
PowerShell impersonation (in C#) - not working


downatone

Mar 24, 2009, 3:48:53 PM

Hello all,

I'm having trouble with an ASP.NET site that invokes PowerShell when
hosted on IIS.
The site uses Windows auth; I was expecting these credentials to be
passed through - but PowerShell seems to be using the app pool's
credentials (NETWORK SERVICE ...).
I'm trying to impersonate the user as the code demonstrates below
without luck.

I tried what this site was suggesting:
'Windows PowerShell Blog : Impersonation and Hosting PowerShell'
(http://blogs.msdn.com/powershell/archive/2007/09/10/impersonation-and-hosting-powershell.aspx)
and have also looked at this one:
'Akash Blogging...... : HOWTO: Using PowerShell in ASP.NET (.NET
Framework 2.0)'
(http://blogs.msdn.com/akashb/archive/2009/01/30/howto-using-powershell-in-asp-net-net-framework-2-0.aspx)

Any other suggestions?

Code is as follows:


Code:
--------------------

using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security.Principal;
using System.Web;

// Inside the page's code-behind:
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
Response.Write("Identity: " + winId.Name);
WindowsImpersonationContext ctx = null;

try
{
    // Impersonate the authenticated user on the request thread
    ctx = winId.Impersonate();

    // Add VM.MoxyMedia snapin to configuration
    RunspaceConfiguration runspaceConfig = RunspaceConfiguration.Create();
    PSSnapInException psexception;
    runspaceConfig.AddPSSnapIn("MoxyCmdlets", out psexception);

    // Add configuration to runspace
    Runspace runspace = RunspaceFactory.CreateRunspace(runspaceConfig);
    runspace.Open();

    // Ask PowerShell which identity the pipeline is running under
    Pipeline pipeline = runspace.CreatePipeline("[System.Security.Principal.WindowsIdentity]::GetCurrent().Name");
    Collection<PSObject> results = pipeline.Invoke();

    foreach (PSObject result in results)
    {
        Response.Write(result.ToString());
    }

    runspace.Close();
}
finally
{
    // Revert impersonation even if the pipeline throws
    if (ctx != null)
    {
        ctx.Undo();
    }
}

--------------------


--
downatone

Marc Sherman

Mar 25, 2009, 9:07:53 AM
I too run PowerShell code from C# but I use RunspaceInvoke.Invoke(). I have
a logging function in C# and in the PowerShell code and both log the thread
ID (using Thread.CurrentThread.GetHashCode()). I've noticed that the thread
IDs are different, which leads me to conclude that RunspaceInvoke fires up a
new thread to run the PowerShell code. If that's the case with you, then
only your C# thread is impersonating, not your PowerShell thread.

Marc


downatone

Mar 25, 2009, 12:05:22 PM

Bump


--
downatone

downatone

Mar 25, 2009, 12:30:49 PM
On Mar 25, 9:07 am, "Marc Sherman" <masherman1...@yahoo.com> wrote:
> I too run PowerShell code from C# but I use RunspaceInvoke.Invoke(). I have
> a logging function in C# and in the PowerShell code and both log the thread
> ID (using Thread.CurrentThread.GetHashCode()). I've noticed that the thread
> IDs are different, which leads me to conclude that RunspaceInvoke fires up a
> new thread to run the PowerShell code. If that's the case with you, then
> only your C# thread is impersonating, not your PowerShell thread.
>
> Marc

I had added the following to my web.config:

    <legacyImpersonationPolicy enabled="false"/>
    <alwaysFlowImpersonationPolicy enabled="true"/>

Which I believe is meant to pass the impersonation onto any inner
threads ...
Still no luck, GetCurrent().Name within PowerShell is still returning:
NT AUTHORITY/NETWORK SERVICE
Could I allow PowerShell to run under this account by any chance?

cheers

Bob Landau

Mar 25, 2009, 1:55:06 PM
While the people on this DL are some of the most responsive that I've seen,
you typically need to wait _more_ than a day prior to "bumping" your
request.

What version of PowerShell are you using and what do you hope to accomplish?

With v2 there is native support for PowerShell Web Services. This gives the
caller the ability to invoke anything you've allowed them to do (in other
words the user's identity is flowed). When I get time, which hopefully will be
this weekend, I'm hoping to look into this. Here is the link:

http://blogs.msdn.com/powershell/archive/2008/10/31/es24-using-powershell-to-create-manageable-web-services.aspx


The behavior you've seen, I guess you know by now, is exactly what should
happen by default. The process token will be used if you either create a new
thread or process in Windows without explicitly setting up impersonation.

Krishna made a typo in his blog; setting this attribute can only be made in
your web.config file, not the aspnet.config as is mentioned. Other than this
I'd be surprised if the rest wasn't correct.

http://msdn.microsoft.com/en-us/library/ms229296.aspx

Sorry, I've not tried this nor will likely get to it in the near future. I
could post back any gotchas on using the PowerShell runtime to provide web
services that I come across next week.

bob
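
A diagnostic that combines the two checks used in this thread, the thread ID and the Windows identity, on both sides of the pipeline call. This is an added example, not code posted by anyone in the thread; `IdentityProbe` and `Describe` are hypothetical names, and it logs `ManagedThreadId` rather than `GetHashCode()`.

```csharp
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security.Principal;
using System.Text;
using System.Threading;

// Added diagnostic (hypothetical helper, not from the thread): reports the
// thread ID and Windows identity seen by the caller and by the pipeline.
public static class IdentityProbe
{
    // Runs inside PowerShell. GetCurrent($true) returns $null when the
    // executing thread carries no impersonation token.
    private const string Script =
        "$t = [System.Security.Principal.WindowsIdentity]::GetCurrent($true);" +
        "'thread=' + [System.Threading.Thread]::CurrentThread.ManagedThreadId;" +
        "'effective=' + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name;" +
        "'threadToken=' + $(if ($t) { $t.Name } else { '<none>' })";

    public static string Describe(WindowsIdentity user)
    {
        StringBuilder report = new StringBuilder();
        using (WindowsImpersonationContext ctx = user.Impersonate())
        using (Runspace runspace = RunspaceFactory.CreateRunspace())
        {
            // Caller side: identity and token on the impersonating thread.
            WindowsIdentity token = WindowsIdentity.GetCurrent(true);
            report.AppendLine("caller thread=" + Thread.CurrentThread.ManagedThreadId);
            report.AppendLine("caller effective=" + WindowsIdentity.GetCurrent().Name);
            report.AppendLine("caller threadToken=" + (token != null ? token.Name : "<none>"));

            runspace.Open();
            using (Pipeline pipeline = runspace.CreatePipeline(Script))
            {
                foreach (PSObject line in pipeline.Invoke())
                    report.AppendLine("pipeline " + line);
            }
        }   // disposing ctx reverts impersonation even if Invoke() throws
        return report.ToString();
    }
}
```

Call it with `(WindowsIdentity)HttpContext.Current.User.Identity` and write the result to a log. If the pipeline lines show a different thread ID and `threadToken=<none>`, the impersonation token did not reach the thread that runs the script, and the script executes with the process identity.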
