Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008.

Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008.

  • Comments 7
  • Likes

Ran into a weird issue where I was getting access denied when trying to query nodes remotely in powershell.  The query was working fine against Windows 2003 cluster names and worked locally when ran on a Windows 2008 cluster node, it just didn’t work remotely.

 

Against 2k3:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k3-01 | Select-Object Name

Name
----
Server-2k3-01
Server-2k3-02

Against 2k8:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01
Get-WmiObject : Access denied
At line:1 char:5
+ gwmi <<<<  -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01

 

I also tried the query outside of powershell to eliminate that form the equation with the same results and it still failed.  So why the difference?  Well looking around on the target, I noticed this event in the event log:

Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          9/5/2008 10:17:52 AM
Event ID:      5605
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server-2k8-01
Description:
Access to the root\mscluster namespace was denied because the namespace is marked with RequiresEncryption but the script or application attempted to connect to this namespace with an authentication level below Pkt_Privacy. Change the authentication level to Pkt_Privacy and run the script or application again.

 

Doing a little research I ran across this article explaining the event and what needs to happen to run the query properly:

http://technet.microsoft.com/en-us/library/cc727103.aspx

In VBScript that means adding: authenticationLevel=pktPrivacy to your query.  In Powershell (I’m using 2.0) you just add the authentication switch to get it to work.  Now the query works on downlevel as well as 2k8:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01 -Authentication PacketPrivacy | Select-Object Name

Name
----

Server-2k8-01
Server-2k8-02
Server-2k8-03
Server-2k8-04
Server-2k8-05

 

PostScript:

You can do a whole bunch of cool stuff with powershell check it out!  Here’s just a little query to tell me each node and ‘t state:

PS C:\Debuggers> gwmi -q "Select * from MSCluster_Node" -namespace root\mscluster -computername TK5-CLUS-01 -Authentication PacketPrivacy | Select-Object Name,State | Format-Table -au

Name           State
----              -----
tk5-clus-01     0
tk5-clus-02     0
tk5-clus-03     0
tk5-clus-04     1
tk5-clus-05     0
tk5-clus-06     0

Comments
  • PingBack from http://powerscripting.wordpress.com/2008/10/05/episode-44-tobias-weltner-gives-an-inside-look-at-powershell-plus/

  • I get the following error:

    A parameter cannot be found that matches parameter name 'Authentication'

    Which version of powershell are you using?

  • Ah forget it, I just found out they added that parameter in CTP 2.0.

  • what if i can't upgrade to poweshell 2?

    how can i solve with ps 1?

  • The -Authentication was put into v3 to help with this issue.  You cannot use get-wmiobject in POSH v1 to connect to namespaces that require packet privacy.  You'd need to use [wmisearcher] or the .NET framework and then set the authentication in there.  Sorry.  It CAN be done though, just a bit more work.

  • Here's an example of [wmisearcher]:

    [wmisearcher]$wmisearcher = "SELECT * FROM IISApplicationPoolSetting"

    $wmisearcher.scope = "\\Server1\root\MicrosoftIISv2"

    $wmisearcher.scope.options.EnablePrivileges = $true

    $wmisearcher.scope.options.Impersonation = "Impersonate"

    $wmisearcher.scope.options.Authentication = "PacketPrivacy"

    $wmisearcher.scope.options

  • Please follow this link here http://msdn.microsoft.com/en-us/library/aa393618(VS.85).aspx

    WMI authentication have to be changed.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment