Impersonation and Hosting PowerShell


Some of you reported that impersonation doesn't work while hosting PowerShell in ASP.NET applications. The problem occurs when PowerShell's pipeline is invoked in the following way from an ASP.NET application:

    using System.Collections.ObjectModel;
    using System.Management.Automation;
    using System.Management.Automation.Runspaces;
    using System.Security.Principal;
    using System.Web;

    WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
    WindowsImpersonationContext ctx = null;
    try
    {
        ctx = winId.Impersonate();
        Runspace myRunSpace = RunspaceFactory.CreateRunspace();
        myRunSpace.Open();
        // Ask PowerShell which Windows identity its execution thread runs under.
        Pipeline pipeline = myRunSpace.CreatePipeline("[System.Security.Principal.WindowsIdentity]::GetCurrent().Name");
        Collection<PSObject> objectRetVal = pipeline.Invoke();
        myRunSpace.Close();
        // objectRetVal[0].BaseObject.ToString() holds the name the pipeline thread saw.
    }
    finally
    {
        // Always drop the impersonation token, even if the pipeline throws.
        if (ctx != null) ctx.Undo();
    }


Notice that the thread's identity has been changed to impersonate the current user, yet the pipeline.Invoke() result shows the identity of the current process. This is because pipeline.Invoke() creates a thread called "Pipeline Execution Thread" and runs the command or script on that new thread. In .NET 2.0 the impersonation token does not flow across threads by default, so the "Pipeline Execution Thread" does not receive the impersonation token of the calling thread. You can configure ASP.NET to flow the impersonation token to newly created threads with the "alwaysFlowImpersonationPolicy" and "legacyImpersonationPolicy" configuration elements in the aspnet.config file, like this:

 

    <configuration>
        <runtime>
            <legacyImpersonationPolicy enabled="false"/>
            <alwaysFlowImpersonationPolicy enabled="true"/>
        </runtime>
    </configuration>
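
As an added diagnostic (not code from this post), the C# helper below runs the post's identity probe both on the PowerShell pipeline thread and on an ordinary worker thread, and reports whether each one saw the impersonated user; call it from an ASP.NET request with the request's WindowsIdentity obtained as shown above. The class and member names are my own.

```csharp
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security.Principal;
using System.Threading;

public static class ImpersonationFlowCheck
{
    // Identity names observed from the three places that matter.
    public sealed class Result
    {
        public string Impersonated;
        public string SeenByPipeline;
        public string SeenByWorker;
        public bool PipelineOk { get { return Impersonated == SeenByPipeline; } }
        public bool WorkerOk { get { return Impersonated == SeenByWorker; } }
    }

    // Impersonates winId (in ASP.NET: the request's WindowsIdentity, as in
    // the post) and records who the calling thread, the PowerShell
    // "Pipeline Execution Thread" and a plain worker thread run as.
    public static Result Probe(WindowsIdentity winId)
    {
        Result r = new Result();
        WindowsImpersonationContext ctx = winId.Impersonate();
        try
        {
            r.Impersonated = WindowsIdentity.GetCurrent().Name;
            // Same probe as the post, but the result is captured instead of discarded.
            using (Runspace rs = RunspaceFactory.CreateRunspace())
            {
                rs.Open();
                Pipeline p = rs.CreatePipeline(
                    "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name");
                Collection<PSObject> output = p.Invoke();
                r.SeenByPipeline = output.Count > 0 ? output[0].BaseObject.ToString() : null;
            }
            // A plain thread tells whether the token flows at all, PowerShell aside.
            Thread t = new Thread(delegate() { r.SeenByWorker = WindowsIdentity.GetCurrent().Name; });
            t.Start();
            t.Join();
        }
        finally
        {
            ctx.Undo(); // never leave the request thread impersonating on the error path
        }
        return r;
    }
}
```

With the default (legacy) policy both PipelineOk and WorkerOk come back false, because both threads report the process identity; after the aspnet.config change above they should both be true.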

 

For more details about impersonation see this article: http://msdn2.microsoft.com/en-us/library/ms998258.aspx#pagguidelines0001_ifyouneedtoimpersonateconsiderthreadingi

 

Thanks

Krishna[MSFT]

Windows PowerShell Development

 

This posting is provided “AS IS” and confers no rights or warranties.

  • Hello,

    Firstly, I am sorry to post an unrelated question to this post. However, I don't know where to post my questions. Here is my question:

    Say I have 2 cmdlets

    Get-location

    Get-service

    When I create a test.ps1 file out of these 2 commands and then run it, it will always do a

    Get-service |fl  in the output

    I.e. a full listing of the second command. Is there a way we can avoid this?

    thanks,

  • Hello,

    I made the changes to the config file, but impersonation still fails for PowerShell requests.

    Any ideas what I might be doing wrong? I am using VB.NET to do an impersonation with LogonUserA from advapi.dll. Should I use another impersonation method?

    BR,

    Ronald

  • Hi,

    I have the same problem with SharePoint. SharePoint is configured to impersonate the user, but unfortunately PowerShell always runs under the AppPool user. <alwaysFlowImpersonationPolicy enabled="true"/> doesn't help. Any idea?

    Bye,

    Christian

  • Sorry, my mistake. I have to change the settings on the machine level in the aspnet.config, not in the web.config.

    Hosting PowerShell is really a pleasure. I've developed a WF-PowerActivity for SharePoint, now I'm working on a PowerWebPart...

    Thanks for the really helpful post.

    Bye, Christian

  • If you want to put powershell into your applications or into ASP.NET then here is a sample of how you

  • Thanks Krishna!

    There is a great blog entry about the same issue here: http://dotdotdotnet.spaces.live.com/blog/cns!2FEAF6B32EDB048D!141.entry
