Starting a process in C# with username & password throws "Access is Denied" exception

Question

Inside a .NET 3.5 web app running impersonation I am trying to execute a process via:

var process = new Process 
             { StartInfo = 
                    { CreateNoWindow = true, 
                      FileName = "someFileName", 
                      Domain = "someDomain", 
                      Username = "someUserName", 
                      Password = securePassword, 
                      UseShellExecute = false
                    }
             };

process.Start();

-Changing the trust mode to full in web.config did not fix.

-Note the var securePassword is a secureString set up earlier in the code.

This throws an exception with 'Access is Denied' as its message. If I remove the username and password information, the exception goes away, but the process starts as aspnet_wp instead of the user I need it to.

I've seen this issue in multiple forums and never seen a solution provided. Any ideas?

Answer 1

I went a different way and put the whole application in its own app-pool running as the user we were originally impersonating. Now, when asp.net spawns a new process, it spawns under the context of the user instead of aspnet_wp. Not the exact solution to the problem I posted, but it worked for our situation.

Answer 2

Not sure if this is it, but I had a related problem and the answer was that the account didn't have permission to impersonate on the machine. This can be changed by adding the account to the Policy "Impersonate a client after authentication" using the local policy manager on the machine.

Answer 3

I wanted to mention that I have tried the code at this site including the updated code mentioned in the comments. This code runs the process as the impersonated identity (which is really all I need), but the redirecting of the standard error fails -- so this link could be useful to those not concerned with dealing with the stderr.

Answer 4

Check the Code Access Security level as Process requires Full Trust. Your web application may be running in a partial trust setting.

From the Process MSDN page:

Permissions

* LinkDemand
for full trust for the immediate caller. This class cannot be used by partially trusted code.

* InheritanceDemand
for full trust for inheritors. This class cannot be inherited by partially trusted code.

Answer 5

I ran into the same problem that you did on a project. There should be a way to spawn a process out of your web app with given credentials, but in practice, it's a kludge at best. What I wound up finally doing was just having the app push information to an MSMQ and having a windows service that popped items of the Queue an serviced the requests.

Even when you appliation is impersonating, it still wants to run under theaspnet user account.

Answer 6

You can use ProcessStartInfo which allows you to specify credentials. The trick is that the password is a secure string, so you have to pass it as a byte array.

The code might look something like:

Dim startInfo As New ProcessStartInfo(programName)
        With startInfo
            .Domain = "test.local"
            .WorkingDirectory = My.Application.Info.DirectoryPath
            .UserName = "testuser"
            Dim pwd As New Security.SecureString
            For Each c As Char In "password"
                pwd.AppendChar(c)
            Next
            .Password = pwd

            'If you provide a value for the Password property, the UseShellExecute property must be false, or an InvalidOperationException will be thrown when the Process..::.Start(ProcessStartInfo) method is called. 
            .UseShellExecute = False

            .WindowStyle = ProcessWindowStyle.Hidden
        End With