asp.net create powershell as logged in user

MarcJensensberger 0 Reputation points
2023-05-08T08:05:25.1633333+00:00

Hi,

I am trying to start a powershell session from an asp.net web application. This works only with the service user stored in the application pool.

However, I need to run the powershell session in the user context.

Windows authentication is set, and with User.Identity.Name I get back the username of the currently logged-in user.

First I assemble the PowerShell command:

string script = "c:\\exchscripts\\WebApp-Scripte\\SomeScripts.ps1";

I start the shell as follows:

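// Requires: using System.Management.Automation;
var shell = PowerShell.Create();
// Open the remote Exchange session and import its commands
shell.Commands.AddScript("$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri " + connectionuri + " ; Import-PSSession -Session $Session");
// Start a new statement so the session output is not piped into the script
shell.Commands.AddStatement();
shell.Commands.AddScript(script);
// Execute the script
var results = shell.Invoke();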

Using start-transcript I see that the executing PowerShell user is the service user stored in the application pool.

But it should be the logged in user (via User.Identity.Name).

How do I get this right?

Windows development Internet Information Services
Developer technologies ASP.NET ASP.NET Core
Developer technologies ASP.NET Other

4 answers

  1. MotoX80 36,291 Reputation points
    2023-05-08T13:22:16.5933333+00:00

  2. Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator
    2023-05-08T14:54:37.1433333+00:00

  3. MarcJensensberger 0 Reputation points
    2023-05-09T06:18:16.7766667+00:00

    I forgot to mention that it works under IIS Express directly from Visual Studio. Without any code changes.

    The user who authenticates to the IIS Express site using Kerberos then also runs the script.

    Only with IIS it does not work.


  4. MotoX80 36,291 Reputation points
    2023-05-09T12:59:39.9233333+00:00

    The first link that @Bruce (SqlWork.com) provided sounds like it addresses your issue. I also found this which might work better.

    https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/development/implement-impersonation

    Put your script call where the example has "//Insert your code that runs under the security context of the authenticating user here."

    Before you go too far though, are you aware of the "double hop" issue? I see where you included "Microsoft.Exchange", so it looks like your site is going to connect to Exchange and do something on behalf of the client. You will need to set up Kerberos delegation for that to work.

    DelegConfig is an old tool that I used to test with. This page explains the issue.

    https://blogs.iis.net/bretb/How-to-Use-DelegConfig

    This appears to be the last (current?) version of the test tool. I don't know what it will take to get it working on current IIS installs. Sorry, I'm retired now, and no longer have access to an AD environment and all of my old test sites.

    https://www.iis.net/downloads/community/2009/06/delegconfig-v2-beta-delegation-kerberos-configuration-tool

    I also found this which appears to be an updated Kerberos test tool. I have not tested this. I think that I would try this tool first.

    https://github.com/SurajDixit/KerberosConfigMgrIIS

    See "Configuration for double hop".

    https://techcommunity.microsoft.com/t5/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/ba-p/347882

    You might find that it is easier to prompt the user for their password and launch a Powershell.exe process using the user's credentials. That will ensure that you can connect to Exchange.

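One way to put the script call inside an impersonation block, as the answer above suggests. This is an added example, not code from the thread or from the linked Microsoft article. The class and method names are hypothetical, and pinning the runspace to the calling thread with `PSThreadOptions.UseCurrentThread` is an assumption made here so the pipeline runs on the impersonating thread. It would be called as `CallerPowerShell.RunAsCaller(User.Identity, script)`.

```csharp
using System;
using System.Linq;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security.Principal;

// Hypothetical helper (not from the thread): runs a script as the
// Windows-authenticated caller instead of the application pool identity.
public static class CallerPowerShell
{
    // Returns the account name that PowerShell itself reports after the
    // script ran, so it can be compared with User.Identity.Name.
    public static string RunAsCaller(IIdentity user, string scriptText)
    {
        var caller = user as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new InvalidOperationException("No Windows-authenticated caller on this request.");

        // The delegate executes with the caller's token on the current thread.
        return WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
        {
            using (var runspace = RunspaceFactory.CreateRunspace())
            {
                // Assumption: run the pipeline on this impersonating thread
                // rather than on a separate pipeline thread.
                runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
                runspace.Open();

                using (var shell = PowerShell.Create())
                {
                    shell.Runspace = runspace;
                    shell.AddScript(scriptText);
                    // Last statement reports who the pipeline really runs as.
                    shell.AddStatement().AddScript(
                        "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name");

                    var results = shell.Invoke();
                    if (shell.HadErrors)
                        throw new InvalidOperationException(
                            "Script failed: " + shell.Streams.Error.FirstOrDefault());
                    return results.Last().BaseObject as string;
                }
            }
        });
    }
}
```

The returned name only confirms the identity on the web server itself. The New-PSSession connection to Exchange is the second hop and still depends on the Kerberos delegation setup the answer describes.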
