Did you set identity impersonate="true"?
asp.net create powershell as logged in user
Hi,
I am trying to start a PowerShell session from an ASP.NET web application. This works only with the service user stored in the application pool.
However, I need to run the PowerShell session in the user's context.
Windows authentication is set, and with User.Identity.Name I get back the username of the currently logged-in user.
First I assemble the PowerShell command:
var script = "c:\\exchscripts\\WebApp-Scripte\\SomeScripts.ps1";
I start the shell as follows:
var shell = PowerShell.Create();
shell.Commands.AddScript("$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri " + connectionuri + " ; Import-PSSession -Session $Session");
shell.Commands.AddScript(script);
// Execute the script
var results = shell.Invoke();
Using Start-Transcript I see that the executing PowerShell user is the service user stored in the application pool.
But it should be the logged-in user (via User.Identity.Name).
How do I get this right?
4 answers
-
Bruce (SqlWork.com) 61,731 Reputation points
2023-05-08T14:54:37.1433333+00:00
You need to create a process with the user's token. See this example.
With ASP.NET Core, you use the impersonation context to get the token handle.
-
MarcJensensberger 0 Reputation points
2023-05-09T06:18:16.7766667+00:00
I forgot to mention that it works under IIS Express directly from Visual Studio, without any code changes.
The user who authenticates to the IIS Express site using Kerberos then also runs the script.
Only with IIS it does not work.
-
MotoX80 32,911 Reputation points
2023-05-09T12:59:39.9233333+00:00
The first link that @Bruce (SqlWork.com) provided sounds like it addresses your issue. I also found this, which might work better.
Put your script call where the example has "//Insert your code that runs under the security context of the authenticating user here."
Before you go too far though, are you aware of the "double hop" issue? I see where you included "Microsoft.Exchange", so it looks like your site is going to connect to Exchange and do something on behalf of the client. You will need to set up Kerberos delegation for that to work.
Delegconfig is an old tool that I used to test with. This page explains the issue.
https://blogs.iis.net/bretb/How-to-Use-DelegConfig
This appears to be the last (current?) version of the test tool. I don't know what it will take to get it working on current IIS installs. Sorry, I'm retired now, and no longer have access to an AD environment and all of my old test sites.
I also found this which appears to be an updated Kerberos test tool. I have not tested this. I think that I would try this tool first.
https://github.com/SurajDixit/KerberosConfigMgrIIS
See "Configuration for double hop".
You might find that it is easier to prompt the user for their password and launch a PowerShell.exe process using the user's credentials. That will ensure that you can connect to Exchange.
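Putting Bruce's token-based impersonation and MotoX80's double-hop warning together, here is an added example of what the handler could look like; it is not code from the thread, from the linked tools, or from Microsoft's samples. It assumes classic ASP.NET (System.Web) with Windows authentication enabled, and the connectionUri and scriptPath values are placeholders supplied by the caller. It checks the caller's token before opening the Exchange session, so a missing delegation setup fails with a clear message instead of an anonymous-logon error on the Exchange side, and it pins the PowerShell pipeline to the impersonating thread so the runspace cannot run on a worker thread that still carries the app-pool token.

```csharp
// Added example, not from the thread. Assumes classic ASP.NET (System.Web) with
// Windows authentication on; connectionUri and scriptPath are caller-supplied placeholders.
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security.Principal;
using System.Web;

public static class UserContextPowerShell
{
    // Runs the Exchange script as the authenticated browser user and returns the
    // pipeline output as text. Throws instead of silently running as the app pool.
    public static string RunAsCaller(HttpContext ctx, string connectionUri, string scriptPath)
    {
        var identity = ctx.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException("Windows authentication is required.");

        // Double-hop check (the issue MotoX80 raises). New-PSSession to Exchange is a
        // second hop, so the token IIS holds must be delegable. Anything less than
        // Delegation means NTLM, or Kerberos without delegation configured in AD, and
        // the Exchange side will see an anonymous logon. That is fixed in AD, not here.
        if (identity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Token for " + identity.Name + " is " + identity.ImpersonationLevel +
                "; Kerberos delegation from this web server to Exchange is not set up.");

        string output = null;

        // RunImpersonated puts only this thread under the caller's token; the app-pool
        // identity comes back when the delegate returns, even if it throws.
        WindowsIdentity.RunImpersonated(identity.AccessToken, () =>
        {
            // Pin the pipeline to the impersonating thread so the runspace cannot
            // execute on a worker thread that still carries the app-pool token.
            using (var runspace = RunspaceFactory.CreateRunspace())
            {
                runspace.ThreadOptions = PSThreadOptions.UseCurrentThread;
                runspace.Open();

                using (var shell = PowerShell.Create())
                {
                    shell.Runspace = runspace;
                    shell.AddScript(
                        "$Session = New-PSSession -ConfigurationName Microsoft.Exchange " +
                        "-ConnectionUri '" + connectionUri + "' -Authentication Kerberos; " +
                        "Import-PSSession -Session $Session | Out-Null");
                    // Quote the path; the bare-path form in the question breaks on spaces.
                    shell.AddScript("& '" + scriptPath + "'");
                    // Emit the effective account so the caller can confirm it is not the app pool.
                    shell.AddScript("[System.Security.Principal.WindowsIdentity]::GetCurrent().Name");

                    var results = shell.Invoke();
                    if (shell.HadErrors)
                        throw new InvalidOperationException(
                            string.Join(Environment.NewLine, shell.Streams.Error));
                    output = string.Join(Environment.NewLine, results);
                }
            }
        });

        return output;
    }
}
```

Two caveats on using this. Both placeholders are spliced into script text, so they must come from server-side configuration, never from the request, or the splice becomes a PowerShell injection point. And the ImpersonationLevel check only tells you whether the token the web server holds can be forwarded; whether the Exchange CAS accepts that forwarded ticket still depends on the delegation settings MotoX80 describes. On ASP.NET Core with the Negotiate handler the same method works with HttpContext.User.Identity cast to WindowsIdentity, the only difference being where the HttpContext comes from.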