I have been trying to make MySQL Workbench's Remote Server Administration to work with my WMI service installed on a Windows 2008 R2 server.
I would like to know if the following syntax is correct and sufficient in order to check if WMI access has been enabled on the server.
wmic /node:myserver.com /user:wmi_user /password:123456 systemenclosure get serialnumber
I have tried the above command from my home laptop however it gives "The RPC server is unavailable" error.
What I have done so far on the server:
User Account with WMI Rights
Created a separate user account for WMI access(user: wmi_user and it is a member of administrator group).
Enabled WMI traffic on the firewall using the following command:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
netsh firewall set service RemoteAdmin enable
CIMOM settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback change the value from 0 to 1.
UAC settings
I have adjusted the UAC for wmi_user to never notify.
DCOM settings
I've read on one article which mentions if the user is in the administrator group, there is no need to change this setting.
Please let me know if there's anything else I missed out. Thank you.
Related
I'm trying to install Qlik Sense Desktop on Windows Server 2012 R2. The problem I believe is with the name entered as hostname during installation.
I tried using the hostname during installation process as the name of the server machine as well as the the ip address of the windows server but I get below error message whenever I try loading the Qlik sense hub app after installation
This site can’t be reached
If you're logged into the server, try https://localhost/qmc rather than the hostname. That should always work unless the services have failed to start up or something.
If you can get in there, then you can amend the accepted hostnames in the Virtual Proxy settings in the "Host Allow List" section.
If you can't get in there, it's possible it's trying to use the hostname you entered to connect between services - your best bet is to do a full uninstall and re-install - and probably keep the default hostname it proposes as this should always work and you can add additional hostnames at a later date.
Are the services up and running ? Have you see if one of the ports used by QlikSense are available or were used by other application ?
I have a test server that I can ping successfully although I'm not able to see a hello world test page I've created and mapped in IIS. I've also created an Inbound rule in the windows firewall. Is there something else I'm missing? I'm browsing http://x.x.x.x:888
Any advice greatly appreciated.
Many thanks,
Update
This is a AWS server
Have tried telnet from a client machine but I get Operation timed out
Nothing in IIS logs (C:\inetpub\logs\LogFiles\xxx)
Port 888 is what I assign the test website to in IIS
Have also moved the test file (index.htm) into the default website within IIS and tried browsing http://x.x.x.x:80/index.htm but I get This site can’t be reached
browsing http://localhost on the server displays the 'hello' message test page.
In windows explorer I've gone to the security settings by right clicking on the website folder and allowing 'everyone' read access
Firewall screen shot
Important update
the IP http://x.x.x.x:888 is the public IP within AWS for the server, not the interal IP of that actual server
On windows 10, I found a firewall issue for my testing server, this worked for me: go to Windows Firewall -> Advanced Settings -> Windows Firewall properties and set a public profile to allow incoming connections.
I'm using OpenOPC library to connect to OPC servers. I can successfully write and read from my local Matrikon OPC server but when I try and read from another machine (different host) then I get the error Pyro.errors.ProtocolError: connection failed
My code for connection is here;
import OpenOPC
class OPC_tag_reader:
opc = OpenOPC.open_client('<remote host>')
#breaks here!!!!
def __init__(self):
print 'connecting to server'
self.opc.connect('Matrikon.OPC.Simulation.1', '<remote host')
The code does not get to the constructor.
Thanks!
OPC uses DCOM for communicating you need to perform the following steps to solve this issue.
Run the DCOM configuration utility by selecting Run from your Windows Start menu and type dcomcnfg.exe click on OK.
2.Expand Component Services, Computers and RightClick on the MyComputer and select Properties
Select the Tab Default Properties and Check the “Enable Distributed COM on this Computer”. The Default Authentication level should be Connect and the Default Impersonation level should be Identify. NOTE: Provide additional security for reference tracking should be unchecked.
Now select the COM Security Tab and under the Access Permissions section click on the Edit Defaults Button, Click on the Add… Button and add the user name (The newly created user name that is exactly same as that of user name on the server). After adding the New user select it and in the box below check the boxes to enable (Allow) Both Local Access and Remote Access.
For initial test purposes include Everyone in the Grant Access list.
On the machine where the server is add OpcEnum.exe to the firewall exception list
On the client machine's fire wall allow port 135 incoming coneciton
Note: For initial testing disable the firewall on both the server and the client .. :)
Note down the user ID and password of the windows user account under which the opc server is running and create the same user name and account on the remote machine (This is to establish trust between the two computers)
I have a web service running under IIS7 on a server with a host header set so that it receives requests made to http://myserver1.mydomain.com.
I've set Windows INtegrated Authentication to Enabled and everything else (basic, anonymous, etc) to Disabled.
I'm testing the web service using a powershell script, and it works fine when I run it from my workstation against http://myserver1.mydomain.com
However, when I run the same exact script on the IIS server itself, I get a 401-Unauthorized message.
In addition, I've tried installing the web service on a second server, myserver2.mydomain.com. Again I can call my test script fine from BOTH my workstation and from myserver1.
So it seems the only issue is when the client is on the same box as the web server itself - somehow the windows credentials are not being passed or recognized.
I tried playing with IE settings on myserver1 (checked and unchecked 'Enable Windows Integrated Authentication', and added the URL to Local Sites). That did not seem to have an effect.
When I look at the IIS logs, I see the 401 unauthorized line but very little other information.
I see basically the same behavior when testing with IE (v9) - works from my workstation but not when IE is running on the IIS server.
I found the answer after several hours:
By default, there is something called a LoopbackCheck which will reject windows authentication if the host header used for the site does not match the local host's name. This behavior will only be seen when the client is on the local host. The check is there to defeat possible reflection attacks.
More details here:
http://support.microsoft.com/kb/896861
The kb item discusses ways to disable the Loopback check, but I ended up just switching from using host headers to ports to distinguish the different sites on the IIS server.
Thanks to those who gave assistance.
Try checking the actual credential that is being passed when you are running on the server itself. Often times you will be running on some system account that doesn't have access to the resource in question.
For example, on your box your credentials are running as...
MYDOMAIN\MYNAME
and the server will be something like...
SYSTEM\SYSTEM_ACCOUNT
and so this will fail because 'SYSTEM\SYSTEM_ACCOUNT' doesn't have credentials.
If this is the case, you can fix the problem in one of two ways.
Give 'SYSTEM\SYSTEM_ACCOUNT' access to the resource in question. Most people would avoid this strategy due to security concerns (which is why the account has no access in the first place).
Impersonate, or change the credentials of the client manually to something that does have access to the resource, 'MYDOMAIN\MYNAME' for example. This is what most people would probably go with, including myself.
I'm trying to run a custom WinHTTP based web-server on Windows Server 2008 machine.
I pass "http://*:22222/" to HttpAddUrl
When I start my executable as Administrator or LocalSystem everything works fine. However if I try to run it as NetworkService to minimize security risks (since there are no legitimate reasons for the app to use admin rights) function fails with "Access Denied" error code.
I wasn't aware of NetworkService having any restrictions on which ports and interfaces it can listen on.
Is there a way to configure permissions in such a way so that I actually can run the app under NetworkService account and connect to it from other internet hosts?
You must be an administrator to add URLs to the http.sys URL mappings. Network Service does is not a member of the admin group, but the admnistrator's group and the System account are members.
IIS gets around this by having one process, inetinfo.exe, that runs as SYSTEM and sets up the URL mappings for worker processes (w3wp.exe) that run as Network Service.
Hope that clarifies tings.