Using Microsoft.Web.Administration on a remote machine not in the domain [Answered]

10 replies

Last post Nov 06, 2009 03:16 AM by lonevvolf

  • Using Microsoft.Web.Administration on a remote machine not in the domain

    Oct 30, 2009 08:02 AM|lonevvolf|LINK

    I'm banging my head against a wall, trying to get this to work. I have the following situation: Machine A should run a program which uses Microsoft.Web.Administration to connect to and manage IIS on Machine B. Machine A is in domain A. Machine B is not in a domain. User A exists in domain A. User A exists with the same username and password on Machine B. When I enable Remote Administration on Machine B, and connect through IIS Manager on Machine A, it asks for credentials. I enter them without a domain name, and everything works perfectly. The question is, how can I connect to and manage Machine B from Machine A programmatically? Doesn't the IIS Remote Management also use the Microsoft.Web.Administration? I can't impersonate (as far as I can tell), because Machine B isn't in the domain. I also can't find any way to send credentials when using ServerManager.OpenRemote(). Please help!
  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Oct 30, 2009 01:18 PM|anilr|LINK

    This should just work via the magic of NTLM - I know that I used this when both machineA and machineB are not domain joined and they have local users with identical username/password on them.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 02, 2009 05:15 AM|lonevvolf|LINK

    Sorry if I'm being dense, but can you please explain how to do this?  I've tried using LogonUser(), but it doesn't seem to work.  If that's the correct way, which domain name should I be passing to the function?  Anything special I should be doing?

  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 02, 2009 11:05 AM|lonevvolf|LINK

    From the extensive searching I've done on the topic, it would seem that I need to additionally use CoInitializeSecurity, but I haven't gotten that to work either, yet. No matter what combination of parameters I seem to send to it, the calls to ServerManager always fail. Please help!
  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 03, 2009 04:02 AM|Leo Tang - MSFT|LINK

    Hi,

    Based on the online document, we can only specify the server name when using the ServerManager.OpenRemote() method.

    To connect to the remote server, you need to be logged in as/impersonating the local Administrator account with a synchronized password on the remote server.  And you also need to ensure DCOM connectivity, because MWA uses DCOM to connect to the remote configuration system.

    For the detailed information, please check the following article:
    Connecting to IIS 7.0 configuration remotely with Microsoft.Web.Administration
    http://mvolo.com/blogs/serverside/archive/2008/05/26/Accessing-IIS-7.0-configuration-remotely-and-on-server-core.aspx



  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 03, 2009 04:11 AM|lonevvolf|LINK

    The impersonation is exactly what I am struggling with. A simple impersonation doesn't work, as DCOM commands seem to take their identity from the original process, not the impersonation. Can anyone actually post some working code for this? I have not yet been able to find any. Either the code doesn't take into account the required Authentication level for IIS DCOM access, or it has some other problem.
  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 03, 2009 04:14 AM|lonevvolf|LINK

    BTW, here is the code I have tried, which is NOT working:

    // Log on as the target account and impersonate it on the current thread.
    bool returnValue = LogonUser(user, userDomain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref _userHandle);
    if (!returnValue) throw new ApplicationException("Could not impersonate user");
    WindowsIdentity newId = new WindowsIdentity(_userHandle);
    _impersonatedUser = newId.Impersonate();

    // Set process-wide COM security: packet-privacy authentication, impersonate level, dynamic cloaking.
    int retCode = CoInitializeSecurity(IntPtr.Zero, -1, IntPtr.Zero, IntPtr.Zero, RpcAuthnLevel.PktPrivacy, RpcImpLevel.Impersonate, IntPtr.Zero, EoAuthnCap.DynamicCloaking, IntPtr.Zero);

    // Open the remote server's configuration over DCOM.
    serverManager = ServerManager.OpenRemote(servername);
    Configuration config = serverManager.GetAdministrationConfiguration();

  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 03, 2009 01:06 PM|anilr|LINK

    You will need to install this qfe - http://support.microsoft.com/kb/970691

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 04, 2009 05:46 AM|lonevvolf|LINK

    anilr

    You will need to install this qfe - http://support.microsoft.com/kb/970691

    Sorry, that's not the error I'm getting. I'm also using IIS 7.5 on both sides, so that hotfix doesn't apply. The error I'm getting is: Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine (machinename) failed due to the following error: 80070005.
  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 06, 2009 02:32 AM|WenJun Zhang - MSFT|LINK

    It's still an access denied error. 

    Make sure you run the code with a local account which exists on both machines with exactly the same username and password. In this case, the NTLM credential can be passed to the remote machine.

    Another approach you can choose is to write the MWA code into a web service and deploy it to the remote IIS. Then use client code to call the web service to achieve your task.

  • Re: Using Microsoft.Web.Administration on a remote machine not in the domain

    Nov 06, 2009 03:16 AM|lonevvolf|LINK

    Well, I've gotten around the problem, but it wasn't any of the solutions offered here. In order to run the impersonation for DCOM, you do indeed need to use the code as I posted above. The problem seemed to be with the one test call I was making to ServerManager. I was testing with a call to GetApplicationHostConfiguration(), which apparently has different requirements for security. Calling other methods/properties, such as ApplicationPools, worked fine. Another gotcha is to make sure to disable the host process when debugging, or the impersonation calls will fail. In any case, using the code posted earlier, you can access a remote machine with MWA, using a user account that doesn't necessarily exist on the local machine.
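
The sequence the thread settles on (LogonUser, impersonate, CoInitializeSecurity with dynamic cloaking, then ServerManager.OpenRemote and ApplicationPools), written out with its P/Invoke declarations, error checks and cleanup. This is an added example, not code from any poster; the class and method names RemoteIis and ListAppPools are hypothetical, and it assumes .NET Framework with a reference to Microsoft.Web.Administration.dll.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Web.Administration;

static class RemoteIis   // hypothetical name, for illustration only
{
    // Win32 constants with their Windows SDK header values.
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0;
    const uint RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6, RPC_C_IMP_LEVEL_IMPERSONATE = 3;
    const uint EOAC_DYNAMIC_CLOAKING = 0x40;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    [DllImport("ole32.dll")]
    static extern int CoInitializeSecurity(IntPtr secDesc, int cAuthSvc, IntPtr asAuthSvc,
        IntPtr reserved1, uint authnLevel, uint impLevel, IntPtr authList,
        uint capabilities, IntPtr reserved3);

    // Prints the application pool names on `server` while impersonating the account.
    // Call once per process: CoInitializeSecurity cannot be repeated.
    public static void ListAppPools(string server, string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity id = new WindowsIdentity(token))
            using (id.Impersonate())   // impersonation is reverted on dispose
            {
                // Same call order as the thread's code. Throws on failure, including
                // RPC_E_TOO_LATE when COM security was already set in this process.
                Marshal.ThrowExceptionForHR(CoInitializeSecurity(IntPtr.Zero, -1, IntPtr.Zero,
                    IntPtr.Zero, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE,
                    IntPtr.Zero, EOAC_DYNAMIC_CLOAKING, IntPtr.Zero));
                using (ServerManager manager = ServerManager.OpenRemote(server))
                    foreach (ApplicationPool pool in manager.ApplicationPools)
                        Console.WriteLine(pool.Name);
            }
        }
        finally { CloseHandle(token); }   // WindowsIdentity duplicated the handle
    }
}
```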