1

I'm running an ASP web application that should start a Powershell script on the server. To run this Powershell script a lot of Domain rights are needed. So I run the apppool under a user that has all the rights. But when I start the powershellscript I alway get the that the access is denied.

Has any one an idea how to solve the problem?

When I start a process as described, is the process running under the usercontext of the app pool or under the usercontext of the user which is logged in in the ASP.NET web application?

I'ver tried two methods 1.

string cmdArg = "C:\\Scripts\\test.ps1 " + username;
            Runspace runspace = RunspaceFactory.CreateRunspace();
            runspace.Open();
            Pipeline pipeline = runspace.CreatePipeline();

            pipeline.Commands.AddScript(cmdArg);
            pipeline.Commands[0].MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output);
            Collection<PSObject> results = pipeline.Invoke();
            runspace.Close();

            StringBuilder stringBuilder = new StringBuilder();
            foreach (PSObject obj in results)
            {
                stringBuilder.AppendLine(obj.ToString());
              string test =  Environment.UserName;
            }
            return results[0].ToString();

2.

string cmdArg = "C:\\Scripts\\test.ps1 " + username;
Process myProcess = new Process();
          ProcessStartInfo myProcessStartInfo = new ProcessStartInfo("powershell.exe",cmdArg);

            myProcessStartInfo.UseShellExecute = false;
            myProcessStartInfo.RedirectStandardOutput = true;
            myProcess.StartInfo = myProcessStartInfo;

            myProcess.Start();
            StreamReader myStreamReader = myProcess.StandardOutput;
            myProcess.WaitForExit();
            string myString = myStreamReader.ReadLine();

            return myString;

Ok, you think running the Apppool with these grand permissions is not best practise.

What about puting a webservice between? The webservice is in an appdomain that is only reachable from localhost?

Update Ok, I've written an asp.net webservice. The webservice runs in an applicationpool with all rights but is only reachable from localhost. The webservice contains the code to start the script. The ASP MVC3 webapplication is running in a applicationpool with nearly no rights. But when the webmethod is executed I always get an error that tell me, that I haven't enought rights. I tried to set the impersonate in the webconfig false, but without success.

Does anyone know how to solve this probleme?

Update:

I've read out the current user who execute the powershell when I start it from the webservice. I says it is the user who've got all rights. But the ps throws Errors like: you can't start a method with value null.

Then I've tried to run the ps with runsas as a low level user. I get the same errors.

Then I've tried to run the ps with the same user as in the webservice and everything worked!

Is there anyone who could explain this phenomenon? And what is the different between my code above and a runas? (same user context)

thanks a lot!

HW90
  • 1,953
  • 2
  • 21
  • 45
  • 1
    If this is a production website, I really wouldn't do this. You are introducing a huge security hole and probably a performance/usability issue as well. Personally I would create a separate service or something which can then do work based on some event such as a row being inserted into a database by the web application. – s1mm0t Dec 08 '11 at 13:01
  • 1
    Could you post the code you are using to start the process please? By default, the process should run as the process the app pool is running as unless you have impersonation turned on. Check the event log on the machine also as you'll probably see the access denied errors, along with the user, there. – dash Dec 08 '11 at 13:01
  • 1
    http://stackoverflow.com/questions/8061362/starting-a-process-from-asp-net-why-does-the-process-immediately-die/8061534#8061534 – Adrian Iftode Dec 08 '11 at 13:09

2 Answers2

0

I suppose this merely depends on the impersonation settings, if impersonation is enabled, then the currently logged in user is used, otherwise the app pool user

Alexander Yezutov
  • 3,144
  • 2
  • 21
  • 23
0

Starting a new process in a HTTP request is not great for performance and it may also be a security risk. However, before ASP.NET and other modern web servers was available the only way to serve content (besides static files) was to execute a program in a separate process.

The API for doing this called the Common Gateway Interface (CGI) and still supported by IIS. If configured correctly you can execute a program on each request.

I'm not sure that you can use CGI to execute a script but then you can create an ISAPI filter that will execute PowerShell on files having extension .ps1. This is basically how for instance php.exe is executed in a new process when a file with extension .php is requested.

Enabling executable content can and should be done on a folder-by-folder basis to limit the security risk. In general you should avoid mixing different kinds of content, ie. it should not be possible to both view a script and also execute it.

If you intention is to be able to remotely run PowerShell scripts and not much else it should also be easy to write a small HTTP server in PowerShell completely removing IIS and ASP.NET from the equation.

Martin Liversage
  • 104,481
  • 22
  • 209
  • 256
  • Thanks a lot for your detailed answer! I want to use the webservice and the IIS because there are much more functions inside. I've updated my question again. – HW90 Dec 15 '11 at 15:05