Reputation: 229
I've been working on a web application that makes use of PowerShell scripts. For some reason, even with ASP.NET impersonation, I am getting "access denied" errors on commands that require elevated access.
The web application is deployed via IIS 7.5 running on a Windows 2008 R2 Standard SP1 Server.
I've checked the exception logged in Event Viewer and noticed that the account being used in the spawned thread is the NETWORK SERVICE account:
From what I can tell, this means that impersonation is not being carried over to the PowerShell cmdlet threads. I am confident that the user to be impersonated should have access to run the script, but it looks like the permissions being used are those of the NETWORK SERVICE account, which is not the goal.
I've also made the following changes to the aspnet.config file, as suggested in a few articles I've read, to no avail:
<legacyImpersonationPolicy enabled="false"/>
<alwaysFlowImpersonationPolicy enabled="true"/>
Here's a snippet of the ASP.NET C# code to help explain my situation:
using System.Management.Automation.Runspaces;
using System.Text;

// Create the runspace
RunspaceConfiguration psConfig = RunspaceConfiguration.Create();
Runspace psRunspace = RunspaceFactory.CreateRunspace(psConfig);
// Configure the runspace to run on the current (impersonated) thread
psRunspace.ApartmentState = System.Threading.ApartmentState.STA;
psRunspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
// Open the runspace before creating a pipeline on it
psRunspace.Open();
using (Pipeline psPipeline = psRunspace.CreatePipeline())
{
    psPipeline.Commands.AddScript("C:\\Scripts\\Powershell\\MyScript.ps1");
    // Invoke the script
    var results = psPipeline.Invoke();
    var builder = new StringBuilder();
    foreach (var psObject in results)
    {
        // Convert the base object to a string and append it, with \r\n for line breaks
        builder.Append(psObject.BaseObject.ToString() + "\r\n");
    }
    // Display the results
    ResultBox.Text = builder.ToString();
}
psRunspace.Close();
I have spent the last 5 hours getting this to work. Any help would be greatly appreciated. Thanks!
Upvotes: 0
Views: 1681
Reputation: 11
Please try the following solution - it works for me in a SharePoint environment:
using System.Management.Automation.Runspaces;
using System.Security.Principal;

public ListUsersPS(string searchstring)
{
    ....
    // Impersonate the identity of the current thread (the ASP.NET request user)
    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    WindowsImpersonationContext ctx = null;
    ctx = identity.Impersonate();
    try
    {
        RunspaceConfiguration connectionInfo = RunspaceConfiguration.Create();
        ...
        using (Runspace rsp = RunspaceFactory.CreateRunspace(connectionInfo))
        {
            ...
        }
        ...
    }
    finally
    {
        // Revert to the original identity once the runspace work is done
        ctx.Undo();
    }
}
Upvotes: 1
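The pattern above carried through as an added example (my code, not the answerer's or the asker's): impersonate the request's Windows identity around the runspace, revert it in a finally block, and check from inside PowerShell which account the pipeline actually runs as, which is the fact the asker had to read out of Event Viewer. It assumes Windows authentication, so that `HttpContext.User.Identity` is a `WindowsIdentity`; the class and method names are my own.

```csharp
// Added example, not from the original post: impersonate the request's Windows
// identity around a runspace and verify from inside PowerShell who it runs as.
using System;
using System.Management.Automation.Runspaces;
using System.Security.Principal;
using System.Text;
using System.Web;
public static class ImpersonatedPowerShell
{
    // Constructed check script: reports the account PowerShell actually sees.
    private const string WhoAmIScript =
        "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name";
    // Assumes Windows authentication, so context.User.Identity is a WindowsIdentity.
    public static string RunAsRequestUser(HttpContext context, string scriptText)
    {
        var identity = context.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException("Request user is not an authenticated WindowsIdentity.");
        WindowsImpersonationContext ctx = identity.Impersonate();
        try
        {
            using (Runspace runspace = RunspaceFactory.CreateRunspace())
            {
                // Must be set before Open(): keeps the pipeline on this impersonated
                // thread instead of a new thread that carries the process token.
                runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
                runspace.Open();
                using (Pipeline pipeline = runspace.CreatePipeline())
                {
                    pipeline.Commands.AddScript(scriptText);
                    var output = new StringBuilder();
                    foreach (var psObject in pipeline.Invoke())
                        output.AppendLine(psObject.BaseObject.ToString());
                    return output.ToString();
                }
            }
        }
        finally
        {
            ctx.Undo(); // always revert, or this thread keeps the user's token
        }
    }
    // Diagnostic: true when the account inside PowerShell equals the request user.
    public static bool ImpersonationFlows(HttpContext context)
    {
        string inside = RunAsRequestUser(context, WhoAmIScript).Trim();
        return string.Equals(inside, context.User.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }
}
```

If `ImpersonationFlows` returns false, the name it compares is the account the pipeline ran as (for the asker, NETWORK SERVICE), which tells you whether the problem is the thread the runspace uses or the user's own permissions.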
Reputation: 1
Have you tried changing the user running your IIS process?
In IIS you are able to change the user running your application pool. Be careful if multiple applications use the same application pool.
To change the user running your application pool in IIS, click on Advanced Settings; there is a section called Process Model and Identity.
Upvotes: 0