate}//./root/cimv2").ExecQuery(query)
If err.Number <> 0 Then
  Response.Write "Access Denied (error: " & err.Number & " / " & err.Description & ")"
  Response.End
End If

For Each objItem In colPingStatus
  If objItem.StatusCode = 0 Then
    pingtest = True
  End If
Next

If pingtest = False Then
  Response.Write asset & " is OFFLINE"
Else
  Response.Write asset & " is ONLINE"
End If

I've been trying to get my head around SWBEM and WMI impersonation capabilities, but I'm still confused as to whether it's even possible (supported or unsupported) to do this regardless of the user/browser session context. Every user is a Domain account, no anonymous users are able to access the site, so it seems (and I could be wrong) to be related to their group memberships and permissions on the IIS host.

  • what does the WMI and other logs say? It might be trying to run the WMI script with the current user's account, which would only work for admins – Lizz Feb 27 '13 at 04:55

1 Answers1

2

First is the trust level of your web site in IIS. Go into IIS and make sure it's set to full so your site can access internal server resources.

Next would be to double check that the users accessing the site are actually being authenticated and not running the code anonymously. Just to be sure check that anonymous authentication is disabled in iis and your site is forcing users to authenticate (disable ntlm automatic logon in your browser or write a user identification piece into your app to be doubly sure authentication is occuring).

Next would be to check wmi permissions for the type of users who are accessing your site. You can use wmimgmt.msc to open up the wmi security settings for your server. You can test out your wmi permissions by logging into your server with a regular user and try to execute wmi commands (you can use either powershell's get-wmiobject, wbemtest.exe or vbscript).

James Santiago
  • 876
  • 5
  • 11