asp.net create powershell as logged in user

MarcJensensberger 0 Reputation points
2023-05-08T08:05:25.1633333+00:00

Hi,

I am trying to start a PowerShell session from an ASP.NET web application. This works only with the service user stored in the application pool.

However, I need to run the PowerShell session in the user context.

Windows authentication is set and with

User.Identity.Name

I get back the username of the currently logged in user.

First I assemble the PowerShell command:

script = ("c:\\exchscripts\\WebApp-Scripte\\SomeScripts.ps1");

I start the shell as follows:

var shell = PowerShell.Create();
shell.Commands.AddScript("$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri " + connectionuri + " ; Import-PSSession -Session $Session");

shell.Commands.AddScript(script);
// Execute the script
var results = shell.Invoke();

Using

start-transcript

I see that the executing PowerShell user is the service user stored in the application pool.

But it should be the logged in user (via User.Identity.Name).

How do I get this right?


4 answers

  1. MotoX80 32,911 Reputation points
    2023-05-08T13:22:16.5933333+00:00

  2. Bruce (SqlWork.com) 61,731 Reputation points
    2023-05-08T14:54:37.1433333+00:00

  3. MarcJensensberger 0 Reputation points
    2023-05-09T06:18:16.7766667+00:00

    I forgot to mention that it works under IIS Express directly from Visual Studio. Without any code changes.

    The user who authenticates to the IIS Express site using Kerberos then also runs the script.

    Only with IIS it does not work.


  4. MotoX80 32,911 Reputation points
    2023-05-09T12:59:39.9233333+00:00

    The first link that @Bruce (SqlWork.com) provided sounds like it addresses your issue. I also found this which might work better.

    https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/development/implement-impersonation

    Put your script call where the example has "//Insert your code that runs under the security context of the authenticating user here."

    Before you go too far though, are you aware of the "double hop" issue? I see where you included "Microsoft.Exchange", so it looks like your site is going to connect to Exchange and do something on behalf of the client. You will need to set up Kerberos delegation for that to work.

    Delegconfig is an old tool that I used to test with. This page explains the issue.

    https://blogs.iis.net/bretb/How-to-Use-DelegConfig

    This appears to be the last (current?) version of the test tool. I don't know what it will take to get it working on current IIS installs. Sorry, I'm retired now, and no longer have access to an AD environment and all of my old test sites.

    https://www.iis.net/downloads/community/2009/06/delegconfig-v2-beta-delegation-kerberos-configuration-tool

    I also found this which appears to be an updated Kerberos test tool. I have not tested this. I think that I would try this tool first.

    https://github.com/SurajDixit/KerberosConfigMgrIIS

    See "Configuration for double hop".

    https://techcommunity.microsoft.com/t5/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/ba-p/347882

    You might find that it is easier to prompt the user for their password and launch a Powershell.exe process using the user's credentials. That will ensure that you can connect to Exchange.

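
An added example, not from the thread or the linked Microsoft article: the impersonation approach from the last answer applied to the question's PowerShell call, assuming ASP.NET on .NET Framework with Windows authentication and the System.Management.Automation assembly. The class, method and parameter names are hypothetical, and the impersonation-level check is only a diagnostic for the double-hop condition, not proof that delegation to Exchange is configured.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.Management.Automation;
using System.Security.Principal;

// Hypothetical helper; call it with (WindowsIdentity)User.Identity.
public static class ImpersonatedExchangeShell
{
    public static Collection<PSObject> Run(WindowsIdentity caller,
                                           Uri connectionUri, string scriptPath)
    {
        // Double-hop diagnostic: a token that is not delegation-level is usually
        // valid on the web server only and cannot authenticate onward to Exchange.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            Trace.TraceWarning("Token for {0} has level {1}; check Kerberos delegation.",
                               caller.Name, caller.ImpersonationLevel);

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        using (PowerShell shell = PowerShell.Create())
        {
            // Bind the URI as a parameter instead of concatenating it into script text.
            shell.AddScript("param($Uri) " +
                            "$Session = New-PSSession -ConfigurationName Microsoft.Exchange " +
                            "-ConnectionUri $Uri; Import-PSSession -Session $Session")
                 .AddParameter("Uri", connectionUri);

            // Run the .ps1 as a separate statement, not as a pipeline stage.
            shell.AddStatement().AddCommand(scriptPath);

            // Invoke() runs the pipeline on its own thread; ask PowerShell to
            // carry the impersonation token over to that thread.
            var settings = new PSInvocationSettings { FlowImpersonationPolicy = true };
            Collection<PSObject> results = shell.Invoke(null, settings);

            // Surface the first non-terminating error instead of returning silently.
            if (shell.Streams.Error.Count > 0)
                throw new InvalidOperationException(shell.Streams.Error[0].ToString());

            return results;
        }
    }
}
```

Running `[Security.Principal.WindowsIdentity]::GetCurrent().Name` as the script is a quick way to confirm which account the pipeline thread executes as.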