Authenticated User Impersonation in Classic ASP under IIS7
Posted
by
user52663
on Server Fault
See other posts from Server Fault
or by user52663
Published on 2010-08-28T03:24:56Z
Indexed on
2012/05/31
10:42 UTC
Read the original article
Hit count: 409
I've recently moved one of our servers from Server 2003 and IIS6 to Server 2008 R2 and IIS7 (technically IIS7.5 I suppose). In doing so I am transitioning a small account management tool written in classic ASP and have run into a problem with user impersonation. Extensive searching hasn't been much help so far.
Under IIS6, the site was configured to impersonate the logged-in user. Thus, if a domain admin logged in, he was able to run commands to create user directories, adjust permissions, etc. Using Procmon you can see the processes executing as that user. This worked fine.
However, with the same code under IIS7, I am unable to get this behavior. I have enabled Basic Authentication, disabled Anonymous Auth, enabled impersonation and have changed the app pool to classic instead of integrated pipelining. Everything seems to be configured correctly, however, all the processes launched by the classic ASP site continue to run as the default AppPool identity and not the logged-in user.
If it matters, programs are being launched with code such as:
set Wsh = Server.CreateObject("WScript.Shell")
Wsh.Run("cmd.exe /C mkdir D:\users\foo")
Monitoring via Procmon shows cmd.exe being run as either "Classic .NET AppPool" or "DefaultAppPool" depending on the pipeline mode.
Any suggestions on how to get the classic ASP site to impersonate and execute as the authenticated user would be great. Thanks!
© Server Fault or respective owner