ASP.NET PowerShell Impersonation

Posted by Ben on Stack Overflow
Published on 2010-04-16T23:08:53Z Indexed on 2010/04/16 23:13 UTC


I have developed an ASP.NET MVC Web Application to execute PowerShell scripts.

I am using the VS web server and can execute scripts fine.

However, a requirement is that users are able to execute scripts against AD to perform actions that their own user accounts are not allowed to do.

Therefore I am using impersonation to switch the identity before creating the PowerShell runspace:

    using System.Management.Automation.Runspaces;
    using System.Security.Principal;

    // Impersonation (LogonUser + WindowsIdentity.Impersonate) has already
    // switched the thread identity at this point, as described above.
    // 'config' is not shown in the original snippet; a default configuration is assumed here.
    RunspaceConfiguration config = RunspaceConfiguration.Create();
    Runspace runspace = RunspaceFactory.CreateRunspace(config);

    // Check which identity the thread is actually running under before opening.
    var currentuser = WindowsIdentity.GetCurrent().Name;

    if (runspace.RunspaceStateInfo.State == RunspaceState.BeforeOpen) {
        runspace.Open();   // this is the call that throws the SecurityException below
    }

I have tested using a domain admin account and I get the following exception when calling runspace.Open():

Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Requested registry access is not allowed.

The web application is running in full trust and I have explicitly added the account I am using for impersonation to the local administrators group of the machine (even though the domain admins group was already there).

I'm using the advapi32.dll LogonUser call to perform the impersonation, in a similar way to this post (http://blogs.msdn.com/webdav_101/archive/2008/09/25/howto-calling-exchange-powershell-from-an-impersonated-thead.aspx).

Any help appreciated, as this is a bit of a show-stopper at the moment.

Thanks, Ben
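As an added illustration of the LogonUser / Impersonate / Open sequence the question describes (example code, not Ben's and not from the linked post), this is one way to keep both the impersonation and the token handle scoped to a single PowerShell call and reverted on every path. The class and method names, the interactive logon type and the way credentials reach the method are assumptions of this example.

```csharp
using System;
using System.Collections.ObjectModel;
using System.ComponentModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (not the poster's code): log on with explicit credentials,
// impersonate that token, create/open/run the runspace while impersonated, then
// revert the thread identity and close the token handle whatever happens.
public static class ImpersonatedPowerShell
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Interactive logon needs the "log on locally" right but gives the runspace a
    // full user context; a NETWORK logon (3) does not load the user's profile hive.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    public static Collection<PSObject> Invoke(string domain, string user,
                                              string password, string script)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Disposing the impersonation context reverts to the worker-process
            // identity even if Open() throws, so no later request inherits it.
            using (WindowsIdentity.Impersonate(token))
            using (Runspace runspace = RunspaceFactory.CreateRunspace())
            {
                // Open() and the pipeline both execute here, as the impersonated user.
                runspace.Open();
                using (Pipeline pipeline = runspace.CreatePipeline(script))
                {
                    return pipeline.Invoke();
                }
            }
        }
        finally
        {
            CloseHandle(token); // do not leak the logon token handle
        }
    }
}
```

The credentials passed in should come from protected configuration rather than from request input, and the account used should hold only the AD rights the scripts need rather than domain admin membership.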

© Stack Overflow or respective owner
