Access Denied Error when adding DNS entry via WMI

  • Question

  • I'm trying to add DNS entries via WMI, and it works on 2 servers (one is a DC and the other is a standalone DNS server). We're moving the DNS server off the currently standalone server to a server which also hosts IIS.  The DNS entries are added/changed/deleted via a webservice call (therefore executed as the app pool user). 

    This is the error I'm getting

    Generic failure 

     at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)

    <INSTANCE CLASSNAME="__ExtendedStatus">
    	<QUALIFIER NAME="abstract" PROPAGATED="true" TYPE="boolean" OVERRIDABLE="false" TOINSTANCE="true">
    		<VALUE>TRUE</VALUE>
    	</QUALIFIER>
    	<PROPERTY NAME="__PATH" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    	<PROPERTY NAME="__NAMESPACE" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    	<PROPERTY NAME="__SERVER" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    	<PROPERTY.ARRAY NAME="__DERIVATION" CLASSORIGIN="___SYSTEM" TYPE="string">
    		<VALUE.ARRAY>
    			<VALUE>__NotifyStatus</VALUE>
    		</VALUE.ARRAY>
    	</PROPERTY.ARRAY>
    	<PROPERTY NAME="__PROPERTY_COUNT" CLASSORIGIN="___SYSTEM" TYPE="sint32">
    		<VALUE>5</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="__RELPATH" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    	<PROPERTY NAME="__DYNASTY" CLASSORIGIN="___SYSTEM" TYPE="string">
    		<VALUE>__NotifyStatus</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="__SUPERCLASS" CLASSORIGIN="___SYSTEM" TYPE="string">
    		<VALUE>__NotifyStatus</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="__CLASS" CLASSORIGIN="___SYSTEM" TYPE="string">
    		<VALUE>__ExtendedStatus</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="__GENUS" CLASSORIGIN="___SYSTEM" TYPE="sint32">
    		<VALUE>2</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="Description" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    		<QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    			<VALUE>string</VALUE>
    		</QUALIFIER>
    		<VALUE>ERROR_ACCESS_DENIED</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="Operation" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    		<QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    			<VALUE>string</VALUE>
    		</QUALIFIER>
    		<VALUE>ExecQuery</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="ParameterInfo" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    		<QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    			<VALUE>string</VALUE>
    		</QUALIFIER>
    		<VALUE>SELECT * FROM MicrosoftDNS_ResourceRecord WHERE DomainName='paretoplatform.com'</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="ProviderName" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    		<QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    			<VALUE>string</VALUE>
    		</QUALIFIER>
    		<VALUE>WinMgmt</VALUE>
    	</PROPERTY>
    	<PROPERTY NAME="StatusCode" CLASSORIGIN="__NotifyStatus" PROPAGATED="true" TYPE="uint32">
    		<QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    			<VALUE>uint32</VALUE>
    		</QUALIFIER>
    	</PROPERTY>
    </INSTANCE>

    I've tried in WMI security settings -> MicrosoftDNS that BOTH the app pool user and the executing user have all permissions as well as both administrators on the machine.

    Am I missing something?


    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here


    Monday, April 2, 2012 6:18 PM

All replies

  • Hi Paulo,

    Please ask it on WMI forum.

    Have a nice day.


    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Wednesday, April 4, 2012 8:26 AM
  • Hi Paulo,

    Please ask it on WMI forum.

    Have a nice day.

    Can you point me to where the wmi forum is? I do not see it in the list of forums and doing a search for wmi queries returns posts mostly in this forum.

    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

    Wednesday, April 4, 2012 4:17 PM
  • Hi Paulo,

    Try this forum first: http://social.microsoft.com/Forums/sv/whatforum 

    Have a nice day.


    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Thursday, April 5, 2012 5:31 AM
  • They just referred me back to my own post.

    The part that is bothering me about this issue is the exact same stuff works fine against other machines. The only difference I can see is that the executing user is an asp apppool (which also has all the necessary privileges).


    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

    Thursday, April 12, 2012 4:05 PM
  • Hi Paulo,

    So keep the proper user executing the code.

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa394603(v=vs.85).aspx

    0x80070005 – E_ACCESS_DENIED
    Access denied by DCOM security.
    The user does not have remote access to the computer through DCOM. Typically, DCOM errors occur when connecting to a remote computer with a different operating system version. Give the user Remote Launch and Remote Activation permissions in dcomcnfg. Right-click My Computer -> Properties. Under COM Security, click "Edit Limits" for both sections. Give the user you want remote access, remote launch, and remote activation. Then go to DCOM Config, find "Windows Management Instrumentation", and give the user you want Remote Launch and Remote Activation. For more information, see Connecting Between Different Operating Systems.

    0x80041003 – WMI Access Denied
    Access denied by a provider
    The user does not have permission to perform the operation in WMI. This could happen when you query certain classes as a low-rights user, but most often happens when you attempt to invoke methods or change WMI instances as a low-rights user. The namespace you are connecting to is encrypted, and the user is attempting to connect with an unencrypted connection. Give the user access with the WMI Control (make sure they have Remote_Access set to true). Connect using a client that supports encryption.

    Have a nice day.


    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Friday, April 13, 2012 2:52 AM
  • 0x80041003 – WMI Access Denied

    Access denied by a provider
    The user does not have permission to perform the operation in WMI. This could happen when you query certain classes as a low-rights user, but most often happens when you attempt to invoke methods or change WMI instances as a low-rights user. The namespace you are connecting to is encrypted, and the user is attempting to connect with an unencrypted connection. Give the user access with the WMI Control (make sure they have Remote_Access set to true). Connect using a client that supports encryption.

     Thanks for the link, Ghost, I hadn't come across that in my searches. The above error is the one I'm getting when running in a non-elevated context. However, I don't know of any way of running (also it's not really secure) the IIS app pool in an elevated context... Any suggestions?


    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

    Friday, April 13, 2012 5:14 PM
  • Hi Paulo,

    If it is not secure issue. It should be "with an unencrypted connection". http://msdn.microsoft.com/en-us/library/windows/desktop/aa393266(v=vs.85).aspx

    Have a nice day.


    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Monday, April 16, 2012 2:30 AM

  • If it is not secure issue. It should be "with an unencrypted connection". http://msdn.microsoft.com/en-us/library/windows/desktop/aa393266(v=vs.85).aspx

     Sorry, I wasn't very clear in my response. What I was saying is not secure is running the app pool process in an elevated context. Also, that link you sent is for calling WMI remotely. This is a call on the local machine.


    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

    Monday, April 16, 2012 1:22 PM
  • Hi Paulo,

    But you have mentioned you work with two servers all the time...

    Have a nice day.


    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Tuesday, April 17, 2012 6:14 AM
  • Again, I'm sorry I didn't make that as clear as I should have. 

    Current situation:

    WMI Call to local machine from IIS as the apppool user results in a ManagementException: Generic Failure with information quoted in the first post (ERROR_ACCESS_DENIED)

    Other Information:

    • Works fine calling from the IIS box to the DC to update the DNS names (remote call, same permissions setup)
    • Making the same query from an administrator context works, however not as normal user context

    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

    Tuesday, April 17, 2012 2:34 PM
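
    The two things reported in this thread, the rights granted on the MicrosoftDNS namespace in WMI Control and the query succeeding only from an administrator context, can be checked side by side. The script below is an added example, not code from any participant; it assumes Windows PowerShell 3.0 or later (for Get-WmiObject and [pscustomobject]) on the machine hosting the DNS WMI provider, and the zone name is a placeholder.

```powershell
# Added diagnostic, not code from the thread. Run it twice on the IIS/DNS box:
# once elevated, once as the app pool identity, then compare the output.
$Namespace = 'root\MicrosoftDNS'
$Zone      = 'example.test'   # placeholder zone name, substitute your own

# WMI namespace access-mask bits (the checkboxes in WMI Control > Security).
$WmiRights = @{
    0x1     = 'EnableAccount'
    0x2     = 'ExecuteMethods'
    0x4     = 'FullWrite'
    0x8     = 'PartialWrite'
    0x10    = 'ProviderWrite'
    0x20    = 'RemoteEnable'
    0x20000 = 'ReadSecurity'
    0x40000 = 'EditSecurity'
}

function ConvertTo-WmiRightNames([uint32]$Mask) {
    $names = foreach ($bit in ($WmiRights.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $WmiRights[$bit] }
    }
    $names -join ','
}

# 1. Who is the caller, and is the Administrators group enabled in its token?
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
'Running as {0}; Administrators enabled in token: {1}' -f $id.Name, $principal.IsInRole($adminRole)

# 2. What does the namespace ACL grant, and to whom?
try {
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
            -Name GetSecurityDescriptor -ErrorAction Stop).Descriptor
    $sd.DACL | ForEach-Object {
        [pscustomobject]@{
            Trustee = '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name
            Type    = if ($_.AceType -eq 1) { 'Deny' } else { 'Allow' }
            Rights  = ConvertTo-WmiRightNames $_.AccessMask
        }
    } | Format-Table -AutoSize
} catch { "Reading the namespace ACL failed: $($_.Exception.Message)" }

# 3. Does the query from the first post succeed under this identity?
try {
    $q = "SELECT * FROM MicrosoftDNS_ResourceRecord WHERE DomainName='$Zone'"
    'Query OK, {0} record(s)' -f @(Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction Stop).Count
} catch { "Query failed: $($_.Exception.Message)" }
```

    If step 2 lists the app pool identity with the expected rights but step 3 still fails for it, the denial is coming from somewhere other than the namespace ACL.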
  • Hi paulo,

    Because of the exception message, my only suggestion is the documentation I have posted, and no more. I am sorry I cannot help you to resolve this issue.

    I hope some other one can jump into this thread.

    Have a nice day.


    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Wednesday, April 18, 2012 6:08 AM
  • Maybe this thread is too old for other members to jump in; you may try to post a new one.

    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Wednesday, April 18, 2012 6:09 AM