September 10th, 2007

Impersonation and Hosting PowerShell

PowerShell Team
PowerShell Team

Some of you reported that Impersonation doesn’t work while hosting PowerShell in ASP.net applications.  The problem occurs when PowerShell’s pipeline is invoked in the following way from an ASP.NET application:

         WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;

 

            WindowsImpersonationContext ctx = null;

            try

            {

                ctx = winId.Impersonate();

                Runspace myRunSpace = RunspaceFactory.CreateRunspace();

                myRunSpace.Open();

                Pipeline pipeline = myRunSpace.CreatePipeline(“[System.Security.Principal.WindowsIdentity]::GetCurrent().Name”);

                System.Collections.ObjectModel.Collection<PSObject> objectRetVal = pipeline.Invoke();

                myRunSpace.Close();

                //objectRetVal[0].BaseObject.ToString();

 

                ctx.Undo();

            }

 

Notice the thread’s identity is changed to impersonate CurrentUser identity but the pipeline.Invoke() results show the identity of the current process.  This is because pipeline.Invoke() method creates a thread called “Pipeline Execution Thread” and the command/script is executed in this new thread. In .net 2.0, by default the impersonation token does not flow across threads, so “Pipeline Execution Thread” doesn’t get the impersonation token of the calling thread. You can configure ASP.Net to flow the impersonation token to newly created threads by using “alwaysFlowImpersonationPolicy” and “legacyImpersonationPolicy” configuration elements in aspnet.config file like this:

 

<configuration>

                <runtime>

                             <legacyImpersonationPolicy enabled=”false”/>

                             <alwaysFlowImpersonationPolicy enabled=”true”/>

               </runtime>

</configuration>

 

For more details about impersonation see this article: http://msdn2.microsoft.com/en-us/library/ms998258.aspx#pagguidelines0001_ifyouneedtoimpersonateconsiderthreadingi

 

Thanks

Krishna[MSFT]

Windows PowerShell Development

 

This posting is provided “AS IS” and confers no rights or warranties.

Author

PowerShell Team
PowerShell Team

PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes.

0 comments

Discussion are closed.