6

I am building an asp.net mvc application which will operate as a wrapper for a number of powershell scripts we've written to manage day to day tasks (with the end goal of making it easy for a non technical person to use the scripts).

I've managed to get the scripts executing nicely:

```csharp
// requires: using System.Management.Automation;
var ctx = System.Web.HttpContext.Current;
var file = ctx.Server.MapPath("~/Content/Powershell/psStoreLive.ps1"); // activate a store
var shell = PowerShell.Create();
shell.AddCommand(file);
shell.AddArgument(o.DBName);   // which store should we activate
var results = shell.Invoke();  // and then process the results....display output of script
```

The problem is that the scripts are being executed as IIS_USR (or similar).

I need to find a way to get the IIS server to execute the scripts as the current logged in user ( using Windows Authentication ( <authentication mode="Windows" /> ) ).

I've seen http://stackoverflow.com/questions/10837377/loginview-and-passing-credentials-to-powershell and, while that looks like it will maybe work, I am not satisfied with the idea.

It seems to me that I should be able to do this with some C# code, as in the code-block above, but I've been unable to turn up anything with my searches that will do it.

How can I create a powershell environment in C# that will execute as a logged-in user (I'd settle for even re-asking for credentials, if necessary)?

Thanks

Edit 1

I have looked at the PSCredential object, and that seems to be the right kind of thing, but I still can't figure out how I might plug it into a session overall (lots of info about using it as a parameter to a cmdlet that requires a credential)

reidLinden
  • 1
    What do you mean by the _current logged in user_? Currently logged into the application? If so, how do you authenticate them? – arco444 Oct 30 '14 at 20:11
  • Apologies. I am using Windows Authentication ( `<authentication mode="Windows" />` ), so they will be authenticated against my domain. – reidLinden Oct 30 '14 at 20:15
  • Have you looked at this http://stackoverflow.com/questions/559719/windows-impersonation-from-c-sharp – Keith Hill Oct 31 '14 at 04:24
  • @KeithHill -- No, I hadn't seen that. I'm currently looking at http://incoherenttruth.wordpress.com/2011/01/05/execute-powershell-cmdlets-from-asp-net-with-user-impersonation/ , and it looks to be the same (general) idea ... – reidLinden Oct 31 '14 at 12:45
  • FWIW, I've done this in the past and it was a lot of coding, but it was very similar to the code in @KeithHill's suggestion, I had to use the Windows API directly. Was going to post some of it here but I was doing Forms Authentication not Windows, so was generating the token using a password. Sounds like you might be able to get it from the current context somehow. – arco444 Oct 31 '14 at 12:59

2 Answers

1

I have an ASP.NET site that needs rights to a share to run EXEs and .BAT Files.

This example is using application pool and a local account, you can use a domain account as well.

  1. Create a local account on the server (make it an admin on the server)
  2. Give that account full rights to the folder where the powershell script is.
  3. Create a new IIS Pool and set the account to run under this new local account
  4. Change your site in IIS to use this new pool
Elim Garak
0

Although you might be able to do this, the security implications are not very nice.

For a similar requirement we have created a service layer that handles incoming requests to run a script or command and stores them for a client to pull them off the queue and execute them.

The client could be either a windows service or just a script running on the machine.

There is a very good reason that a web application does not have access to local resources on the computer or network where it is running.

If you want to do it anyway, just configure the application pool to use a different identity as suggested above.

Jower
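The queue design described in the last answer, sketched in C# as an added example (not code from either answer or from the question): the web application only writes validated requests to a spool folder, and a separate worker running under its own account executes them. The class name, folder paths, task key and validation pattern are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management.Automation;
using System.Text.RegularExpressions;

public static class ScriptQueue   // hypothetical name
{
    // Hypothetical spool folder: the app pool identity needs write access here and nothing more.
    const string Spool = @"D:\ScriptQueue";

    // Requests carry a task key, never a path; only the worker maps keys to script files.
    static readonly Dictionary<string, string> Allowed = new Dictionary<string, string>
    {
        { "store-live", @"D:\Scripts\psStoreLive.ps1" }   // hypothetical location
    };
    static readonly Regex SafeDbName = new Regex(@"^[A-Za-z0-9_]{1,64}$");  // assumed naming rule

    static bool IsValid(string task, string dbName)
    {
        return task != null && Allowed.ContainsKey(task)
            && dbName != null && SafeDbName.IsMatch(dbName);
    }

    // Web side: call from the MVC action, passing User.Identity.Name for the audit trail.
    public static void Enqueue(string user, string task, string dbName)
    {
        if (!IsValid(task, dbName)) throw new ArgumentException("Rejected request");
        string tmp = Path.Combine(Spool, Guid.NewGuid().ToString("N") + ".tmp");
        File.WriteAllLines(tmp, new[] { user, task, dbName });
        File.Move(tmp, Path.ChangeExtension(tmp, ".req"));   // publish only complete files
    }

    // Worker side: a Windows service or scheduled job running as the privileged account.
    public static bool ProcessNext()
    {
        string path = Directory.GetFiles(Spool, "*.req")
            .OrderBy(p => File.GetCreationTimeUtc(p)).FirstOrDefault();
        if (path == null) return false;                       // queue is empty
        string[] f = File.ReadAllLines(path);
        File.Move(path, Path.ChangeExtension(path, ".done")); // claim before running
        // The web tier can write to the spool, so re-validate everything read from it.
        if (f.Length != 3 || !IsValid(f[1], f[2])) return true;
        using (PowerShell shell = PowerShell.Create())
        {
            shell.AddCommand(Allowed[f[1]]).AddArgument(f[2]);
            foreach (PSObject line in shell.Invoke())
                Console.WriteLine("{0} [{1}] {2}", f[1], f[0], line);
        }
        return true;
    }
}
```

With this split, the IIS application pool can stay on its default low-privilege identity, and the recorded user name lets the worker log who requested each run.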