By default, calls to the Windows Management Instrumentation (WMI) Provider use the default Windows authentication level. That level verifies the caller's identity when the connection is made, so only authorized users can use the WMI provider, but it does not sign or encrypt the DCOM packets that carry the calls. If you call into WMI remotely, the data exchanged between your client and the FIM Synchronization Service server therefore travels in cleartext on the network. To protect that data, raise the authentication level in the WMI provider call so that every packet is signed and encrypted.
You can set the authentication level by using the optional security settings component of the WMI moniker with the appropriate WbemAuthenticationLevelEnum enumeration constant.
Note: Setting the authentication level is a request rather than a command; the server might not honor the request.
The WbemAuthenticationLevelEnum enumeration constants determine the authentication level of the service object. To authenticate all previous impersonation levels and sign and encrypt each data packet, use the WbemAuthenticationLevelPktPrivacy constant.
This topic contains examples that enable security in scripts.
Enabling Security on a Local System
The following Visual Basic Scripting Edition (VBScript) example shows how to create a service object with the recommended authentication level on a local server.
Visual Basic Script

    Option Explicit
    Dim Service
    ' The authenticationLevel keyword in the moniker is the literal string
    ' "pktPrivacy" (WbemAuthenticationLevelPktPrivacy, value 6); no VBScript
    ' constant is needed for the moniker form.
    Set Service = GetObject("winmgmts:{authenticationLevel=pktPrivacy}!root\MicrosoftIdentityIntegrationServer")
    '* Start your script here.
Enabling Security on a Remote System Using the Current User Credentials
The following VBScript example shows how to create a service object with the recommended authentication level on a remote server. The script uses the credentials of the current user. Replace MyServer with the name of the remote server.
Visual Basic Script

    Option Explicit
    Const WbemAuthenticationLevelPktPrivacy = 6
    Dim Locator
    Dim Service
    Set Locator = CreateObject("WbemScripting.SWbemLocator")
    ' Request packet privacy before connecting; the level applies to the
    ' services object returned by ConnectServer.
    Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy
    Set Service = Locator.ConnectServer("MyServer", "root\MicrosoftIdentityIntegrationServer")
    '* Start your script here.
Enabling Security on a Remote System Using Alternative Credentials
The following VBScript example shows how to create a service object with the recommended authentication level on a remote server. Instead of the credentials of the current user, the script passes an explicit user name and password to ConnectServer.
Visual Basic Script

    Option Explicit
    Const WbemAuthenticationLevelPktPrivacy = 6
    Dim Locator
    Dim Service
    Set Locator = CreateObject("WbemScripting.SWbemLocator")
    Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy
    ' The third and fourth arguments supply alternative credentials.
    Set Service = Locator.ConnectServer("MyServer", "root\MicrosoftIdentityIntegrationServer", "Domain\Me", "MyPassword")
    '* Start your script here.
Replace the following placeholder terms with the specified information:
- MyServer with the name of the remote server.
- Domain\Me with the name of the alternative user.
- MyPassword with the password of the alternative user.
Because this script contains a user name and password, store it in a folder secured at least as tightly as the Forefront Identity Manager Synchronization Service (FIM Synchronization Service) folder, and limit access to that folder to the accounts that must run the script.
Security Note: We do not recommend storing user credentials in a script. If you need to run a script under a different user context, in most cases you should use the runas command to run the script. For more information, see How to: Create Scripts to Run Management Agents.
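The same connection from Windows PowerShell, shown here as an added example that is not part of the original page or of the FIM product documentation. It covers the three cases above (default level, packet privacy with the current user, packet privacy with alternative credentials) and, for the last case, prompts for the credential instead of embedding it in the script. The server name MyServer is a placeholder; the MIIS_ManagementAgent class name is taken from the FIM Synchronization Service WMI provider and is not mentioned on this page.

```powershell
# Added example: FIM Synchronization Service WMI provider over DCOM with the
# authentication level raised to packet privacy. Not code from the original page.

$Namespace = 'root\MicrosoftIdentityIntegrationServer'
$Server    = 'MyServer'   # placeholder: replace with the FIM Synchronization Service host

# 1. Weak form (shown only for comparison). -Authentication is left at Default,
#    so the DCOM traffic to $Server is neither signed nor encrypted.
#    $Agents = Get-WmiObject -Namespace $Namespace -ComputerName $Server -Class MIIS_ManagementAgent

# 2. Packet privacy, current user's credentials. This mirrors the second
#    VBScript sample (SWbemLocator with AuthenticationLevel = 6).
$Agents = Get-WmiObject -Namespace $Namespace -ComputerName $Server `
    -Class MIIS_ManagementAgent -Authentication PacketPrivacy
$Agents | Select-Object Name, Type

# 3. Packet privacy, alternative credentials, using the CIM cmdlets over DCOM.
#    -PacketPrivacy is the DCOM session option equivalent to
#    WbemAuthenticationLevelPktPrivacy. Get-Credential prompts for the account,
#    so no password is stored in the script file (see the Security Note above).
$Cred    = Get-Credential -Message 'Account with rights to the FIM Synchronization Service'
$Option  = New-CimSessionOption -Protocol Dcom -PacketPrivacy
$Session = New-CimSession -ComputerName $Server -Credential $Cred -SessionOption $Option

try {
    Get-CimInstance -CimSession $Session -Namespace $Namespace -ClassName MIIS_ManagementAgent |
        Select-Object Name, Type
}
finally {
    # Always tear the session down; a lingering DCOM session keeps the
    # alternative credentials in use on the client.
    Remove-CimSession -CimSession $Session
}
```

As with the VBScript moniker, the requested level is negotiated with the server; if the call succeeds but the traffic must be verified as encrypted, inspect the DCOM exchange on the wire rather than trusting the client-side setting alone.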
See Also

Reference
- WbemAuthenticationLevelEnum

Concepts
- Creating Scripts
- How to: Connect to the WMI Service
- How to: Create Scripts to Run Management Agents

Other Resources
- Setting Client Application Process Security
- Setting the Default Process Security Level Using VBScript
- Connecting to WMI on a Remote Computer