PowerShell for Windows Admins

Dec 10 2011   6:26AM GMT

WMI, WSMAN, CIM and Authentication

Richard Siddaway

Authentication parameters in WMI, WSMAN and the new CIM cmdlets can be confusing.

The PowerShell WMI cmdlets have an Authentication parameter that uses DCOM authentication. Using the Authentication parameter with the WMI cmdlets was explained here:
http://msmvps.com/blogs/richardsiddaway/archive/2011/08/04/authentication-impersonation-and-privileges.aspx

This parameter is not present on the WSMAN cmdlets (in PowerShell v2 and v3 CTP 2) or the new CIM cmdlets (in PowerShell v3 CTP 2).

The Authentication parameter is not required on the WSMAN and CIM cmdlets because it provides DCOM authentication. WSMAN bypasses DCOM, and by default the CIM cmdlets use WSMAN to access remote machines.

The following tests are all run in a Windows 2008 R2 domain.

We will use the IIS WMI provider because it explicitly requires Packet Privacy for remote access.

Target is Microsoft Windows Web Server 2008 R2 SP 1. PS Remoting is enabled to ensure WSMAN is configured.
PowerShell v2 is installed.

Running locally on the target:
Get-WmiObject -Namespace 'root\webadministration' -Class Site

works as we would expect.

############################################################################################
Running the same command from a different machine:
Windows 2008 R2 SP 1 with PowerShell v2.  This machine is a domain controller

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201
Get-WmiObject : Access denied
At line:1 char:14
+ Get-WmiObject <<<<  -Namespace 'root\webadministration' -Class Site -ComputerName webr201
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201 -Authentication 6

__GENUS                    : 2
__CLASS                    : Site
__SUPERCLASS               : ConfiguredObject
__DYNASTY                  : Object
__RELPATH                  : Site.Name="Default Web Site"
__PROPERTY_COUNT           : 10
__DERIVATION               : {ConfiguredObject, Object}
__SERVER                   : WEBR201
__NAMESPACE                : root\webadministration
__PATH                     : \\WEBR201\root\webadministration:Site.Name="Default Web Site"
ApplicationDefaults        : System.Management.ManagementBaseObject
Bindings                   : {System.Management.ManagementBaseObject}
FtpServer                  : System.Management.ManagementBaseObject
Id                         : 1
Limits                     : System.Management.ManagementBaseObject
LogFile                    : System.Management.ManagementBaseObject
Name                       : Default Web Site
ServerAutoStart            : True
TraceFailedRequestsLogging : System.Management.ManagementBaseObject
VirtualDirectoryDefaults   : System.Management.ManagementBaseObject

Notice that we need -Authentication 6, which enables Packet Privacy DCOM authentication.

Using the WSMAN cmdlets:

PS> $uri = "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/*"
PS> $filter = "SELECT * FROM Site"
PS> Get-WSManInstance -ResourceURI $uri -Enumerate -Dialect WQL -Filter $filter -ComputerName webr201

xsi                        : http://www.w3.org/2001/XMLSchema-instance
p                          : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/Site
cim                        : http://schemas.dmtf.org/wbem/wscim/1/common
type                       : p:Site_Type
lang                       : en-US
ApplicationDefaults        : ApplicationDefaults
Bindings                   : Bindings
FtpServer                  : FtpServer
Id                         : 1
Limits                     : Limits
LogFile                    : LogFile
Name                       : Default Web Site
ServerAutoStart            : true
TraceFailedRequestsLogging : TraceFailedRequestsLogging
VirtualDirectoryDefaults   : VirtualDirectoryDefaults

Notice that we don’t have to use an -Authentication parameter because we are not using DCOM.

##########################################################################################
Repeat the test on a machine that is not a domain controller:
Windows 7 SP 1 with PowerShell v2

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201
Get-WmiObject : Access denied
At line:1 char:14
+ Get-WmiObject <<<<  -Namespace 'root\webadministration' -Class Site -ComputerName webr201
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201 -Authentication 6

__GENUS                    : 2
__CLASS                    : Site
__SUPERCLASS               : ConfiguredObject
__DYNASTY                  : Object
__RELPATH                  : Site.Name="Default Web Site"
__PROPERTY_COUNT           : 10
__DERIVATION               : {ConfiguredObject, Object}
__SERVER                   : WEBR201
__NAMESPACE                : root\webadministration
__PATH                     : \\WEBR201\root\webadministration:Site.Name="Default Web Site"
ApplicationDefaults        : System.Management.ManagementBaseObject
Bindings                   : {System.Management.ManagementBaseObject}
FtpServer                  : System.Management.ManagementBaseObject
Id                         : 1
Limits                     : System.Management.ManagementBaseObject
LogFile                    : System.Management.ManagementBaseObject
Name                       : Default Web Site
ServerAutoStart            : True
TraceFailedRequestsLogging : System.Management.ManagementBaseObject
VirtualDirectoryDefaults   : System.Management.ManagementBaseObject

Now WSMAN

PS> $uri = "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/*"
PS> $filter = "SELECT * FROM Site"
PS> Get-WSManInstance -ResourceURI $uri -Enumerate -Dialect WQL -Filter $filter -ComputerName webr201

xsi                        : http://www.w3.org/2001/XMLSchema-instance
p                          : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/Site
cim                        : http://schemas.dmtf.org/wbem/wscim/1/common
type                       : p:Site_Type
lang                       : en-US
ApplicationDefaults        : ApplicationDefaults
Bindings                   : Bindings
FtpServer                  : FtpServer
Id                         : 1
Limits                     : Limits
LogFile                    : LogFile
Name                       : Default Web Site
ServerAutoStart            : true
TraceFailedRequestsLogging : TraceFailedRequestsLogging
VirtualDirectoryDefaults   : VirtualDirectoryDefaults

#############################################################################################
Repeat on Windows 7 SP 1 running PowerShell v3 CTP 2

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201
Get-WmiObject : Access denied
At line:1 char:1
+ Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

PS> Get-WmiObject -Namespace 'root\webadministration' -Class Site -ComputerName webr201 -Authentication 6

__GENUS                    : 2
__CLASS                    : Site
__SUPERCLASS               : ConfiguredObject
__DYNASTY                  : Object
__RELPATH                  : Site.Name="Default Web Site"
__PROPERTY_COUNT           : 10
__DERIVATION               : {ConfiguredObject, Object}
__SERVER                   : WEBR201
__NAMESPACE                : root\webadministration
__PATH                     : \\WEBR201\root\webadministration:Site.Name="Default Web Site"
ApplicationDefaults        : System.Management.ManagementBaseObject
Bindings                   : {System.Management.ManagementBaseObject}
FtpServer                  : System.Management.ManagementBaseObject
Id                         : 1
Limits                     : System.Management.ManagementBaseObject
LogFile                    : System.Management.ManagementBaseObject
Name                       : Default Web Site
ServerAutoStart            : True
TraceFailedRequestsLogging : System.Management.ManagementBaseObject
VirtualDirectoryDefaults   : System.Management.ManagementBaseObject
PSComputerName             : WEBR201

Now repeat the WSMAN test
PS> $uri = "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/*"
PS> $filter = "SELECT * FROM Site"
PS> Get-WSManInstance -ResourceURI $uri -Enumerate -Dialect WQL -Filter $filter -ComputerName webr201

xsi                        : http://www.w3.org/2001/XMLSchema-instance
p                          : http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/Site
cim                        : http://schemas.dmtf.org/wbem/wscim/1/common
type                       : p:Site_Type
lang                       : en-US
ApplicationDefaults        : ApplicationDefaults
Bindings                   : Bindings
FtpServer                  : FtpServer
Id                         : 1
Limits                     : Limits
LogFile                    : LogFile
Name                       : Default Web Site
ServerAutoStart            : true
TraceFailedRequestsLogging : TraceFailedRequestsLogging
VirtualDirectoryDefaults   : VirtualDirectoryDefaults

#############################################################################################
Now we look at the CIM cmdlets. They use WSMAN by default as the remote access mechanism.
Windows 7 SP 1 with PowerShell v3 CTP 2

PS> Get-CimInstance -ClassName site -Namespace 'root/webadministration' -ComputerName Webr201
Get-CimInstance : The WS-Management service cannot process the request. A DMTF resource URI was used to access a
non-DMTF class. Try again using a non-DMTF resource URI.
At line:1 char:1
+ Get-CimInstance -ClassName site -Namespace 'root/webadministration' -ComputerNam …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Win7Test.Manticore.org:) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : 2150859065,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand

Now let's install PowerShell v3 CTP 2 on the remote machine and repeat. Remember that .NET 4 is required for PowerShell v3.

PS> Get-CimInstance -ClassName site -Namespace 'root/webadministration' -ComputerName Webr201

ApplicationDefaults        : ApplicationElementDefaults
Bindings                   : {BindingElement (Protocol = "http"), BindingElement (Protocol = "net.tcp"),
                             BindingElement (Protocol = "net.pipe"), BindingElement (Protocol = "net.msmq")…}
FtpServer                  : FtpServerSettings
Id                         : 1
Limits                     : SiteLimits
LogFile                    : SiteLogFile
Name                       : Default Web Site
ServerAutoStart            : true
TraceFailedRequestsLogging : TraceFailedRequestsLogging
VirtualDirectoryDefaults   : VirtualDirectoryElementDefaults

This now works because the WSMAN stacks on the local and remote machines are both running at version 3.0.

Conclusions
1. To access the root\webadministration classes locally via WMI cmdlets we use the default DCOM authentication
2. To access the root\webadministration classes remotely via WMI cmdlets we use Packet Privacy DCOM authentication (-Authentication 6) with PowerShell v2 or v3
3. To access the root\webadministration classes remotely via WSMAN cmdlets we don’t need an Authentication parameter with PowerShell v2 or PowerShell v3
4. To access the root\webadministration classes remotely via CIM cmdlets the local and remote machine need to be running PowerShell v3 and WSMAN 3.0
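
The four conclusions can be folded into one helper that picks the access path from what the remote machine supports. This is an added example, not code from the original post: Get-RemoteIisSite is a hypothetical name, and it assumes the Test-WSMan response reports the remote stack as "Stack: n.n" in its ProductVersion property.

```powershell
# Added example; Get-RemoteIisSite is a hypothetical helper name.
function Get-RemoteIisSite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName
    )

    # Test-WSMan sends an Identify request and reports the remote stack,
    # e.g. "OS: 0.0.0 SP: 0.0 Stack: 3.0" (format assumed here).
    $stack = $null
    try {
        $id = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        if ($id.ProductVersion -match 'Stack:\s*(\d+)') { $stack = [int]$Matches[1] }
    }
    catch {
        Write-Verbose "WSMAN not reachable on ${ComputerName}: $($_.Exception.Message)"
    }

    # Get-CimInstance only exists locally from PowerShell v3 onwards.
    $haveCim = [bool](Get-Command -Name Get-CimInstance -ErrorAction SilentlyContinue)

    if ($stack -ge 3 -and $haveCim) {
        # Conclusion 4: both ends on WSMAN 3.0, so the CIM cmdlets work.
        Write-Verbose 'Using Get-CimInstance over WSMAN'
        return Get-CimInstance -ClassName Site -Namespace 'root/webadministration' `
            -ComputerName $ComputerName
    }

    if ($stack) {
        # Conclusion 3: WSMAN cmdlets with the non-DMTF resource URI, no DCOM.
        Write-Verbose 'Using Get-WSManInstance'
        $uri = 'http://schemas.microsoft.com/wbem/wsman/1/wmi/root/webadministration/*'
        return Get-WSManInstance -ResourceURI $uri -Enumerate -Dialect WQL `
            -Filter 'SELECT * FROM Site' -ComputerName $ComputerName
    }

    # Conclusion 2: DCOM fallback. PacketPrivacy is the named form of 6,
    # which keeps the required encryption level visible in the script.
    Write-Verbose 'Using Get-WmiObject over DCOM with Packet Privacy'
    Get-WmiObject -Namespace 'root\webadministration' -Class Site `
        -ComputerName $ComputerName -Authentication PacketPrivacy
}
```

Run it with -Verbose to see which path was chosen for a given target, for example Get-RemoteIisSite -ComputerName webr201 -Verbose.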
