Connecting to a 3rd Computer-Delegation
When you run a script on Computer A that obtains data from Computer B, WMI is supplying your credentials to the provider of the data on Computer B. This requires only an impersonation level of Impersonate because only one network hop is required. However, if the script connects to WMI on Computer B and attempts to open a log file on Computer C, then the script fails unless the impersonation level is Delegate. Delegate impersonation level is required by any operation that involves more than one network hop. For more information about DCOM security in WMI, see Setting Client Application Process Security. For more information about a one-network hop connection between two computers, see Connecting to WMI on a Remote Computer.

The following procedure describes how to connect a computer to other computers.
To connect a computer to other computers
- Enable delegation in Active Directory (Active Directory Users and Computers in Control Panel Administrative Tasks) on the domain controller. The account on Computer B must be marked as Trusted for delegation and the account on Computer A must not be marked as Account is sensitive and cannot be delegated. Computer A, Computer B, and the domain controller must be members of the same domain or in trusted domains.
  Note: Using delegation is a security risk because it gives processes outside of your direct control the ability to use your credentials.
- Set the impersonation level parameter to RPC_C_IMP_LEVEL_DELEGATE in the call to CoInitializeSecurity or CoSetProxyBlanket in C++. For more information about when to make these calls, see Initializing COM for a WMI Application. In scripting, set the impersonationLevel parameter to Delegate in the call to SWbemLocator.ConnectServer, or specify Delegate in the moniker string. You can also set the impersonation in a SWbemSecurity object.
- To pass the client identity to remote COM servers in C++, set cloaking in the call to CoSetProxyBlanket. For more information, see Cloaking.
The following code example shows a moniker string that sets the impersonation to Delegate. Be aware that the authority must be set to Kerberos.
    ' Delegate impersonation with the Kerberos authority, set in the moniker string.
    Set objWMIServices = GetObject("winmgmts:" _
        & "{impersonationLevel=Delegate," _
        & "authority=kerberos:MyDomain\Computer_B}!\\ComputerB\root\cimv2")
The following code example shows how to set impersonation to Delegate (a value of 4) using SWbemLocator.ConnectServer.
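    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    ' ConnectServer argument order: server, namespace, user, password, locale, authority.
    ' The locale is passed as an empty string so the Kerberos string lands in the authority argument.
    Set objWMIService = objLocator.ConnectServer(Computer_B, _
        "root\cimv2", AdminAccount, MyPassword, _
        "", "kerberos:Domain\Computer_B")
    objWMIService.Security_.ImpersonationLevel = 4   ' 4 = Delegate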
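The Active Directory prerequisites in the first step of the procedure map to two userAccountControl bits, and the following added example (not part of the original topic) checks them and lists every account trusted for delegation so the exposure described in the Note can be reviewed. The function names and the sample records are assumptions constructed for illustration.

```powershell
# userAccountControl bits behind the two check boxes named in the procedure.
$TRUSTED_FOR_DELEGATION = 0x80000    # "Trusted for delegation"
$NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

function Test-DelegationPrereq {
    # Hypothetical helper: returns the reasons a Delegate-level connection
    # made by $Caller through $MiddleTier would fail (empty array = ready).
    param(
        [Parameter(Mandatory)] $Caller,      # account used on Computer A
        [Parameter(Mandatory)] $MiddleTier   # account of Computer B
    )
    $reasons = @()
    if (-not ($MiddleTier.userAccountControl -band $TRUSTED_FOR_DELEGATION)) {
        $reasons += "$($MiddleTier.Name) is not marked Trusted for delegation"
    }
    if ($Caller.userAccountControl -band $NOT_DELEGATED) {
        $reasons += "$($Caller.Name) is marked sensitive and cannot be delegated"
    }
    return ,$reasons
}

function Get-DelegationExposure {
    # Hypothetical helper: names of all accounts trusted for delegation.
    # Each of them can reuse the credentials of callers that connect to it.
    param([Parameter(Mandatory)] [object[]] $Accounts)
    $Accounts |
        Where-Object { $_.userAccountControl -band $TRUSTED_FOR_DELEGATION } |
        Select-Object -ExpandProperty Name
}

# Constructed sample records (not real directory data).
$accounts = @(
    [pscustomobject]@{ Name = 'AdminAccount';   userAccountControl = 0x200 },     # normal user
    [pscustomobject]@{ Name = 'Computer_B';     userAccountControl = 0x81000 },   # workstation + trusted
    [pscustomobject]@{ Name = 'SensitiveAdmin'; userAccountControl = 0x100200 },  # user + not delegated
    [pscustomobject]@{ Name = 'Computer_C';     userAccountControl = 0x1000 }     # workstation only
)

# Ready case: AdminAccount connecting through Computer_B.
Test-DelegationPrereq -Caller $accounts[0] -MiddleTier $accounts[1]
# Failing case: protected caller, middle tier not trusted.
Test-DelegationPrereq -Caller $accounts[2] -MiddleTier $accounts[3]
# Accounts to review because they are trusted for delegation.
Get-DelegationExposure -Accounts $accounts
```

Against a live domain, the same functions accept the objects returned by Get-ADUser or Get-ADComputer (ActiveDirectory module) when called with -Properties userAccountControl.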
Related topics
- Connecting Between Different Operating Systems
- Securing a Remote WMI Connection
- Connecting Through Windows Firewall
- Creating Processes Remotely
Build date: 11/19/2012