Last post Apr 18, 2017 12:13 AM by MichaelB_Oz
Apr 11, 2017 12:34 AM|MichaelB_Oz|LINK
I am new to ASP.Net programming, so I apologise in advance for any incorrect use of terminology.
I am currently developing an application (written in VB.NET) to assist authorized users in managing DHCP servers in our organisation. The application does this by calling PowerShell scripts to query and configure the DHCP servers.
The configuration of our environment is:
- IIS 8.5 running on Windows Server 2012r2
- Windows Authentication
- Application Pool is running as a domain account in Integrated Pipeline mode. The domain account has been configured for constrained delegation to the DHCP servers.
- The application pool identity and site users have been given "full control" to the application and scripts directories for testing.
- The authenticated user is impersonated programmatically before calling the PowerShell script using the following code:
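' Requires: Imports System.Management.Automation.Runspaces
' Impersonate the Windows-authenticated caller for the duration of the script call
Dim winID As System.Security.Principal.WindowsIdentity = CType(HttpContext.Current.User.Identity, System.Security.Principal.WindowsIdentity)
Dim ctx As System.Security.Principal.WindowsImpersonationContext = Nothing
ctx = winID.Impersonate()
Dim rs As Runspace = RunspaceFactory.CreateRunspace()
rs.Open() ' a runspace must be opened before its pipeline can be invoked
Dim rsPipeline As Pipeline = rs.CreatePipeline()
' (the script is added to rsPipeline.Commands at this point; not shown in the post)
objResults = rsPipeline.Invoke()
ctx.Undo() ' revert the thread to the application pool identity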
Everything is working as expected BUT only if the user is a member of the "Administrators" group on the IIS server. If they are not a member of the local administrators then the following exception is thrown when they click on the button that calls the
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Management.Infrastructure.CimException: Access denied
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[CimException: Access denied ]
System.Linq.Enumerable.SingleOrDefault(IEnumerable`1 source) +121
Microsoft.Management.Infrastructure.CimSession.TestConnection(CimInstance& instance, CimException& exception) +184
[CimJobException: Cannot connect to CIM server. Access denied ]
System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord) +7810839
[CmdletInvocationException: Cannot connect to CIM server. Access denied ]
System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input) +14654780
The PowerShell script being run is a simple one-line script:
Get-DhcpServerv4Scope -ComputerName servername.mydomain
If a user logs in to the IIS server they can run the script without any problems. While logged in to the server if they open a browser and enter the URL "http://localhost/sitename" the site and scripts function as expected. However if they enter the URL
"http://fqdn_of_server/sitename" the above error is displayed.
I am thinking this is most likely an IIS configuration issue, but any suggestions or advice would be appreciated.
Apr 11, 2017 01:07 PM|jierong|LINK
For "Access denied" issue, I think you can try to use the powerful and easy-to-use tool called
to do troubleshooting.
You can refer to the following article for the basic intro.
And the following is the general way to troubleshoot an Access Denied issue:
I hope the above links help you solve the issue; let us know if further help is needed.
Apr 18, 2017 12:13 AM|MichaelB_Oz|LINK
Thank you for your response. I have used Process Monitor as suggested, but was unable to find any "Access Denied" messages.
I have since modified the PowerShell script to output some debugging information to a log file, and this shows the access denied message is generated when the Get-DHCPv4Scope cmdlet is called:
Get-DhcpServerv4Scope : Cannot connect to CIM server. Access denied
At line:16 char:1
+ Get-DhcpServerv4Scope -ComputerName $server_name
+ CategoryInfo : ResourceUnavailable: (PS_DhcpServerv4Scope:String) [Get-DhcpServerv4Scope],
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-DhcpServerv4Scope
I am not sure why this should be the case, or why adding the user to the administrators group on the server resolves this problem.
Any thoughts/suggestions would be appreciated.
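The last post mentions adding debug output to the script. As an added example (not code from the thread), the PowerShell below logs which identity and impersonation level the script is actually running under, then opens the CIM session explicitly so that the failing step is recorded separately from the DHCP cmdlet. The log path, the default server name and the helper name Write-IdentityLog are assumptions.

```powershell
param(
    [string]$server_name = 'servername.mydomain',        # placeholder name used in the post
    [string]$log_path    = 'C:\Temp\dhcp-identity.log'   # hypothetical log location
)

# Hypothetical helper: append a timestamped line to the log file.
function Write-IdentityLog {
    param([string]$Message)
    "{0:u} {1}" -f (Get-Date), $Message | Out-File -FilePath $log_path -Append
}

# The security context this script is executing under (thread token if impersonating).
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

Write-IdentityLog ("Name={0} AuthType={1} ImpersonationLevel={2} IsLocalAdmin={3}" -f `
    $id.Name, $id.AuthenticationType, $id.ImpersonationLevel, $isAdmin)

# Open the CIM session explicitly so a connection failure is logged on its own line.
$session = $null
try {
    $session = New-CimSession -ComputerName $server_name -ErrorAction Stop
    Write-IdentityLog "CIM session to $server_name opened"

    Get-DhcpServerv4Scope -CimSession $session -ErrorAction Stop |
        ForEach-Object { Write-IdentityLog "Scope $($_.ScopeId) $($_.Name)" }
}
catch {
    # Record the exception type as well as the message (e.g. CimException: Access denied).
    Write-IdentityLog ("FAILED: {0}: {1}" -f $_.Exception.GetType().FullName, $_.Exception.Message)
}
finally {
    if ($session) { Remove-CimSession -CimSession $session }
}
```

Comparing the logged line for a request made via http://localhost/sitename with one made via the server's FQDN, and for an administrator versus a non-administrator, shows whether the script sees the same identity and impersonation level in each case.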