WMI remote install problem: the installation package cannot be accessed from the remote computer

Posted 2024-11-09 07:13:17


I want to install an MSI package on a remote computer.
The local and remote computers are both members of a domain called "adn.lan",
and the user/password I pass as parameters to the connection has full access to the remote machine.
When I set connection.Authority to "ntdlmdomain:adran.lan" the return parameter shows "Invalid parameter", and when I leave it null (commented out as shown below), connect() connects successfully, but when it tries to install the package the return parameter shows that the addressed package is inaccessible.

Here is the code I've tried with.

using System.Management;

ConnectionOptions connection = new ConnectionOptions();
// Authority syntax accepted by System.Management is "ntlmdomain:<domain>" or "kerberos:<domain>\<machine>"
//connection.Authority = "ntlmdomain:adn.lan"; // "kerberos:" + domain + @"\" + machine;
connection.Username = username;
connection.Password = password;
//connection.Impersonation = ImpersonationLevel.Identify;
connection.Authentication = AuthenticationLevel.Packet;

// Connect to the CIMv2 namespace on the target using the explicit credentials
ManagementScope scope = new ManagementScope("\\\\RemoteMachineName\\root\\CIMV2", connection);
scope.Connect();

// Bind to the Win32_Product class and build the parameters for its Install method
ManagementPath p = new ManagementPath("Win32_Product");
ManagementClass classInstance = new ManagementClass(scope, p, null);
ManagementBaseObject inParams = classInstance.GetMethodParameters("Install");

inParams["AllUsers"] = true;
inParams["Options"] = string.Empty;
// UNC path on a third machine: the target has to reach this share with the caller's identity
inParams["PackageLocation"] = "\\\\LocalMachineName\\Share\\Prescription.msi";

ManagementBaseObject outParams = classInstance.InvokeMethod("Install", inParams, null);

// Windows Installer return code as a string; "0" means success
string retVal = outParams["ReturnValue"].ToString();

When I set the connection.Impersonation to Identify the result would be "Access denied".

Comments (1)

爱你是孤单的心事 2024-11-16 07:13:17


If I understand your question and follow-up comment, you found that it would not work when the package path was on a different machine from the target machine (i.e. a UNC path, normally accessible from the target machine), but the installation works when you copy the package to the target machine and pass a local path on the target machine.

I believe the reason for the failure is the nature of DCOM impersonation levels.
Impersonate allows you to use the caller's credentials on the target machine, but not to connect from the target machine to another machine. Making that second hop with the same credentials requires the Delegate level. (The problem is that this has security risks, so all the guidance says "warning warning warning" and everything makes it hard by default.)
When you asked the target machine to access the installation package on a separate network location, that was a "second hop" which would require credentials, but Impersonate meant your credentials could only be used on the target machine, not passed from there to the remote file location.

TechNet has a nice summary of the impersonation levels, see Table 6.6 DCOM Impersonation Levels at the top of WMI Security Settings.

p.s. For fun, you might see if there's a way to do it without copying to the target machine. If you could find a way to expose the installation package file to the network in a way that allowed anonymous access, I wonder whether that second hop would be allowed, since only anonymous credentials would be needed? Not sure though. And there might be an awful lot of guessing and testing going on, if you're anything like me :)
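As an added example (this is neither the original poster's code nor the answerer's), here are the two ways out of the second-hop problem described in the question and the answer, written against the same System.Management API: stage the MSI on the target and install from a path that is local to the target (no second hop, so Impersonate is enough), or keep the MSI on a share and allow the hop with a Kerberos authority plus the Delegate level. The class name RemoteMsiInstall, the C$\Temp staging directory, and the assumption that the calling process can write to the target's admin share and that the target's computer account is trusted for delegation in AD are mine, not the page's; the 1619 return code is Windows Installer's ERROR_INSTALL_PACKAGE_OPEN_FAILED.

```csharp
// Added example, not the original poster's code. Two ways around the
// "package inaccessible" failure when the MSI lives on a third machine.
using System;
using System.IO;
using System.Management;

public static class RemoteMsiInstall
{
    // Option A (preferred): stage the MSI on the target, then install from a path
    // that is local *to the target*. The only authenticated hop is the WMI call
    // itself, so ImpersonationLevel.Impersonate is sufficient and no delegation
    // needs to be granted. Assumption: the process identity running this code can
    // write to the target's admin share (otherwise map it with explicit credentials first).
    public static uint InstallViaLocalCopy(string target, string username, string password, string localMsiPath)
    {
        string stagingShare = $@"\\{target}\C$\Temp";            // assumed staging location
        Directory.CreateDirectory(stagingShare);
        string fileName = Path.GetFileName(localMsiPath);
        File.Copy(localMsiPath, Path.Combine(stagingShare, fileName), overwrite: true);

        var options = new ConnectionOptions
        {
            Username = username,
            Password = password,
            Impersonation = ImpersonationLevel.Impersonate,
            // PacketPrivacy encrypts the DCOM traffic; Packet (used in the question) only signs it.
            Authentication = AuthenticationLevel.PacketPrivacy,
        };
        // PackageLocation is resolved on the target, so hand it the target-local path.
        return Install(target, options, $@"C:\Temp\{fileName}");
    }

    // Option B: leave the MSI on a share and let the target fetch it. That fetch is the
    // second hop the answer describes, so the caller's identity must be delegable:
    // a Kerberos authority (NTLM cannot be forwarded) plus ImpersonationLevel.Delegate,
    // and the target's computer account must be trusted for delegation in AD (assumption).
    // Delegate lets the target use your identity against any service it likes, which is
    // exactly the risk the guidance warns about; prefer Option A where you can.
    public static uint InstallViaDelegation(string target, string domain, string username, string password, string uncMsiPath)
    {
        var options = new ConnectionOptions
        {
            Username = username,
            Password = password,
            // "ntlmdomain:<domain>" would force NTLM and make the second hop impossible.
            Authority = $@"kerberos:{domain}\{target}",
            Impersonation = ImpersonationLevel.Delegate,
            Authentication = AuthenticationLevel.PacketPrivacy,
        };
        return Install(target, options, uncMsiPath);
    }

    // Shared Win32_Product.Install call; the difference between the two options is
    // only how the connection is set up and what PackageLocation points at.
    private static uint Install(string target, ConnectionOptions options, string packageLocation)
    {
        var scope = new ManagementScope($@"\\{target}\root\CIMV2", options);
        scope.Connect();

        using (var product = new ManagementClass(scope, new ManagementPath("Win32_Product"), null))
        using (ManagementBaseObject inParams = product.GetMethodParameters("Install"))
        {
            inParams["PackageLocation"] = packageLocation;
            inParams["Options"] = string.Empty;
            inParams["AllUsers"] = true;

            using (ManagementBaseObject outParams = product.InvokeMethod("Install", inParams, null))
            {
                // Windows Installer return code: 0 = success,
                // 1619 = ERROR_INSTALL_PACKAGE_OPEN_FAILED (the "inaccessible package" symptom).
                return (uint)outParams["ReturnValue"];
            }
        }
    }
}
```

Both methods return the Windows Installer code so the caller can distinguish a successful install (0) from the open-failure (1619) that the question reports; the Identify level from the question is deliberately not offered, since with Identify the provider cannot act as the caller at all and the install fails with "Access denied" before any file access is attempted.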
