Security – WMI Impersonation levels within vbscript / ASP code

Tags: asp, iis, security, web, wmi

I have an IIS 7.5 web site running "classic" ASP code (not ASP.NET) where the site is running under the normal service context, and only "Windows Authentication" is enabled. Users can navigate the site without any problem, regardless of having implicit admin rights on the IIS host or not (most do not). However, when I try to execute a common Win32_PingStatus request within the ASP code, it fails unless the user has admin rights on the IIS host. Here's my code…

On Error Resume Next
asset = "Computer123"

pingtest = False
query = "Select StatusCode, Address FROM Win32_PingStatus " & _
  "WHERE Address=" & Chr(34) & asset & Chr(34)
Set colPingStatus = GetObject("winmgmts:" & _
  "{impersonationLevel=impersonate}//./root/cimv2").ExecQuery(query)
If err.Number <> 0 Then
  Response.Write "Access Denied (error: " & err.Number & " / " & err.Description & ")"
  Response.End
End If

For Each objItem In colPingStatus
  If objItem.StatusCode = 0 Then
    pingtest = True
  End If
Next

If pingtest = False Then
  Response.Write asset & " is OFFLINE"
Else
  Response.Write asset & " is ONLINE"
End If

I've been trying to get my head around SWBEM and WMI impersonation capabilities, but I'm still confused as to whether it's even possible (supported or unsupported) to do this regardless of the user/browser session context. Every user is a Domain account, no anonymous users are able to access the site, so it seems (and I could be wrong) to be related to their group memberships and permissions on the IIS host.

Best Answer

First is the trust level of your web site in IIS. Go into IIS and make sure it's set to full so your site can access internal server resources.

Next would be to double-check that the users accessing the site are actually being authenticated and not running the code anonymously. Just to be sure, check that anonymous authentication is disabled in IIS and your site is forcing users to authenticate (disable NTLM automatic logon in your browser or write a user identification piece into your app to be doubly sure authentication is occurring).

Next would be to check WMI permissions for the type of users who are accessing your site. You can use wmimgmt.msc to open up the WMI security settings for your server. You can test out your WMI permissions by logging into your server with a regular user and trying to execute WMI commands (you can use either PowerShell's Get-WmiObject, wbemtest.exe or VBScript).
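
One way to run the regular-user test suggested in the answer, as an added example that is not part of the original question or answer: the question's query split into connect, query and enumerate stages, so the failing stage and its error code are visible. The file name and stage labels are assumptions; `Computer123` is the sample host from the question.

```vbscript
' Added example, not from the original post. Run it on the IIS host while
' logged in as a regular (non-admin) user:
'   cscript //nologo wmicheck.vbs      (file name is an assumption)
Option Explicit
Dim net, svc, results, item, asset, query, seen

asset = "Computer123"   ' sample host name taken from the question
Set net = CreateObject("WScript.Network")
WScript.Echo "Running as: " & net.UserDomain & "\" & net.UserName

On Error Resume Next

' Stage 1: connect to the namespace. A failure here usually points at the
' namespace security that wmimgmt.msc shows for root\cimv2.
Set svc = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Report "connect to root\cimv2"

' Stage 2: submit the same query the ASP page uses.
query = "SELECT StatusCode, Address FROM Win32_PingStatus " & _
        "WHERE Address=" & Chr(34) & asset & Chr(34)
Set results = svc.ExecQuery(query)
Report "ExecQuery"

' Stage 3: enumerate. By default ExecQuery returns before the result set is
' complete, so a provider error can surface here instead of at ExecQuery.
seen = 0
For Each item In results
  ' Under On Error Resume Next a failed For Each still enters the body once.
  If Err.Number <> 0 Then Exit For
  seen = seen + 1
  WScript.Echo item.Address & " StatusCode=" & item.StatusCode
Next
Report "enumerate results (" & seen & " row(s))"
WScript.Echo "All stages passed for this account."

' Print the outcome of a stage; stop at the first failure with its HRESULT.
Sub Report(stage)
  If Err.Number = 0 Then
    WScript.Echo "OK     " & stage
  Else
    WScript.Echo "FAILED " & stage & ": 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
  End If
End Sub
```

Comparing the output for a regular user and an administrator shows which stage the permission difference affects.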