Discussion:
WMI Security Specific Error
(too old to reply)
c***@gmail.com
2007-08-02 20:10:23 UTC
Permalink
Hello everyone, I've been looking around, and the most common cause of
this error seems to be the use of kerberos, but I'm using it through
the auth parameter and so I don't know!

Here's the scenario:
We have multiple computers on a domain. I'm sitting at one, and I'd
like to trigger a remote install of an MSI file on the domain server.
I enabled my account (the one I'm using to call the procedure) as
trusted for delegation on the domain server, and it's part of the
domain administrators group.

If I run the command:
wmic /node:<computer> /trace:on os

I have success. (running context indicated PKTPRIVACY is selected)


If I run the command:
wmic /node:<computer> /implevel:delegate /authority:"kerberos:<domain>
\<computer>" /trace:on os

I get this as part of the relevant output:
SUCCESS: IWbemLocator::ConnectServer(L"root\cli", NULL, NULL,
L"ms_409", 0L, L"kerberos:<domain>\<computer>", NULL, -)
Line: 145 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp

<snip for brevity>

SUCCESS: CoSetProxyBlanket(-, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE,
NULL, 6, 4, -, EOAC_NONE)
Line: 2540 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp

<snip again>

FAIL: IWbemServices::ExecQuery(L"WQL", L"SELECT * FROM
Win32_OperatingSystem", 0, NULL, -)
Line: 319 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\execengine.cpp

Node - w105e3
ERROR:
Code = 0x80070721
Description = A security package specific error occurred.
Facility = Win32
<snip stuff creating a DOM>



So, from what you can see, is it still trying to us NTLM? If so, how
do I stop that? I thought giving it the /authority parameter would
make it use keberos
c***@gmail.com
2007-08-02 21:04:47 UTC
Permalink
Post by c***@gmail.com
Hello everyone, I've been looking around, and the most common cause of
this error seems to be the use of kerberos, but I'm using it through
the auth parameter and so I don't know!
We have multiple computers on a domain. I'm sitting at one, and I'd
like to trigger a remote install of an MSI file on the domain server.
I enabled my account (the one I'm using to call the procedure) as
trusted for delegation on the domain server, and it's part of the
domain administrators group.
wmic /node:<computer> /trace:on os
I have success. (running context indicated PKTPRIVACY is selected)
wmic /node:<computer> /implevel:delegate /authority:"kerberos:<domain>
\<computer>" /trace:on os
SUCCESS: IWbemLocator::ConnectServer(L"root\cli", NULL, NULL,
L"ms_409", 0L, L"kerberos:<domain>\<computer>", NULL, -)
Line: 145 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
<snip for brevity>
SUCCESS: CoSetProxyBlanket(-, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE,
NULL, 6, 4, -, EOAC_NONE)
Line: 2540 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
<snip again>
FAIL: IWbemServices::ExecQuery(L"WQL", L"SELECT * FROM
Win32_OperatingSystem", 0, NULL, -)
Line: 319 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\execengine.cpp
Node - w105e3
Code = 0x80070721
Description = A security package specific error occurred.
Facility = Win32
<snip stuff creating a DOM>
So, from what you can see, is it still trying to us NTLM? If so, how
do I stop that? I thought giving it the /authority parameter would
make it use keberos
I would like to add, that I missed a line in my snip of the Log:

SUCCESS: CoSetProxyBlanket(-,
RPC_C_AUTHN_GSS_KERBEROS,RPC_C_AUTHZ_NONE, <computer>, 6, 4, -,
EOAC_NONE)
Line: 2644 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\execengine.cpp

SUCCESS: CoCreateInstanceEx(CLSID_WbemContext,
NULL,CLSCTX_INPROC_SERVER, 0, 1,
-) Line: 2742 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic
\execengine.cpp

FAIL: IWbemServices::ExecQuery(L"WQL", L"SELECT * FROM
Win32_OperatingSystem", 0
, NULL, -) Line: 319 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic
\execengine.cpp

Node - <computer>
ERROR:
Code = 0x80070721
Description = A security package specific error occurred.
Facility = Win32
c***@gmail.com
2007-08-02 22:48:41 UTC
Permalink
Post by c***@gmail.com
Post by c***@gmail.com
Hello everyone, I've been looking around, and the most common cause of
this error seems to be the use of kerberos, but I'm using it through
the auth parameter and so I don't know!
We have multiple computers on a domain. I'm sitting at one, and I'd
like to trigger a remote install of an MSI file on the domain server.
I enabled my account (the one I'm using to call the procedure) as
trusted for delegation on the domain server, and it's part of the
domain administrators group.
wmic /node:<computer> /trace:on os
I have success. (running context indicated PKTPRIVACY is selected)
wmic /node:<computer> /implevel:delegate /authority:"kerberos:<domain>
\<computer>" /trace:on os
SUCCESS: IWbemLocator::ConnectServer(L"root\cli", NULL, NULL,
L"ms_409", 0L, L"kerberos:<domain>\<computer>", NULL, -)
Line: 145 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
<snip for brevity>
SUCCESS: CoSetProxyBlanket(-, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE,
NULL, 6, 4, -, EOAC_NONE)
Line: 2540 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
<snip again>
FAIL: IWbemServices::ExecQuery(L"WQL", L"SELECT * FROM
Win32_OperatingSystem", 0, NULL, -)
Line: 319 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\execengine.cpp
Node - w105e3
Code = 0x80070721
Description = A security package specific error occurred.
Facility = Win32
<snip stuff creating a DOM>
So, from what you can see, is it still trying to us NTLM? If so, how
do I stop that? I thought giving it the /authority parameter would
make it use keberos
SUCCESS: CoSetProxyBlanket(-,
RPC_C_AUTHN_GSS_KERBEROS,RPC_C_AUTHZ_NONE, <computer>, 6, 4, -,
EOAC_NONE)
Line: 2644 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic\execengine.cpp
SUCCESS: CoCreateInstanceEx(CLSID_WbemContext,
NULL,CLSCTX_INPROC_SERVER, 0, 1,
-) Line: 2742 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic
\execengine.cpp
FAIL: IWbemServices::ExecQuery(L"WQL", L"SELECT * FROM
Win32_OperatingSystem", 0
, NULL, -) Line: 319 File: d:\xpsprtm\admin\wmi\wbem\tools\wmic
\execengine.cpp
Node - <computer>
Code = 0x80070721
Description = A security package specific error occurred.
Facility = Win32
I have done more investigation, and have found events like this in the
security logs:
Successful Network Logon:
User Name: <computer>$
Domain: SEDER
Logon ID: (0x0,0x299106F4)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {007696c7-f0a5-8064-6864-da9cc5ce2a31}

They are mainly log on, log off type messages, using my username and
indicating it successfully received elevated priviledges.

And these events are in the system log:
The Security System could not establish a secured connection with the
server ldap/<full domain name of the server>/<domain name>@<domain
name>. No authentication protocol was available.

I hope this helps!
S***@gmail.com
2007-08-15 16:17:18 UTC
Permalink
OK, it's nice. I'm trying to remote install too, from UNC path, but
it's impossible set CoSetProxyBlanket correctly.
My code is here:
hres = pLoc->ConnectServer( _bstr_t(server), NULL, NULL, 0,
NULL, _bstr_t("Kerberos:virtual.local\\Kompl"), 0, &pSvc);
hres = CoSetProxyBlanket(
pSvc,
RPC_C_AUTHN_GSS_KERBEROS, // RPC_C_AUTHN_xxx
RPC_C_AUTHZ_NONE, // RPC_C_AUTHZ_xxx
L"virtual.local\\KOMPL", // Server
principal name
RPC_C_AUTHN_LEVEL_PKT_PRIVACY,// RPC_C_AUTHN_LEVEL_xxx
RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx
//RPC_C_IMP_LEVEL_DELEGATE,
NULL, //
client identity
EOAC_NONE // proxy
capabilities
);
This settings (RPC_C_IMP_LEVEL_IMPERSONATE) doesn't allow install from
network (error 1619)
and this one (RPC_C_IMP_LEVEL_DELEGATE) ends with error at first
GetObject (ClassName is "Install")
hres = pSvc->GetObject(ClassName, 0, NULL, &pClass, NULL);
(hres ---> security specific error occurred)

Please help me (i'm thinking about suicide:))

Continue reading on narkive:
Loading...