MS-DHCP permission denied

Hi All,

If you run a foreman proxy accessing Microsoft's DHCP, what sort of user
account do you run the service as?

Do I need to run the ms-dhcp proxy on the DHCP server? The documentation
seems to indicate I don't, but my current installation doesn't seem to have
permission to access the external DHCP server.

From my proxy.log the command being run is:

c:\windows\system32\cmd.exe /c c:\Windows\System32\netsh.exe -c dhcp server 172.16.1.2 show scope

If I run that command in a normal user shell I get a message about elevated
privileges being required. If I run that command in an administrator
shell, I get "Access Denied".

Does anyone have any insight to this? If I run the proxy on a separate
windows host, does the DHCP server need to trust the remote proxy host's
local admin or localsystem account?

Thanks

I'm getting a little further - I did indeed need a domain account that had
access to change DHCP settings.

I added a line to native_ms.rb to show the response I was getting:

logger.debug "response: #{response}"

which now gives me:

executing: c:\windows\system32\cmd.exe /c c:\windows\system32\netsh.exe -c dhcp server 172.16.1.2 show scope
response: ["The following command was not found: server 172.16.1.2 show scope"]

So it looks like somehow the dhcp part isn't recognizing the "server
172.16.1.2" portion.

Which is weird because from the same shell (elevated admin privileges,
running as my domain user) I can run that command just fine.

I'll dig further into what is going on.

On Sunday, September 28, 2014 1:37:36 PM UTC-4, Anthony Clark wrote:
> Hi All,
>
> If you run a foreman proxy accessing Microsoft's DHCP, what sort of user
> account do you run the service as?
>
> Do I need to run the ms-dhcp proxy on the DHCP server? The documentation
> seems to indicate I don't, but my current installation doesn't seem to have
> permission to access the external DHCP server.
>
> From my proxy.log the command being run is:
>
> c:\windows\system32\cmd.exe /c c:\Windows\System32\netsh.exe -c dhcp server 172.16.1.2 show scope
>
> If I run that command in a normal user shell I get a message about
> elevated privileges being required. If I run that command in an
> administrator shell, I get "Access Denied".
>
> Does anyone have any insight to this? If I run the proxy on a separate
> windows host, does the DHCP server need to trust the remote proxy host's
> local admin or localsystem account?
>
> Thanks

Hi,

You have to run MS-DHCP smart proxy under an AD domain account which is
a member of DHCP Administrators group (true for Windows 2008 R2 and I
believe for 2012)

I use runas.exe command to start proxy process - I do not run it as a
Windows service. It works fine however.

runas /user:DOMAIN\svcForemanProxy /savecred "C:\Ruby187\bin\ruby.exe C:\ForemanProxy160\bin\smart-proxy"

Evgeny


Hi Anthony,

You have to install "DHCP Support Tools" - by default Windows netsh.exe
does not have "server" option.
See the links below for how to do that.

  1. GUI way - http://casualit.wordpress.com/2012/11/17/where-are-the-server-2008-support-tools/

  2. CLI way - http://technet.microsoft.com/en-us/library/cc731774.aspx

Evgeny


Also MS-DHCP proxy AD account should have at least the below NTFS
permissions:

  1. Read/List/Execute to the proxy folder - i.e. C:\ForemanProxy160

  2. Write to the proxy's log folder - i.e. C:\ForemanProxy160\log

Evgeny

On Monday, September 29, 2014 10:00:06 AM UTC-7, Evgeny Vasilchenko wrote:
> Hi,
>
> You have to run MS-DHCP smart proxy under an *AD domain account* which is
> a member of *DHCP Administrators group* (true for Windows 2008 R2 and I
> believe for 2012)
>
> I use runas.exe command to start proxy process - I do not run it as a
> Windows service. It works fine however.
>
> *runas /user:DOMAIN\svcForemanProxy /savecred "C:\Ruby187\bin\ruby.exe C:\ForemanProxy160\bin\smart-proxy"*
>
> Evgeny

Thank you, Evgeny :)

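Added example, not part of the thread and not Foreman's own code: a small Ruby helper that takes the netsh response the proxy logs (the `response` array shown above) and reports which of the three failure modes from this thread it is, with the fix the thread gives for each. The name `diagnose_netsh`, the match patterns and the sample lines are assumptions made for this illustration.

```ruby
# Added illustration, not Foreman smart-proxy code. diagnose_netsh and the
# patterns below are hypothetical, built from the messages in this thread.
NETSH_FAILURES = [
  [/following command was not found/i, :dhcp_tools_missing,
   'netsh has no "dhcp server" context here: install the DHCP Support Tools'],
  [/access (is )?denied/i, :not_authorized,
   'run the proxy under an AD domain account in DHCP Administrators'],
  # Assumed wording; the thread only says "elevated privileges being required".
  [/requires elevation|elevated privileges/i, :not_elevated,
   'start the proxy from an elevated (administrator) context'],
].freeze

# response: the array of output lines (or a single string) returned by netsh.
def diagnose_netsh(response)
  # Messages can wrap across array elements, so join and squeeze whitespace.
  text = Array(response).join(' ').gsub(/\s+/, ' ').strip
  NETSH_FAILURES.each do |pattern, status, hint|
    if text =~ pattern
      return { :status => status, :hint => hint, :detail => text }
    end
  end
  { :status => :no_known_failure, :hint => nil, :detail => text }
end

# Constructed samples: the first two use wording quoted in the thread,
# the last two are made up for the demo.
SAMPLES = {
  'tools missing' => ['The following command was not found: server 172.16.1.2 show',
                      'scope'],
  'wrong account' => ['Access Denied'],
  'not elevated'  => ['The requested operation requires elevation.'],
  'scope listing' => ['172.16.1.0 - 255.255.255.0 - Active - lab scope (constructed)'],
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, lines|
    result = diagnose_netsh(lines)
    puts "#{name}: #{result[:status]} #{result[:hint]}"
  end
end
```

Logging the returned `:status` next to the raw response separates a missing netsh DHCP context on the proxy host from a permissions problem on the DHCP server, which call for different fixes.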