Connecting to a 3rd Computer-Delegation

Connecting to a 3rd Computer-Delegation

When you run a script on Computer A that obtains data from Computer B, WMI is supplying your credentials to the provider of the data on Computer B. This requires only an impersonation level of Impersonate because only one network hop is required. However, if the script connects to WMI on Computer B and attempts to open a log file on Computer C, then the script fails unless the impersonation level is Delegate. Delegate impersonation level is required by any operation that involves more than one network hop. For more information about DCOM security in WMI, see Setting Client Application Process Security. For more information about a one-network hop connection between two computers, see Connecting to WMI on a Remote Computer.

Source Computer A connects to Computer B, which requests data from Computer C

The following procedure describes how to connect a computer to other computers.

Aa389288.wedge(en-us,VS.85).gifTo connect a computer to other computers

  1. Enable delegation in Active Directory (Active Directory Users and Computers in Control Panel Administrative Tasks) on the domain controller. The account on Computer B must be marked as Trusted for delegation and the account on Computer A must not be marked as Account is sensitive and cannot be delegated. Computer A, Computer B, and the domain controller must be members of the same domain or in trusted domains.

    Note  Using delegation is a security risk because it gives processes outside of your direct control the ability to use your credentials.

  2. Set the impersonation level parameter to RPC_C_IMP_LEVEL_DELEGATE in the call to CoInitializeSecurity or CoSetProxyBlanket in C++. For more information about when to make these calls, see Initializing COM for a WMI Application. In scripting, set the impersonationLevel parameter to Delegate in the call to SWbemLocator.ConnectServer or Delegatein the moniker string. You can also set the impersonation in a SWbemSecurityobject.
  3. To pass the client identity to remote COM servers in C++, set cloaking in the call to CoSetProxyBlanket. For more information, see Cloaking.

The following code example shows a moniker string that sets the impersonation to Delegate. Be aware that the authority must be set to Kerberos.

set objWMIServices = Getobject("winmgmts: _
    {impersonationLevel=Delegate, _

The following code example shows how to set impersonation to Delegate (a value of 4) using SWbemLocator.ConnectServer.

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = objLocator.ConnectServer(Computer_B, _
    "root\cimv2", AdminAccount, MyPassword, _
objWMIService.Security_.ImpersonationLevel = 4

Related topics

Connecting Between Different Operating Systems
Securing a Remote WMI Connection
Connecting Through Windows Firewall
Creating Processes Remotely



© 2016 Microsoft