3

I want to install a MSI package on a remote computer. The local and remote computer both are members of a domain called "adn.lan" and the user/password I pass as parameter to connection has full access to remote machine. When I set connection.Authority to "ntdlmdomain:adran.lan" the return parameter shows the "Invalid parameter" and when I leave it as null and make it as remarked, the connect() would connect successfully but when it try to install package the return parameter shows that the addressed package is inaccessible.

Here is the code I've tried with.

ConnectionOptions connection = new ConnectionOptions();
//connection.Authority = "ntdlmdomain:adn.lan"; // "kerberos:" + domain + @"\" + machine;
connection.Username = username;
connection.Password = password;
//connection.Impersonation = ImpersonationLevel.Identify ;
connection.Authentication = AuthenticationLevel.Packet;

ManagementScope scope = new ManagementScope("\\\\RemoteMachineName\\root\\CIMV2", connection);
scope.Connect();

ManagementPath p = new ManagementPath("Win32_Product");                
ManagementClass classInstance = new ManagementClass(scope, p, null);
ManagementBaseObject inParams = classInstance.GetMethodParameters("Install");

inParams["AllUsers"] = true; 
inParams["Options"] = string.Empty;
inParams["PackageLocation"] = "\\\\LocalMachineName\\Share\\Prescription.msi";                

ManagementBaseObject outParams = classInstance.InvokeMethod("Install", inParams, null);                

string retVal = outParams["ReturnValue"].ToString();

When I set theconnection.Impersonation to Identity the result would be "Access denied".

Bill the Lizard
  • 398,270
  • 210
  • 566
  • 880
m-abdi
  • 540
  • 1
  • 7
  • 30
  • By now I decided to copy the MSI package to remote machine then address the file path from local for overcome to the problem but am still interested in to achieve better solution. – m-abdi May 24 '11 at 07:59

1 Answers1

3

If I understand your question and followup comment, you found that it would not work when the package path was on a different machine than the target machine (i.e. a UNC path, normally accessible from the target machine). But the installation works when you copy the package to the target machine and pass a local path on the target machine.

I believe the reason for the failure is due to the nature of DCOM impersonation levels.
Impersonate allows you to use the credentials of the caller on the target machine -- but not to connect from the target machine to another machine. To make that second hop using the same credentials requires Delegate level. (Problem is, that has security risks, so all the guidance says "warning warning warning" and everything makes it hard by default.)
When you asked the target machine to access the installation package on a separate network location, that was a "second hop" which would require credentials, but impersonate meant you could only use your credentials on the target machine, not passed from there to the remote file location.

TechNet has a nice summary of the impersonation levels, see Table 6.6 DCOM Impersonation Levels at the top of WMI Security Settings.

p.s. For fun, you might see if there's a way to do it without copying to the target machine. If you could find a way to expose the installation package file to the network in a way that allowed anonymous access, I wonder if that second hop would be allowed since only anonymous credentials were needed? Not sure though. And there might be an awful lot of guessing and testing going on, if you're anything like me : )

Daryn
  • 4,791
  • 4
  • 39
  • 52