kd7iwp

Reputation: 3140

Remote PowerShell sessions from C# under ApplicationPoolIdentity

Using a library I found from Microsoft, I have been attempting (with C#) to provision email accounts for my users with Live@Edu, and the library uses remote PowerShell sessions to do this. I have wrapped the PowerShell calls with a using() { } block that impersonates a local administrator account. When I run the code on my own development machine it works great and provisions the account on Live@Edu, yet when I run the same code on the production server I get an Access is Denied error from PowerShell.

What I just noticed is if I change the IIS Application Pool user on the server to my own domain account everything works fine on the production server, but leaving it as ApplicationPoolIdentity does not work. So it appears that even though in my code I impersonate a local administrator, those credentials are not being passed on to the PowerShell session. Oddly enough, when the scripts run on my own machine, also under ApplicationPoolIdentity, there is no problem and that leads me to believe that the script is actually running under my own account on my machine (and I am a local administrator).

I did have the code spit out the value of $env:username and it gave me the machine name. I was expecting it to give me the actual username it runs under, since that is what I get when I type that command directly into a PowerShell window.

When logged in to the remote server interactively using the credentials that I have been impersonating in code, I can manually type all of the PowerShell cmdlets into a PowerShell window and they work fine.

I don't want to have my IIS Application Pool always running under an administrator account, as that seems foolish, so is there a way of running the PowerShell script as an administrator that goes further than the current impersonation that I am doing?

UPDATE:

There was an odd thing that happened that seems to work as a solution for me. After deploying my code to the server I created a local administrator account. I then went to the IIS Application Pool and changed the owner from ApplicationPoolIdentity to the admin account I just created. After that the page would work fine to run the PowerShell script. I already knew this from before, but didn't want to have IIS using an admin account. I then proceeded to set the Application Pool back to ApplicationPoolIdentity and removed the local admin account, and the page still works!? I restarted IIS, and the web server itself, and everything works. All I can think is that moving the Application Pool over to an admin account changed some attribute in the App Pool permanently. I have now put a modified question on ServerFault.

Upvotes: 5

Views: 1310

Answers (1)

kd7iwp

Reputation: 3140

Turns out the issue had to do with the Load User Profile option in the IIS App Pool for my app being set to False on the server (False is the default for Windows Server 2008). After reading up on this property I am not entirely sure why this matters for my scenario, but that was the one setting different in IIS on my local machine from what the Web Server had. Now all the PowerShell calls work flawlessly on the server.

Upvotes: 7
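
The setting named in the answer can be audited and changed from PowerShell while the pool stays on ApplicationPoolIdentity. This is an added example, not part of the original post; it assumes the WebAdministration module on the web server and an elevated prompt, and the pool name `MyAppPool` is a placeholder.

```powershell
# Added example: report each app pool's identity and Load User Profile setting,
# then enable Load User Profile on one pool without changing its identity.
Import-Module WebAdministration

function Get-AppPoolProfileReport {
    # One row per pool so pools running under a named account stand out.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        [pscustomobject]@{
            Name            = $_.Name
            IdentityType    = $pm.identityType
            UserName        = $pm.userName
            LoadUserProfile = $pm.loadUserProfile
            # A SpecificUser pool may be running as an over-privileged account.
            Review          = ($pm.identityType -eq 'SpecificUser')
        }
    }
}

function Enable-AppPoolUserProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)

    $path = "IIS:\AppPools\$Name"
    if (-not (Test-Path $path)) { throw "App pool '$Name' not found." }

    $pool = Get-Item $path
    if ($pool.processModel.loadUserProfile) {
        Write-Verbose "Load User Profile is already True on '$Name'."
        return
    }
    if ($PSCmdlet.ShouldProcess($Name, 'Set processModel.loadUserProfile = True')) {
        # Only this one attribute changes; identityType is left as it is.
        Set-ItemProperty $path -Name processModel.loadUserProfile -Value $true
        # The worker process reads the setting at start, so recycle the pool.
        Restart-WebAppPool -Name $Name
    }
}

Get-AppPoolProfileReport | Format-Table -AutoSize

# Placeholder pool name; -WhatIf previews the change without applying it.
Enable-AppPoolUserProfile -Name 'MyAppPool' -WhatIf
```

Remove `-WhatIf` to apply the change, then re-run the report to confirm the pool still shows `ApplicationPoolIdentity`.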
