9

Inside a .NET 3.5 web app running impersonation I am trying to execute a process via:

var process = new Process
{
    StartInfo =
    {
        CreateNoWindow = true,
        FileName = "someFileName",
        Domain = "someDomain",
        UserName = "someUserName",
        Password = securePassword, // SecureString built earlier in the code
        UseShellExecute = false
    }
};

process.Start();

- Changing the trust mode to full in web.config did not fix it.

- Note the var securePassword is a SecureString set up earlier in the code.

This throws an exception with 'Access is Denied' as its message. If I remove the username and password information, the exception goes away, but the process starts as aspnet_wp instead of the user I need it to.

I've seen this issue in multiple forums and never seen a solution provided. Any ideas?

Mark Byers

6 Answers

2

You can use ProcessStartInfo which allows you to specify credentials. The trick is that the password is a secure string, so you have to pass it as a byte array.

The code might look something like:

Dim startInfo As New ProcessStartInfo(programName)
With startInfo
    .Domain = "test.local"
    .WorkingDirectory = My.Application.Info.DirectoryPath
    .UserName = "testuser"
    Dim pwd As New Security.SecureString
    For Each c As Char In "password"
        pwd.AppendChar(c)
    Next
    .Password = pwd

    'If you provide a value for the Password property, the UseShellExecute property must be false, or an InvalidOperationException will be thrown when the Process.Start(ProcessStartInfo) method is called.
    .UseShellExecute = False

    .WindowStyle = ProcessWindowStyle.Hidden
End With

'Start the process with the credentials configured above.
Process.Start(startInfo)
Mike L
  • Suppose the process is an exe of a VB6 application. Do I need to amend the VB6 application too on the project load? Or to create some GLOBAL parameter in VB6 to catch the UserName or Password sent from this program and to check if these parameters exist, then to perform the VB6 application's login screen's login button click? – Teju MB Dec 24 '13 at 03:50
  • 1
    @TejuMB In the original question and in my answer, ProcessStartInfo is only being used to shell out a process as a different Windows user (presumably because the permissions are different). There is an Arguments property on ProcessStartInfo (http://msdn.microsoft.com/en-us/library/system.diagnostics.processstartinfo.arguments(v=vs.110).aspx) so that you could also send parameters for which you could modify your VB6 app to receive, but that's outside of what this question is about. – Mike L Dec 30 '13 at 20:27
1

Not sure if this is it, but I had a related problem and the answer was that the account didn't have permission to impersonate on the machine. This can be changed by adding the account to the Policy "Impersonate a client after authentication" using the local policy manager on the machine.

Brian ONeil
  • How to add the account to the policy "Impersonate a client after authentication"? – Teju MB Dec 24 '13 at 03:53
  • In Admin tools you will find "Local Security Policy"; run that and select "User Rights Assignment". Find "Impersonate a client after authentication" in the list and double-click it. Then you just need to add the user or a group the user belongs to. You can read more here http://technet.microsoft.com/en-us/library/dn221967.aspx about what it means to assign this. – Brian ONeil Dec 27 '13 at 02:42
1

I went a different way and put the whole application in its own app-pool running as the user we were originally impersonating. Now, when asp.net spawns a new process, it spawns under the context of the user instead of aspnet_wp. Not the exact solution to the problem I posted, but it worked for our situation.

0

I ran into the same problem that you did on a project. There should be a way to spawn a process out of your web app with given credentials, but in practice, it's a kludge at best. What I wound up finally doing was just having the app push information to an MSMQ and having a Windows service that popped items off the queue and serviced the requests.

Even when your application is impersonating, it still wants to run under the aspnet user account.

Charles Graham
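The queue hand-off described in the answer above, sketched as an added example (not code from the answer or the original poster). The queue path, job names and executable paths are hypothetical, and the private queue is assumed to already exist with an ACL that lets the web application's account send and only the service account receive. The message carries a job name rather than a command line, so the web tier never holds the target account's password and cannot ask the service to start an arbitrary program.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Messaging; // add a reference to System.Messaging.dll

// Added example: all names and paths below are hypothetical.
static class JobQueue
{
    const string QueuePath = @".\private$\webapp-jobs";

    // The only programs the service will ever start, keyed by job name.
    static readonly Dictionary<string, string> AllowedJobs =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "nightly-export", @"C:\Jobs\Export.exe" },
            { "rebuild-index",  @"C:\Jobs\Reindex.exe" }
        };

    static MessageQueue Open()
    {
        var queue = new MessageQueue(QueuePath);
        // Accept string bodies only, so nothing else is deserialized from the queue.
        queue.Formatter = new XmlMessageFormatter(new[] { typeof(string) });
        return queue;
    }

    // Web application side: no credentials and no Process.Start here.
    public static void Enqueue(string jobName)
    {
        if (!AllowedJobs.ContainsKey(jobName))
            throw new ArgumentException("Unknown job: " + jobName);
        using (MessageQueue queue = Open())
            queue.Send(jobName, "job-request");
    }

    // Windows service side: the service runs as the account the job needs,
    // so the child process inherits that identity without a stored password.
    public static void ServiceNext()
    {
        using (MessageQueue queue = Open())
        using (Message message = queue.Receive()) // blocks until a request arrives
        {
            string exePath;
            if (!AllowedJobs.TryGetValue((string)message.Body, out exePath))
                return; // re-check on the service side; drop anything unknown
            var startInfo = new ProcessStartInfo(exePath) { UseShellExecute = false, CreateNoWindow = true };
            using (Process child = Process.Start(startInfo))
                child.WaitForExit();
        }
    }
}
```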
0

Check the Code Access Security level as Process requires Full Trust. Your web application may be running in a partial trust setting.

From the Process MSDN page:

Permissions

* LinkDemand for full trust for the immediate caller. This class cannot be used by partially trusted code.

* InheritanceDemand for full trust for inheritors. This class cannot be inherited by partially trusted code.

Adrian Clark
0

I wanted to mention that I have tried the code at this site including the updated code mentioned in the comments. This code runs the process as the impersonated identity (which is really all I need), but the redirecting of the standard error fails -- so this link could be useful to those not concerned with dealing with the stderr.