Specifying the Server Principal Name

The Kerberos authentication service specifies the server principal name to ensure the identity of the computer to which it is connecting. Specify the server principal name in the call to the scripting method SWbemLocator.ConnectServer by giving the name of the remote computer. In C++, specify the server principal name in the pServerPrincName parameter when calling CoSetProxyBlanket for the proxy. For more information, see Connecting to WMI on a Remote Computer.

This parameter is required for Kerberos to support mutual authentication. However, using the default server principal name does not allow mutual authentication. Clients for which mutual authentication is critical, must specify a server principal name that matches the server identity that the WMI service is using. For more information about setting proxy security and a C++ example showing how to set the server principal name, see Setting the Security on IWbemServices and Other Proxies.

For more information about setting the server principal name in script and Visual Basic, see SWbemLocator.ConnectServer and Connecting to WMI on a Remote Computer.

Unlike most security protocols for Windows Management Instrumentation (WMI) and Component Object Model (COM), you cannot set the server principal in a call to CoInitializeSecurity. However, you can set the server principal with the bstrAuthority parameter for IWbemLocator::ConnectServer, or the pServerPrincName parameter for CoSetProxyBlanket.

The code example in this topic requires the following #include statement to correctly compile.


#include <wbemidl.h>

The following code example shows how to set the server principal name with ConnectServer.


IWbemServices* g_pNameSpace = NULL;

// Namespace to which to connect
BSTR  bstrNameSpace = 
SysAllocString( L"\\\\MyMachine\\root\default" );

// The bstrAuthority string contains the server
// principal name MyDomain\\MyMachine
// and the authentication service, which is Kerberos.
BSTR  bstrAuthority = 
SysAllocString( L"kerberos:MyDomain\\MyMachine"  );

HRESULT hr = NULL;
IWbemLocator* pWbemLocator = 0;

  hr = pWbemLocator->ConnectServer(
          bstrNameSpace,  // NameSpace name
          NULL,           // User name
          NULL,           // Password
          NULL,           // Locale
          0L,             // Security flags
          bstrAuthority,  // Authority, server principal name
          NULL,           // WBEM context
          &g_pNameSpace   // Namespace
          );

  // Free memory resources.
  g_pNameSpace->Release();
  SysFreeString(bstrNameSpace);
  SysFreeString(bstrAuthority);

Related topics

Setting the Authentication Service Using VBScript
Setting Authentication Using C++
Setting the Security on IWbemServices and Other Proxies

 

 

Show: