Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008.

Ran into a weird issue where I was getting access denied when trying to query nodes remotely in PowerShell.  The query was working fine against Windows 2003 cluster names and worked locally when run on a Windows 2008 cluster node; it just didn’t work remotely.

 

Against 2k3:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k3-01 | Select-Object Name

Name
----
Server-2k3-01
Server-2k3-02

Against 2k8:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01
Get-WmiObject : Access denied
At line:1 char:5
+ gwmi <<<<  -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01

 

I also tried the query outside of PowerShell to eliminate that from the equation, with the same results: it still failed.  So why the difference?  Well, looking around on the target, I noticed this event in the event log:

Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          9/5/2008 10:17:52 AM
Event ID:      5605
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server-2k8-01
Description:
Access to the root\mscluster namespace was denied because the namespace is marked with RequiresEncryption but the script or application attempted to connect to this namespace with an authentication level below Pkt_Privacy. Change the authentication level to Pkt_Privacy and run the script or application again.

 

Doing a little research I ran across this article explaining the event and what needs to happen to run the query properly:

http://technet.microsoft.com/en-us/library/cc727103.aspx

In VBScript that means adding authenticationLevel=pktPrivacy to your query.  In PowerShell (I’m using 2.0) you just add the -Authentication switch to get it to work.  Now the query works on downlevel as well as 2k8:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01 -Authentication PacketPrivacy | Select-Object Name

Name
----

Server-2k8-01
Server-2k8-02
Server-2k8-03
Server-2k8-04
Server-2k8-05

 

PostScript:

You can do a whole bunch of cool stuff with PowerShell, check it out!  Here’s just a little query to tell me each node and its state:

PS C:\Debuggers> gwmi -q "Select * from MSCluster_Node" -namespace root\mscluster -computername TK5-CLUS-01 -Authentication PacketPrivacy | Select-Object Name,State | Format-Table -au

Name           State
----              -----
tk5-clus-01     0
tk5-clus-02     0
tk5-clus-03     0
tk5-clus-04     1
tk5-clus-05     0
tk5-clus-06     0
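
The fix and the PostScript query above, combined into one function as an added example that is not from the original post: it sets PacketPrivacy on the connection through System.Management rather than through the -Authentication switch, and turns the numeric State into a name. The function name Get-ClusterNodeState and the QueriedVia column are hypothetical, and the state names assume the documented MSCluster_Node.State values (0 Up, 1 Down, 2 Paused, 3 Joining).

```powershell
# Added example, not from the original post. Get-ClusterNodeState is a
# hypothetical helper name. It uses System.Management directly, so the
# Pkt_Privacy level is set on the connection itself.
function Get-ClusterNodeState {
    param([string[]]$ComputerName)

    # Assumed mapping: documented MSCluster_Node.State values.
    # Keys are strings so the lookup does not depend on the integer
    # type WMI returns for State.
    $stateNames = @{ '0' = 'Up'; '1' = 'Down'; '2' = 'Paused'; '3' = 'Joining' }

    foreach ($computer in $ComputerName) {
        $options = New-Object System.Management.ConnectionOptions
        # Sign and encrypt every packet; a namespace marked RequiresEncryption
        # rejects anything lower and logs event 5605 on the target.
        $options.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
        $options.Impersonation  = [System.Management.ImpersonationLevel]::Impersonate

        $scope    = New-Object System.Management.ManagementScope("\\$computer\root\mscluster", $options)
        $query    = New-Object System.Management.ObjectQuery('SELECT Name, State FROM MSCluster_Node')
        $searcher = New-Object System.Management.ManagementObjectSearcher($scope, $query)

        try {
            foreach ($node in $searcher.Get()) {
                $key  = [string]$node.State
                $name = $stateNames[$key]
                if (-not $name) { $name = "Unknown ($key)" }
                New-Object PSObject -Property @{
                    QueriedVia = $computer
                    Node       = $node.Name
                    State      = $name
                }
            }
        }
        catch {
            # Report the failure per target and continue with the next one.
            Write-Warning "Query against $computer failed: $($_.Exception.Message)"
        }
    }
}

# Server names taken from the post's own examples.
Get-ClusterNodeState -ComputerName 'Server-2k8-01', 'TK5-CLUS-01' |
    Select-Object QueriedVia, Node, State | Format-Table -AutoSize
```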

Published Monday, September 08, 2008 7:00 PM by Brad Rutkowski


Comments

# Episode 44 - Tobias Weltner gives an inside look at PowerShell Plus « PowerScripting Podcast @ Sunday, October 05, 2008 10:15 PM

PingBack from http://powerscripting.wordpress.com/2008/10/05/episode-44-tobias-weltner-gives-an-inside-look-at-powershell-plus/


# re: Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008. @ Thursday, December 04, 2008 8:55 AM

I get the following error:

A parameter cannot be found that matches parameter name 'Authentication'

Which version of powershell are you using?

Chris Haines

# re: Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008. @ Thursday, December 04, 2008 9:04 AM

Ah forget it, I just found out they added that parameter in CTP 2.0.

Chris Haines

# re: Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008. @ Thursday, December 11, 2008 10:34 AM

What if I can't upgrade to PowerShell 2?

How can I solve with PS 1?

ale

# re: Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008. @ Saturday, December 13, 2008 7:18 PM

The -Authentication was put into v3 to help with this issue.  You cannot use get-wmiobject in POSH v1 to connect to namespaces that require packet privacy.  You'd need to use [wmisearcher] or the .NET framework and then set the authentication in there.  Sorry.  It CAN be done though, just a bit more work.

Brad Rutkowski

# re: Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008. @ Saturday, December 13, 2008 7:23 PM

Here's an example of [wmisearcher]:

[wmisearcher]$wmisearcher = "SELECT * FROM IISApplicationPoolSetting"
$wmisearcher.scope = "\\Server1\root\MicrosoftIISv2"
$wmisearcher.scope.options.EnablePrivileges = $true
$wmisearcher.scope.options.Impersonation = "Impersonate"
$wmisearcher.scope.options.Authentication = "PacketPrivacy"
$wmisearcher.scope.options

Brad Rutkowski

# re: Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008. @ Tuesday, August 18, 2009 1:32 AM

Please follow this link here http://msdn.microsoft.com/en-us/library/aa393618(VS.85).aspx

WMI authentication has to be changed.

Somdev Mondal
