none
ConnectionOptions remote WMI login failures

    Question

  •  

    I wrote a C# program to run remote WMI queries on servers for monitoring purposes.  The script supplies login credentials to the remote server, it's working well and I'm able to get data from the queries.  However, when I run the program it is creating several audit failure events on the remote server.  The failed login requests are not the credentials from the script, instead they are from the local machine name and account that the script is running on, which isn't what I want.  The remote servers  are Server 2008 machines, and are joined to a domain.  The program supplies domain\username, and the password.

    I haven't had any luck researching this on the net, I'm not sure if it's something that needs to be changed in my program, or settings on the remote servers?

     

    Here is the part of the script that deals with the remote connection, I have tried using many different authentication and impersonation options.

     

     public void MakeConnection()
     {
      oConn = new ConnectionOptions();
      oConn.Username = Parser.GetUserName();
      oConn.Password = Parser.GetPassWord();
      oConn.Authentication = AuthenticationLevel.Call;
      oConn.Impersonation = ImpersonationLevel.Impersonate;  
    
     }
    
     public void DoCheck()
     {
      ObjectQuery oQuery = new ObjectQuery("SELECT Name, " + Parser.GetAttrib() + " FROM " + Parser.GetClass() + " WHERE Name = \'" + Parser.GetName() + "\'");
      ManagementObjectSearcher query = new ManagementObjectSearcher(oMs, oQuery);
    }
    

    Edit:  The Audit failures are Event ID: 4625 and Event ID: 4776

     

    Thanks,

    Daniel

    Wednesday, May 05, 2010 11:32 PM

Answers

  • Hi Daniel,

    What you can do here is use powershell. It will help you a lot. The remoting feature is really awesome.You can have a script block which you can invoke on remote machines simultaneously all with one credential provided this credential is an admin on all your LAN machine.

    here is an example.

    $computers = @("machine1","machine2")
    [ScriptBlock] $script = {

                $processor=gwmi win32_processor -ComputerName $MachineName
                $os=gwmi win32_operatingsystem -ComputerName $MachineName
                $mem=gwmi win32_computersystem -ComputerName $MachineName
               
                foreach($p in $rocessor)
                {
                    $p.Name
                }
                $os.Caption
                $mem.TotalPhysicalMemory
    }
    $cred = Get-Credential
    $sessions = $computers | New-PSSession -Credential $cred
    Invoke-Command -ScriptBlock $script -Session $sessions
    $sessions | Remove-PSSession

    The code is not tested. The best part is the script block gets executed simultaneously on each machine rather than serially in C#.

    I hope this was helpful.

    Thursday, May 27, 2010 11:12 AM
  • Thanks for your answer.  I actually found a solution that fixed the my C# app so I'm using it for now.  I'll keep your powershell solution in mind.

    To anyone who has the same issue with .net, I found that there is an issue with WMI and the System.Management namespace in .net framwork 2.0: http://support.microsoft.com/kb/967622/en-us?p=1#appliesto

    I rebuilt the C# .exe targeting .net framework 4.0, and installed .net 4.0 framework on the monitoring server that runs the queries on the remote servers. 

     

    Running a remote wmi query using the new .net 4.0 exe works and does not create any failure audit events on the remote servers.

    Running the same remote wmi query using the old .net 2.0 exe works but creates several failure audit events on the remote servers.

    Saturday, May 29, 2010 7:32 PM

All replies

  • Hi Daniel,

    What you can do here is use powershell. It will help you a lot. The remoting feature is really awesome.You can have a script block which you can invoke on remote machines simultaneously all with one credential provided this credential is an admin on all your LAN machine.

    here is an example.

    $computers = @("machine1","machine2")
    [ScriptBlock] $script = {

                $processor=gwmi win32_processor -ComputerName $MachineName
                $os=gwmi win32_operatingsystem -ComputerName $MachineName
                $mem=gwmi win32_computersystem -ComputerName $MachineName
               
                foreach($p in $rocessor)
                {
                    $p.Name
                }
                $os.Caption
                $mem.TotalPhysicalMemory
    }
    $cred = Get-Credential
    $sessions = $computers | New-PSSession -Credential $cred
    Invoke-Command -ScriptBlock $script -Session $sessions
    $sessions | Remove-PSSession

    The code is not tested. The best part is the script block gets executed simultaneously on each machine rather than serially in C#.

    I hope this was helpful.

    Thursday, May 27, 2010 11:12 AM
  • Thanks for your answer.  I actually found a solution that fixed the my C# app so I'm using it for now.  I'll keep your powershell solution in mind.

    To anyone who has the same issue with .net, I found that there is an issue with WMI and the System.Management namespace in .net framwork 2.0: http://support.microsoft.com/kb/967622/en-us?p=1#appliesto

    I rebuilt the C# .exe targeting .net framework 4.0, and installed .net 4.0 framework on the monitoring server that runs the queries on the remote servers. 

     

    Running a remote wmi query using the new .net 4.0 exe works and does not create any failure audit events on the remote servers.

    Running the same remote wmi query using the old .net 2.0 exe works but creates several failure audit events on the remote servers.

    Saturday, May 29, 2010 7:32 PM