Discovery and WMI with Microsoft Cluster Servers

lavaccaj · ‎10-04-2012

Let me start by stating that I am running Build name: Berlin, Build date: 07-18-2012_1833 and Build tag: glide-berlin-05-06-2012__patch0-hotfix2-07-12-2012.

Anyone aware of the WMI protocol from the Discovery accessing windows clusters via WMI and generating the error "Access to the root\MSCluster namespace was denied because the namespace is marked with RequiresEncryption but the script or application attempted to connect to this namespace with an authentication level below Pkt_Privacy. Change the authentication level to Pkt_Privacy and run the script or application again."

I searched the community and wiki to no avail after finding this article elsewhere via Google: http://social.msdn.microsoft.com/Forums/en/windowsgeneraldevelopmentissues/thread/2a97e133-de80-402e... it lead me to believe that the midserver is trying to access the clusters insecurely. (I have copied the response from the last post in this article on the first page below.) I would prefer to not have to lower security on my production SQL clusters due to the midserver scans… do you have any ideas? — should this be a HI ticket?

From the article:
The vendor for the monitoring tool that was causing the errors suggested these steps as a resolution. The solution ended up being the last step, which was to modify the ClusMof.mof file. It appears that there is some Windows issue at work here. It doesn't seem to recognize that the query is encrypted.
>>>>> The Steps
Reregister the cluster wmi provider dll:

• Open a UACed command prompt
• Change the directory to %windir%\System32\Wbem
• Run "RegSvr32 -s ClusWMI.dll"
• Retry the WMI Query using Wbemtest to see if this fixes the error logging issue.

Rebuild the cluster WMI Managed Object File

• Open a UACed command prompt
• Change the directory to %windir%\System32\Wbem
• Run "Mofcomp.exe ClusWMI.mof"
• Retry the WMI Query using Wbemtest to see if this fixes the error logging issue.

Rebuild the WMI Repository

• Open a UACed command prompt
• Run "winmgmt /salvagerepository"
• Retry the WMI Query using Wbemtest to see if this fixes the error logging issue.

Edit the WMI Managed Object File to remove the encryption requirement
• Open a UACed command prompt
• Change the directory to %windir%\System32\Wbem
• Run "notepad"
• Open ClusWMI.mof
• Change [RequiresEncryption] to [RequiresEncryption(FALSE)]
• Run "Mofcomp.exe ClusWMI.mof"
• Retry the WMI Query using Wbemtest to see if this fixes the error logging issue.

lavaccaj · ‎10-08-2012

(I was premature in calling this resolved, this fix appears to break the discovery for WMI queries to gather information correctly. I do not reccomend this fix at this time and have a case opened with SN to investigate the issue)

*******************************************************

The following update to the wmifetch.psm 1 file resolved the issue:

According to this article…

http://msdn.microsoft.com/en-us/library/windows/desktop/aa393266%28v=vs.85%29.aspx#setting_namespace_security_to_require_data_encryption_for_remote_connections

Setting the privacy level they say should be (or PktPrivacy as a moniker in a script)

We are trying as you read below…. packet privacy

$wmiClass = gwmi -namespace $namespace -class $table -computer $computer -credential $cred -impersonation impersonate -authentication packetprivacy -EA "Stop"

So in (/agent/lib/wmifetch.psm1)

Edit everywhere you see packetprivacy to PktPrivacy

$wmiClass = gwmi -namespace $namespace -class $table -computer $computer -credential $cred -impersonation impersonate -authentication PktPrivacy -EA "Stop"

subash_biswas · ‎02-22-2013

Cannot convert value "PktPrivacy" to type "System.Management.AuthenticationLevel" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Default, None, Connect, Call, Packet, PacketIntegrity, PacketPrivacy, Unchanged".

lavaccaj,
I had updated the wmifetch.psm1 to PktPrivacy and kept getting the above warning in input messages. When I reverted back to 'packetprivacy' discovery ran fine.

MIDs Win2K8 64 bit VMs - runs as domain user with local admin
Target Win2K8 64 bit VMs - has the same domain user set up as local admin on it
Do I need to change any other attributes? Please let me know, thanks,
Subash Biswas

lavaccaj · ‎02-22-2013

My case is still open and unresolved in HI - They are aware of this issue and have stated they are working on it but no ETA was provided. Sorry if I cannot provide any further detail. When it is resolved and I will update this post.