WMI MicrosoftDNS Query Access Denied Error

  • Question

  • I'm trying to add DNS entries via WMI. The DNS entries are created inside a webservice call process hosted in IIS (running as a specified app pool account), and changing DNS entries on the local machine.

    Here's the code that's failing:

    ConnectionOptions co = new ConnectionOptions();
    co.Impersonation = ImpersonationLevel.Impersonate;
    _scope = new ManagementScope(@"\\.\root\MicrosoftDNS", co);
    _scope.Connect();  
    string query = String.Format("SELECT * FROM MicrosoftDNS_ResourceRecord WHERE DomainName='{0}'", domain);
    ManagementObjectSearcher searcher = new ManagementObjectSearcher(_scope, new ObjectQuery(query));
     
    ManagementObjectCollection collection = searcher.Get();
    Console.WriteLine(domain);
    List<DNSRecord> records = new List<DNSRecord>();
    foreach (ManagementObject p in collection) //Fails HERE

    This is the error I'm getting:

    Generic failure 

     at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)

    <INSTANCE CLASSNAME="__ExtendedStatus">
    <QUALIFIER NAME="abstract" PROPAGATED="true" TYPE="boolean" OVERRIDABLE="false" TOINSTANCE="true">
    <VALUE>TRUE</VALUE>
    </QUALIFIER>
    <PROPERTY NAME="__PATH" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    <PROPERTY NAME="__NAMESPACE" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    <PROPERTY NAME="__SERVER" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    <PROPERTY.ARRAY NAME="__DERIVATION" CLASSORIGIN="___SYSTEM" TYPE="string">
    <VALUE.ARRAY>
    <VALUE>__NotifyStatus</VALUE>
    </VALUE.ARRAY>
    </PROPERTY.ARRAY>
    <PROPERTY NAME="__PROPERTY_COUNT" CLASSORIGIN="___SYSTEM" TYPE="sint32">
    <VALUE>5</VALUE>
    </PROPERTY>
    <PROPERTY NAME="__RELPATH" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    <PROPERTY NAME="__DYNASTY" CLASSORIGIN="___SYSTEM" TYPE="string">
    <VALUE>__NotifyStatus</VALUE>
    </PROPERTY>
    <PROPERTY NAME="__SUPERCLASS" CLASSORIGIN="___SYSTEM" TYPE="string">
    <VALUE>__NotifyStatus</VALUE>
    </PROPERTY>
    <PROPERTY NAME="__CLASS" CLASSORIGIN="___SYSTEM" TYPE="string">
    <VALUE>__ExtendedStatus</VALUE>
    </PROPERTY>
    <PROPERTY NAME="__GENUS" CLASSORIGIN="___SYSTEM" TYPE="sint32">
    <VALUE>2</VALUE>
    </PROPERTY>
    <PROPERTY NAME="Description" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>string</VALUE>
    </QUALIFIER>
    <VALUE>ERROR_ACCESS_DENIED</VALUE>
    </PROPERTY>
    <PROPERTY NAME="Operation" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>string</VALUE>
    </QUALIFIER>
    <VALUE>ExecQuery</VALUE>
    </PROPERTY>
    <PROPERTY NAME="ParameterInfo" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>string</VALUE>
    </QUALIFIER>
    <VALUE>SELECT * FROM MicrosoftDNS_ResourceRecord WHERE DomainName='paretoplatform.com'</VALUE>
    </PROPERTY>
    <PROPERTY NAME="ProviderName" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>string</VALUE>
    </QUALIFIER>
    <VALUE>WinMgmt</VALUE>
    </PROPERTY>
    <PROPERTY NAME="StatusCode" CLASSORIGIN="__NotifyStatus" PROPAGATED="true" TYPE="uint32">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>uint32</VALUE>
    </QUALIFIER>
    </PROPERTY>
    </INSTANCE>

    I've tried in WMI security settings -> MicrosoftDNS that BOTH the app pool user and the executing user have all permissions as well as both administrators on the machine.

    I get the same error if I run the code as a standalone app as the application pool identity. If I run in an elevated context, everything works great. 

    Note: This exact same code works fine on another DNS server (the domain controller actually), and as far as I can tell I've set up the permissions exactly the same in both places.

    Any suggestions?

    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

    Tuesday, May 8, 2012 2:42 PM

Answers

  • The issue is that you cannot do this from a web service unless the DNS server is on the same machine and the service is impersonating the user and the user is an admin on the DNS service (DNS Admins).  Setting this up is a bit tricky if you have never done it before.

    The code you have posted is not an admin script. It appears to be C#.  This is a scripting forum and, as such, is not equipped to handle your issues.

    Please take this to the IIS Developers forum as they will be more helpful.

    http://forums.iis.net/

    http://forums.asp.net/


    ¯\_(ツ)_/¯

    • Marked as answer by Bill_Stewart Tuesday, May 8, 2012 3:39 PM
    Tuesday, May 8, 2012 3:30 PM

All replies

  • I get the same error when it's scripted in VB.

    The DNS server is on the same machine and the service. The commands are being executed under one of two users (I can't seem to figure out which one specifically). 

    WindowsIdentity: PARETOPLATFORM\CRM5APPSERVICE
    Thread Principal: PARETOPLATFORM\pcristini

    The machine's Administrator's group:

    DCOM User's group:

    WMI > MicrosoftDNS > Security (both users have everything but the Read/Edit Security)

    Component Services > Windows Management Instrumentation > Security > Access Permissions > Customize 

    As far as I can tell these are all the permissions required.


    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

    Tuesday, May 8, 2012 3:47 PM
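
Added example (not part of the original thread and not the poster's code): the post above lists two identities, and Windows access checks, including the one WMI performs when `ImpersonationLevel.Impersonate` is set, evaluate the OS token returned by `WindowsIdentity.GetCurrent()`, not the managed `Thread.CurrentPrincipal`. This C# helper reports that token and whether the Administrators group and a DNS admin group are enabled in it; the class name `WmiCallerIdentity` and the group name `EXAMPLE\DnsAdmins` are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example; the class name and the group name below are assumptions.
static class WmiCallerIdentity
{
    // Placeholder: replace with the DNS admin group of your own domain.
    const string DnsAdminGroup = @"EXAMPLE\DnsAdmins";

    // Reports the OS token that Windows access checks (WMI included) evaluate.
    public static string Describe(string dnsAdminGroup)
    {
        // Thread token when the thread is impersonating, otherwise the process token.
        using (WindowsIdentity token = WindowsIdentity.GetCurrent())
        {
            WindowsPrincipal os = new WindowsPrincipal(token);

            // Managed principal only; Windows does not consult it for access checks.
            IPrincipal managed = Thread.CurrentPrincipal;
            string managedName = (managed != null && managed.Identity != null)
                ? managed.Identity.Name : "(none)";

            // IsInRole is false for a group that is present but not enabled,
            // for example Administrators in a UAC-filtered (non-elevated) token.
            bool admin = os.IsInRole(WindowsBuiltInRole.Administrator);
            // Also false if the group name cannot be resolved to a SID.
            bool dnsAdmin = os.IsInRole(dnsAdminGroup);

            return string.Join(Environment.NewLine, new string[] {
                "OS token identity        : " + token.Name,
                "Impersonation level      : " + token.ImpersonationLevel,
                "Thread.CurrentPrincipal  : " + managedName,
                "Administrators enabled   : " + admin,
                dnsAdminGroup + " enabled : " + dnsAdmin
            });
        }
    }

    static void Main()
    {
        Console.WriteLine(Describe(DnsAdminGroup));
    }
}
```

Call `Describe` from inside the web service method and log the result, so the output reflects the request thread's token rather than a console session.
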
  • Hi,

    Since you have a permissions problem of some type, that's a permissions question rather than a scripting question. Sorry that your problem is outside the specific scope of this forum.

    Bill

    Tuesday, May 8, 2012 3:52 PM
  • The issue is that you cannot do what you are trying to do from a web server without changing the way the web server operates. 

    I posted the links to the IIS and ASP.NET forums where you will get the information you are looking for. 

    This is NOT a scripting issue.

    The issue is not with DCOM but with how an IIS server has to delegate the request.  The app pool and the web site must be set up correctly to make this work safely.  Once set up, then any scripting or compiled language will work.


    ¯\_(ツ)_/¯

    Tuesday, May 8, 2012 3:58 PM