3

On my new Azure 2012r2 boxes in a DMZ I can't get a WMI query to work with a FQDN reference. These queries run from the local machine, but need to reference it by FQDN to work with our monitoring solution.

It is erroring out with 'access is denied'. The hostname, public IP, loopback all work perfectly. How do I fix this?

# Same SWbemLocator call, four ways of naming the local machine
$objSWbemLocator = New-Object -ComObject WbemScripting.SWbemLocator
$objSWbemServices = $objSWbemLocator.ConnectServer("passport.external.mydomain.org")  # <-- Broken: 'access is denied'
$objSWbemServices = $objSWbemLocator.ConnectServer("passport")                        # hostname: works
$objSWbemServices = $objSWbemLocator.ConnectServer("127.0.0.1")                       # loopback: works
$objSWbemServices = $objSWbemLocator.ConnectServer("10.15.14.7")                      # IP address: works

I did some digging and it looks like I'm getting a network logon failure corresponding to these WMI issues. It varies slightly - depending on if I've added passport.external.mydomain.org to the HOSTS file on the loopback address - but it's always logon type 3 (network) with a status of 0xC000006D (bad username or authentication information).

Tim Brigham

1 Answer

4

This is a security measure, in place to deter attacks that rely on pointing remote service names back to the loopback address (127.0.0.1) for further exploitation.

You can allow certain FQDNs to represent the loopback interface by disabling strict name checking and adding the FQDNs to the registry:

Disable strict name checking:

Set-ItemProperty HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters DisableStrictNameChecking -Value 1 -Type DWord -Force

Add the FQDNs to the registry:

Set-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0 BackConnectionHostNames -Value "passport.external.mydomain.org" -Type MultiString -Force
Mathias R. Jessen
    Thanks Mathias you are a life saver. I had found the strict name checking information shortly after posting but not adding the FQDNs to the registry. – Tim Brigham Sep 23 '16 at 13:34
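The two registry changes from the answer combined into one script, as an added example that is not part of the question or the answer. It merges the new FQDN into BackConnectionHostNames instead of overwriting the value (a plain Set-ItemProperty replaces any alias already listed there), warns if the broader DisableLoopbackCheck switch is already on, and then repeats the SWbemLocator call from the question to confirm the name now connects. The hostname, the root\cimv2 namespace and the test query are assumptions; run it elevated.

```powershell
# Added example: allow one specific FQDN to reach this host's WMI/SMB services
# locally while keeping the loopback protection for every other name.
#Requires -RunAsAdministrator
param(
    # Assumed value, taken from the question; pass your own FQDN(s)
    [string[]]$HostNames = @('passport.external.mydomain.org')
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Strict name checking (SMB side): let the Server service answer to names
#    other than its own NetBIOS/DNS name.
Set-ItemProperty -Path $srvKey -Name DisableStrictNameChecking -Value 1 -Type DWord -Force

# 2. BackConnectionHostNames is REG_MULTI_SZ: merge, de-duplicate and drop
#    empty entries so an alias that is already listed is not clobbered.
$existing = (Get-ItemProperty -Path $lsaKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged = @(@($existing) + @($HostNames) | Where-Object { $_ } | Select-Object -Unique)
Set-ItemProperty -Path $lsaKey -Name BackConnectionHostNames -Value $merged -Type MultiString -Force
"BackConnectionHostNames is now: {0}" -f ($merged -join ', ')

# Sanity check: DisableLoopbackCheck=1 switches the protection off for every
# name; the per-name list above is the narrower setting, so flag it if present.
$loopback = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($loopback -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set; consider removing it now that the FQDN is allowed explicitly.'
}

# 3. Verify with the same COM call the question uses (assumed namespace/query).
$locator = New-Object -ComObject WbemScripting.SWbemLocator
foreach ($name in $HostNames) {
    try {
        $svc = $locator.ConnectServer($name, 'root\cimv2')
        $os  = $svc.ExecQuery('SELECT Caption FROM Win32_OperatingSystem')
        foreach ($o in $os) { "{0}: OK ({1})" -f $name, $o.Caption }
    } catch {
        "{0}: FAILED - {1}" -f $name, $_.Exception.Message
    }
}
```

If the verification step still reports access denied immediately after the change, restart the Server service (or reboot) and run the check again, since the LanmanServer parameter is read at service start.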