Invoking Powershell via C# in a web application - issues with app pool identity -


i have written stuff execute powershell via c# using runspacefactory.

i loading default powershell profile this: 

   runspace runspace = runspacefactory.createrunspace();    runspace.open();    string scripttext = @". .\" + scriptfilename + "; " + command;    pipeline pipeline = runspace.createpipeline(scripttext);

command = function profile know works.

all of powershell stuff wrapped in impersonator.

for avoidance of doubt, $profile = c:\users\administrator\documents\windowspowershell\microsoft.powershell_profile.ps1

this web application running under iis 7.5

if iis app runs under 'administrator' account, works. under other account throws error:

"the term '.\microsoft.powershell_profile.ps1' not recognized name of cmdlet, function, script file, or operable program. check spelling of name, or if path included, verify path correct , try again."

as impersonating 'administrator' account assumed location correct.

some logging invoked 'get-location' reports directory should be.

out of bloody mindedness tried force with:

  system.environment.currentdirectory = dir;

... , attempt @ invoked 'set-location'. these work, if invoke 'get-location' runspace reports same directory before (the correct one).

i thought that, perhaps, there might problem impersonation, wrote tests touch file system in ways app pool shouldn't able do. these work.

i checked this: 

string contextusername = system.security.principal.windowsidentity.getcurrent().name;

which reports correct user both when code 'wrapped' in impersonator, , when executed via app pool identity. got desperate , tried invoke: 

 @"cmd /c dir"

... (and get-childitem). both commands return:

{}

...when running under app pool identity (regardless of impersonation), full , accurate directory listing of correct directory when app pool running 'administrator'.

i sure missing stupid , fundamental here, if give me guidance on i've made mistake in thinking (and code), great.

this kind of "well known" issue using powershell in asp.net when in impersonated context: doesn't work way people think should work.

the reason because powershell, behind covers, spins thread of work. new thread inside powershell not inherit impersonated context.

the fix isn't pretty. this msdn blog post recommends setting asp.net flow impersonation policy (so thread behind scenes gets identity):

<configuration>     <runtime>         <legacyimpersonationpolicy enabled="false"/>         <alwaysflowimpersonationpolicy enabled="true"/>     </runtime> </configuration>

another, uglier approach (though less hacky) use winrm. can use loopback powershell session (connect localhost) powershell, , let winrm handle impersonation. requires version 3.0.0.0 of system.management.automation.

var password = "helloworld"; var ss = new securestring(); foreach (var passchar in password) {     ss.appendchar(passchar); } var pscredential = new pscredential("username", ss); var connectioninfo = new wsmanconnectioninfo(new uri("http://localhost:5985/wsman"), "http://schemas.microsoft.com/powershell/microsoft.powershell", pscredential); using (var runspace = runspacefactory.createrunspace(connectioninfo)) {     connectioninfo.enablenetworkaccess = true;     using (var powershell = powershell.create())     {

this tacky solution because requires winrm's windows service running, , configuring winrm. winrm isn't "that works", gets job done in first option isn't suitable.

the url used in wsmanconnectioninfo localhost winrm endpoint, default listens on port 5985 in version 3, , credentials specified connection.


Comments

Post a Comment

Popular posts from this blog

How to remove text and logo OR add Overflow on Android ActionBar using AppCompat on API 8? -

have researched death , cannot find answer. i have actionbar using appcompat. supporting api v7 (api v8 do). actionbar works api v11. api < v11 has problem of removing icon (and feature) actionbar without supplying overflow. big picture have app logo, app title, , 3 icons squidging same actionbar on low end phone. trying make room! i happy 1 of 2 solutions. either: a method of getting overflow functionality can retrieved pull down. (preferred) method of removing icon , text actionbar below current xml api 11+: <resources> <!-- base application theme api 11+. theme replaces appbasetheme res/values/styles.xml on api 11+ devices. --> <style name="appbasetheme" parent="theme.appcompat.light.darkactionbar"> <item name="android:actionbarstyle">@style/liteactionbarstyle</item> <item name="actionbarstyle">@style/liteactionbarstyle</item> </st...
Read more

html - How to style widget with post count different than without post count -

i have border below li elements in wordpress widget types appropriate. element inside set block gives them nice easy click full width. the problem, when choose option "show post count" when adding widget such categories or archives displays post count plain text after tag , because tag block pushes post number text line below. whether choose show post count or not show post count still gives exact same element identifyer example "widget_categories". how style post count not on next line still keep links non post count list items full width? here's example on sidebar www.bbmthemes.com/themes/modular/blog-standard/ in order solve problem need remove display:block; for ul.widgets ul a , add in it's place line-height: 33px; what going achieve have same visual effect. what going lose doing links going work on text , not on "box". the other way out of find post count coming , make changes this. example change text count i...
Read more

url rewriting - How to redirect a http POST with urlrewritefilter -

i have question urlrewritefilter , until not find in net. i want redirect http post in tomcat7. here example... the call http post ulr http://localhost:8080/oldapplication/example?a=123&b=2 this call contains content either xml or json. filter configured works , urlrewrite.xml contains: <?xml version="1.0" encoding="utf-8"?> <!doctype urlrewrite public "-//tuckey.org//dtd urlrewrite 4.0//en" "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd"> <urlrewrite use-query-string="true"> <rule> <condition type="method">post</condition> <from>^(.*)$</from> <to type="redirect">/newapplication$1</to> </rule> </urlrewrite> in access log can see call http://localhost:8080/oldapplication/example?a=123&b=2 gets redirected http://localhost:8080/newapplication/example?a=123&b=2 fine until now. pr...
Read more